- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Thu, 22 Jun 2017 09:10:29 +0200
- To: "Kis, Zoltan" <zoltan.kis@intel.com>
- Cc: "Web NFC (W3C)" <public-web-nfc@w3.org>
On 2017-06-22 08:27, Kis, Zoltan wrote:
>
>
> On Thu, Jun 22, 2017 at 7:40 AM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>
>     https://www.thetimes.co.uk/article/handy-way-to-pay-little-bills-on-the-cards-h0ffmpkmv
>
>     Web NFC will never be able to do that.
>
>
> Yes, I would be concerned if you could do that with Web NFC :). In your view, what is the gain if a web page could do that?

None.

> There are a number of apps that allow users to make and receive payments,
> either involving card provisioning or linking to bank account.

The application linked to is rather a Merchant solution.

> There is nothing new in that. So far all of them are apps, need store security
> and payment provisioning. We don't want to give access to that kind of payment
> provisioning to a web page. The question is, what is the gain and what is the price.

This is important information for people following this work.

> IMO it's a very narrow use case for the web but creates a large attack surface.

If payments is a "narrow" use case, what constitutes a mainstream use case?

> The Web NFC group rather focuses on more universal use cases that conform
> well to the web security model (I have a deja vu feeling when saying this).
> Of course it's only a subset of what native NFC apps could do.

I think we got that.

The problem is converting this into something practical which I didn't succeed with :-(

>     Anders
>     https://github.com/w3c/webauthn/issues/496
>
>
> There are apps for that too, without even using NFC (e.g. Nordea Codes). It's much simpler
> to type in a PIN in an app on any phone with a SIM card than being required to use two
> devices with NFC support and NFC between them. Guess which solution is more universal?

I don't know what you are referring to here.

The "Phone Token" is about using a phone as a token to a PC/Browser replacing "phishable" and archaic solutions like userid + passwords. SMS callbacks have recently been deprecated by NIST because they are "phishable".

I have not invented this use case; it is currently used by 3 million Swedes including myself. All Swedish banks and e-government services accept this solution. The same principle is also usable for payments which means that the "phone" can work in every situation where you today use a "card" as well as in scenarios that cards do not support like Web Payments and P2P payments.

This concept has no relationship to SIM-cards, it is just a (very awkward) deployment option.

Anyway, since NFC in PCs is "doomed", this proposal (bad or good) is dead as well :-( :-(

Anders

>
> Zoltan
>
Received on Thursday, 22 June 2017 07:11:05 UTC