
Re: WebCrypto - "A Solution Looking for a Problem"

From: Harry Halpin <hhalpin@w3.org>
Date: Thu, 22 Jan 2015 17:53:11 +0100
Message-ID: <54C12AF7.8010400@w3.org>
To: public-web-security@w3.org


On 01/22/2015 05:42 PM, Colin Gallagher wrote:
> Anders, I think the features you discuss are or were taken up by Web
> Payments at
> http://www.w3.org/community/webpayments/
> 
> However, some important factors which have doomed any
> 1. Useful, and
> 2. Safe
> web wallet development,
> 
> Are the following:
> 
> A. Innovation killers within web payments group itself that discouraged or
> just plain destroyed possibilities of permissionless, free and open
> collaboration without conditions imposed... by this I am referring to the
> horrifying CLA for the Web Payments group that they required you agree to
> even to jump onto a conference call or mailing list (you have to have
> agreed to license your Essential Claims against a gigantic, innovation
> killing CLA that I and others in the bitcoin community refused to agree to
> in Feb 2014 thus ending the possibility (from my perspective) of a
> collaboration with Payswarm / W3C Web Payments)

Note I do not consider patent commits to royalty free standards
"innovation killers". In fact, in general patents are innovation killers.

If you want to say "I have patents and want to keep them, and put them
in an open standard and then charge licensing fees when people use the
open standard", just say that. But don't call that "innovation-killing."

I agree there are legal issues with govt. seizure of customer data, but
that's beyond a standards body to fix.

Re WebCrypto, Anders, as usual, is incorrect. WebCrypto is aimed at
general-use crypto primitives within the browser environment that
already exists. No more, no less. Lots of people have already found that
useful. Please see charter. We could and hopefully will recharter new
work but we'd like to finish the existing API as it is without
shoe-horning into other use-cases that the WG did not accept.

   cheers,
      harry



> 
> B.  Payswarm has helped push this W3C web payments thing along from what I
> heard, but I don't agree it's been helping anyone. See
> http://digitalbazaar.com/payswarm/ - sounds nice, but is unrealistic. Web
> wallets such as Coinbase and Bitpay that already have huge userbase and
> appeal are themselves soon to become a dying business model for the
> following reasons:
> a. The cromnibus. Provisions adopted at end of 2014 (buried deep in the
> Intelligence provisions) made it so that any and all customer info which
> would be handled by third party services could be disclosed to government
> at any time. With no warrant, but rather as a result of broad, sweeping
> requests.
> b. Legality issues. Russia, (Putin), UK (Cameron), U.S. (Obama), Belarus
> (some info minister whose name I forget, who said that recently that the
> whole internet was now subject to "the fatherland" of Belarus). These idiot
> politicians are providing us with a legacy of insecurity and attacks on
> encryption and innovation generally. A growing number of countries consider
> virtual currency to be illegal.  So legality cannot be a concern here for
> us, we cannot be constrained by these concerns when the larger concerns are
> how do we ensure users have access to the systems of encryption that
> politicians are now in the process of making illegal? The concern must be
> moving beyond the Web for payment, because in that context it is broken.
> c. Repository issues. If your virtual currency is supported as a corporate
> model (you are an LLC or something) you are going to get threatened with
> shutdown by another corp (probably one of many anonymized front corps that
> can easily be created for this purpose) or by a government. If you are
> serious about preserving your repository in the face of multiple aggressive
> state actors, or by numerous competitors (including, moving into 2016, DAO
> type competitors, that are autonomous and non-human), you need to mirror
> into different places before your project becomes known (not just github or
> bitbucket), have multiple offline copies with different names in different
> locations, and instructions to friends to make sure copies can be checked
> against signatures periodically.
> On Jan 22, 2015 6:16 AM, "Anders Rundgren" <anders.rundgren.net@gmail.com>
> wrote:
> 
>> In this somewhat dated document, applications like on-line banking and
>> credit-card processing are mentioned:
>> http://www.w3.org/2012/webcrypto/wiki/Use_Cases
>>
>> A number of reasons to why this probably won't happen are outlined in this
>> document:
>> http://webpki.org/papers/payments/webcrypto-4-payments.pdf
>>
>> Although currently not particularly useful, something along the following
>> lines could prove to be a
>> more workable solution for a wide range of crypto-using applications
>> including eID and payments:
>> http://blog.chromium.org/2013/10/connecting-chrome-apps-and-extensions.html
>>
>> In fact, the entire idea of having a browser-level wallet needs
>> reconsideration, since it would lead to
>> local payments and web payments having different "Look-and-feel",
>> Security, API, etc. characteristics.
>>
>> That is, "calling" a local (native) application like a wallet from the web
>> is the most likely future
>> solution.  According to insiders this is exactly what Apple is currently
>> working with in order to extend
>> the functionality of their (r)evolutionary Apple Pay system.
>>
>> I suggest that a feasibility study is performed and if it turns out
>> positive, be used for chartering
>> a new WG which would serve as a replacement for the missing WebCrypto
>> "secondary features".
>>
>> Anders
>>
>>
> 
Received on Thursday, 22 January 2015 16:53:19 UTC
