[w3c/webpayments-methods-card] security and privacy considerations section seems insufficient (#31) from L. David Baron on 2017-04-11 (public-webpayments-specs@w3.org from April 2017)

From: L. David Baron <notifications@github.com>
Date: Tue, 11 Apr 2017 01:05:02 -0700
To: w3c/webpayments-methods-card <webpayments-methods-card@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/webpayments-methods-card/issues/31@github.com>

The current [Security and Privacy considerations section](https://w3c.github.io/webpayments-methods-card/#security) seems a bit short for the material being covered.

Some examples of things that I'd have expected to be mentioned might be:
* security risks of transferring card numbers relative to tokenized payment
* security (and perhaps also privacy) implications on the browser side
* privacy implications of sites identifying users based on their credit card
* security of card data in transit, and how [SecureContext] helps

On the flip side, security and privacy implications sections should also mention the positives, such as:
* a bunch of the material in https://github.com/w3c/webpayments-methods-card/issues/2#issue-157615118
* ways having card payment UI in trusted browser UI can reduce phishing risk

(I got here from https://github.com/w3ctag/spec-reviews/issues/152.)

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webpayments-methods-card/issues/31

Received on Tuesday, 11 April 2017 08:05:39 UTC