Re: WebCrypto - "A Solution Looking for a Problem"

From: Colin Gallagher <colingallagher.rpcv@gmail.com>
Date: Thu, 22 Jan 2015 08:42:25 -0800
Message-ID: <CABghAMgT8UMM453DWz-8VUy-Uu7uho41s7By-=xV3g7bZHJLug@mail.gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: public-web-security@w3.org

Anders, I think the features you discuss are or were taken up by Web
Payments at
http://www.w3.org/community/webpayments/

However, some important factors which have doomed any
1. Useful, and
2. Safe
web wallet development,

Are the following:

A. Innovation killers within web payments group itself that discouraged or
just plain destroyed possibilities of permissionless, free and open
collaboration without conditions imposed... by this I am referring to the
horrifying CLA for the Web Payments group that they required you agree to
even to jump onto a conference call or mailing list (you have to have
agreed to license your Essential Claims against a gigantic, innovation
killing CLA that I and others in the bitcoin community refused to agree to
in Feb 2014 thus ending the possibility (from my perspective) of a
collaboration with Payswarm / W3C Web Payments)

B.  Payswarm has helped push this W3C web payments thing along from what I
heard, but I don't agree it's been helping anyone. See
http://digitalbazaar.com/payswarm/ - sounds nice, but is unrealistic. Web
wallets such as Coinbase and Bitpay that already have huge userbase and
appeal are themselves soon to become a dying business model for the
following reasons:
a. The cromnibus. Provisions adopted at end of 2014 (buried deep in the
Intelligence provisions) made it so that any and all customer info which
would be handled by third party services could be disclosed to government
at any time. With no warrant, but rather as a result of broad, sweeping
requests.
b. Legality issues. Russia (Putin), UK (Cameron), U.S. (Obama), Belarus
(some info minister whose name I forget, who said recently that the
whole internet was now subject to "the fatherland" of Belarus). These idiot
politicians are providing us with a legacy of insecurity and attacks on
encryption and innovation generally. A growing number of countries consider
virtual currency to be illegal.  So legality cannot be a concern here for
us, we cannot be constrained by these concerns when the larger concerns are
how do we ensure users have access to the systems of encryption that
politicians are now in the process of making illegal? The concern must be
moving beyond the Web for payment, because in that context it is broken.
c. Repository issues. If your virtual currency is supported as a corporate
model (you are an LLC or something) you are going to get threatened with
shutdown by another corp (probably one of many anonymized front corps that
can easily be created for this purpose) or by a government. If you are
serious about preserving your repository in the face of multiple aggressive
state actors, or by numerous competitors (including, moving into 2016, DAO
type competitors, that are autonomous and non-human), you need to mirror
into different places before your project becomes known (not just github or
bitbucket), have multiple offline copies with different names in different
locations, and instructions to friends to make sure copies can be checked
against signatures periodically.

On Jan 22, 2015 6:16 AM, "Anders Rundgren" <anders.rundgren.net@gmail.com> wrote:

> In this somewhat dated document, applications like on-line banking and
> credit-card processing are mentioned:
> http://www.w3.org/2012/webcrypto/wiki/Use_Cases
>
> A number of reasons why this probably won't happen are outlined in this
> document:
> http://webpki.org/papers/payments/webcrypto-4-payments.pdf
>
> Although currently not particularly useful, something along the following
> lines could prove to be a
> more workable solution for a wide range of crypto-using applications
> including eID and payments:
> http://blog.chromium.org/2013/10/connecting-chrome-apps-and-extensions.html
>
> In fact, the entire idea of having a browser-level wallet needs
> reconsideration, since it would lead to
> local payments and web payments having different "Look-and-feel",
> Security, API, etc. characteristics.
>
> That is, "calling" a local (native) application like a wallet from the web
> is the most likely future
> solution.  According to insiders this is exactly what Apple is currently
> working with in order to extend
> the functionality of their (r)evolutionary Apple Pay system.
>
> I suggest that a feasibility study is performed and if it turns out
> positive, be used for chartering
> a new WG which would serve as a replacement for the missing WebCrypto
> "secondary features".
>
> Anders
>
>
Received on Thursday, 22 January 2015 16:45:41 UTC