Re: Payment Initiation - platform integration

On 2015-09-16 15:03, Adrian Hope-Bailie wrote:
> <snip>
>
> > > The best example I could find is in the Web Notifications PR published
> > > earlier this month: http://www.w3.org/TR/2015/PR-notifications-20150910/#displaying-notifications
> >
> > I don't understand much of this spec :-(  But I doubt it has any bearing on invocation of wallets and such.
>
> </snip>
>
> To be clear, I am not suggesting that the Web payments API in the
> browser would invoke the notifications API on the host platform.

I see.

> I am drawing attention to a precedent for invocation of a platform
> API as a result of a browser API being invoked.

The difference is that notifications are passive and fairly innocent
(unless you are bombarded by them), while wallets are active, "full-duplex",
and attractive for various attacks.

>
> What is not clear to me is how this would work for cloud-based wallets.
> Perhaps the recommendation would be that the browser allows the user to
> provide a wallet API endpoint (URL) that conforms to our recommendations
> or it will invoke the platform's payment API?

I think we should make a distinction between Web-wallets like PayPal and
Google Wallet for Android which was (is?) a local wallet using cloud-based
payment credentials.

The security model required by Web wallets won't permit payment instrument
enumeration so they have rather different characteristics compared to any
form of local wallet.

Anders

Received on Wednesday, 16 September 2015 13:48:12 UTC