Re: Credit-card payments on the Web - Stuck in its 1998 form

On 2013-10-05 15:13, Joseph Potvin wrote:
> RE: "What's completely missing are requirements.  However, AFAIK you are not allowed to mention possible requirements in public forums ... How are you supposed to break the ice?"
>
> Anders, Other than the usual NDAs that restrictive companies typically rely upon for their employees and contractors, what issue are you concerned about that's in the way?

Here is a recent real-world example:  I'm an external commenter for W3C's WebCrypto effort.
I received feedback on most of my comments except when I asked how WebCrypto relates to
the Google Wallet and Google's U2F (Universal 2nd Factor) authentication.  The latter
seems to answer a lot of the non-Google members' concerns, but since both of these
designs are more or less secret the questions were met with complete silence.  I guessed
beforehand that this would be the case, but now it is fully verified :-|

I don't see how you could create useful payment standards in such an environment.
We probably have to wait for Google to present the solution (which we then can sort of "standardize"),
because the other vendors lack either the bandwidth, the incentive or the resources to create the
foundation for "Secure Browser Applications".

There's currently a related case in W3C's SysApps WG where a "Secure Element API"
is to be created.   None of the big guys have indicated any interest in this and therefore
it won't be a real standard, but a W3C standard.  For people who have standardization
as their job this may be completely satisfactory; for the other 99.9999% it is mainly
a waste of time.  The fact that the SE API is effectively locked by operators isn't publicly
mentioned, which IMO again points to a serious lack of open discussion in W3C.


>
> High level functional req's are getting documented here: https://payswarm.com/specs/source/use-cases/  ... though yes, I wish to know if I've missed noticing where the webpayments technical specs are being assembled & shared presently?

I was mainly thinking about requirements regarding the client platform.  The subject of my posting is
(IMO) primarily due to the fact that there is very little in current browsers that could support secure
payments.


>
> In the interest of creating standards-compliant UML2 documentation for web-payments, Papyrus is a free/libre/open industrial-strength standards-compliant solution http://www.papyrusuml.org/scripts/home/publigen/content/templates/show.asp?P=130&L=EN&ITEMID=4
>
> RE: "How are you supposed to break the ice?
>
> Very much like first OpenStack (free/libre cloud software stack) & now OpenCompute (free/libre data centre hardware) are, at this very moment, breaking the ice on data centres.  And they draw upon intelligent defensive initiatives like the OpenInventionNetwork.com, PublicPatentFoundation pubpad.org.org, DefensivePublications.org, the Software Freedom Law Center www.softwarefreedom.org, etc.

Yes, server-based Open Source solutions have been extremely successful.  I'm working
on one of these so I should know: http://ejbca.org/

However, it is not easy translating this success to browsers unless you start developing
native-mode plugins, something that has proved not to scale particularly well.  Forking
Chrome or Firefox is also possible, but requires major efforts of all kinds to succeed.

I *am*, though, personally trying exactly this, which may sound incredibly strange given
what I just wrote, but I'm trying another route than targeting the "reference market"
(the US), since this has proved to be close-to-impossible unless you indeed are Google.
Not even Microsoft dares to do that these days...

>
> How about this story for a metaphor: http://web.mit.edu/press/2013/simple-scheme-for-self-assembling-robots.html
>
> Joseph Potvin

Cheers
Anders

>
>
>
> On Sat, Oct 5, 2013 at 2:10 AM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>
>     Credit-card payments on the web haven't taken a single security-related step forward
>     since 1998 when 3D secure was conceived.
>
>     How come?  There's no suitable web technology available for this purpose and
>     banks do not build browsers.  In addition, banks do not contribute to standardization
>     in open forums or to open source projects.
>
>     Can W3C do something here?  I don't think so, because there is too much tension
>     regarding payments.  What is (at least theoretically...) possible is creating neutral
>     web technology allowing banks to build their own payment systems.
>
>     What's completely missing are requirements.  However, AFAIK you are not allowed
>     to mention possible requirements in public forums if you are working for a major
>     US tech company due to IPR and product considerations.
>
>     How are you supposed to break the ice?
>
>     Anders
>
>
>

Received on Saturday, 5 October 2013 14:55:15 UTC