W3C home > Mailing lists > Public > public-web-security@w3.org > October 2015

RE: State of the WebCrypto API

From: ANDREAE Philip <P.Andreae@oberthur.com>
Date: Mon, 12 Oct 2015 19:42:02 +0000
To: Anders Rundgren <anders.rundgren.net@gmail.com>, Tony Arcieri <bascule@gmail.com>
CC: "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <09D719D29942B940B45930011FD043CE40BA39@USCHSERV48.americas.oberthurcs.com>
Using 3D-Secure as a application mechanism allowing the Merchant and Issuer to communicate and subsequently establish a link between the Cardholder and the Issuer.  Allow the Issuer to discover if a Smart Card reader is present.  Ultimately allow the Issuer to communicate through the 3D-Secure redirect with the smart card reader thought a tunnel allowing them to issue APDUs to the card.  The smart card reader could in theory also be an NFC interface.

I am not a technical guy.  All I want to suggest is we need to enable the Financial Institution "The Issuer", who ultimately guarantees the payment transaction, to be able to use existing payment credentials and associated tools, to assure themselves that a genuine set of payment credentials is present.  

Of course there are other techniques such as Amazon One Click and "Card on File" solutions, where a customer has some loyalty to the merchant or recurring activity or payments happen.  In these cases the merchant e.g. AT&T, Georgia Power, Amazon, Uber or Delta can take responsibility for maintaining, on the customers behalf, payment credentials.  In these cases FIDO becomes an effective way to provide a secure multi-factor log-in experience.  

The key use case that must be addressed is where an anonymous Buyer visits a Seller's website and wishes to shop and pay with payment credentials they frequently use e.g. a credit or debit card.


Philip Andreae
Tel: +1 (404) 680 9640  


-----Original Message-----
From: Anders Rundgren [mailto:anders.rundgren.net@gmail.com] 
Sent: Monday, October 12, 2015 3:11 AM
To: Tony Arcieri
Cc: public-web-security@w3.org
Subject: Re: State of the WebCrypto API

On 2015-10-12 00:13, Tony Arcieri wrote:
<snip>
>
> Why did you start this thread?

The W3C is just about to launch two crypto-related WGs:
http://www.w3.org/2015/hasec/2015-hasec-charter.html

http://www.w3.org/2015/06/payments-wg-charter.html


It seems that WebCrypto didn't satisfy a particularly large market (in terms of applications) and therefore the next steps could be worth discussing a bit, right?

I'm still waiting for some kind of write-up/specification on how the payment industry intends making the 1Bn+ chip-cards in circulation usable on the Web, or at least how virtualized versions of such cards would fill that bill.

Apparently you don't think that's a good idea.

Personally, I wouldn't start anything in this space until this has been done.   Elimination of "technical risk" applies to all projects, regardless if they are standards or not.

Anders Rundgren

Received on Monday, 12 October 2015 19:42:35 UTC

This archive was generated by hypermail 2.3.1 : Monday, 12 October 2015 19:42:35 UTC