- From: Danyao Wang <notifications@github.com>
- Date: Fri, 07 Aug 2020 10:08:54 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/544@github.com>

Saluton TAG!

I'm requesting a TAG review of Secure Payment Confirmation.

Secure Payment Confirmation is a proposal to allow FIDO-based authentication to be used to securely confirm payments initiated via the Payment Request API. Secure Payment Confirmation defines a new `PaymentCredential` credential type to the Credential Management API. A `PaymentCredential` is a `PublicKeyCredential` with the special privilege that it can be queried by any origin via the Payment Request API. A bank can register a `PaymentCredential` on the user's device after an initial ID&V process. Merchants can exercise this credential to sign over transaction data during an online payment and the bank can assert the user's identity by verifying the signature.

- Explainer¹ (minimally containing user needs and example code):
  - https://github.com/rsolomakhin/secure-payment-confirmation
- Security and Privacy self-review²:
  - https://github.com/rsolomakhin/secure-payment-confirmation/blob/master/security-privacy-questionnaire.md
- GitHub repo (if you prefer feedback filed there):
  - https://github.com/rsolomakhin/secure-payment-confirmation
- Primary contacts (and their relationship to the specification):
  - Danyao Wang (@danyao), Google. [Payment Request API](https://w3c.github.io/payment-request) editor.
  - Adrian Hope-Bailie (@adrianhopebailie), Coil. Web Payments Working Group Chair.
  - Benjamin Tidor (@btidor-stripe), Stripe.
  - Rouslan Solomakhin (@rsolomakhin), Google. [Payment Request API](https://w3c.github.io/payment-request) editor.
  - Jeff Hodges (@equalsJeffH), Google. [Web Authentication](https://www.w3.org/TR/webauthn) editor.
  - Dirk Balfanz (@balfanz), Google. [Web Authentication](https://www.w3.org/TR/webauthn) editor.
  - Mike West (@mikewest), Google. [Credential Management API](https://www.w3.org/TR/credential-management-1/) editor.
- Organization/project driving the design:
  - Google
  - Stripe
  - Coil
- External status/issue trackers for this feature (publicly visible, e.g. Chrome Status): https://www.chromestatus.com/feature/6643371200217088

Further details:

- [x] I have reviewed the TAG's [API Design Principles](https://w3ctag.github.io/design-principles/)
- The group where the incubation/design work on this is being done (or is intended to be done in the future):
  - [Joint Task Force of Web Authentication and Web Payments Working Groups](https://github.com/w3c/webauthn-pay/wiki)
- The group where standardization of this work is intended to be done ("unknown" if not known):
  - [Web Payments Working Group](https://www.w3.org/blog/wpwg/)
  - [Web Authentication Working Group](https://www.w3.org/blog/webauthn/)
- Existing major pieces of multi-stakeholder review or discussion of this design:
  - [Secure Payment Confirmation Pilot Proposal](https://bit.ly/webauthn-to-pay-2020h2-pilot)
  - [First draft of Secure Payment Confirmation API proposal](https://docs.google.com/document/d/1n73fdsn8tTDYUGjQPOGRGI_VcTaGNjweedSgcH7P8Hc/edit?ts=5ef93da4&pli=1#heading=h.us83hoxtb650)
- Major unresolved issues with or opposition to this design: N/A
- This work is being funded by: N/A

We'd prefer the TAG provide feedback as (please delete all but the desired option):

☂️ open a single issue in our GitHub repo **for the entire review**

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/544

Received on Friday, 7 August 2020 17:09:07 UTC