W3C home > Mailing lists > Public > public-webpayments@w3.org > April 2014

Re: A briefing on the W3C SE API

From: Sam Mbale <smbale@gmail.com>
Date: Sat, 12 Apr 2014 20:46:03 +0100
Message-ID: <CAFGFx5MM1ukSixF5TN5An6b0r7qGoq8ygCssZH_NfjRQaFi8Vw@mail.gmail.com>
To: Kumar McMillan <kmcmillan@mozilla.com>
Cc: Anders Rundgren <anders.rundgren.net@gmail.com>, Web Payments CG <public-webpayments@w3.org>
I will attempt to deploy  payswarm payment system on
http://media.mpelembe.net tonight. this is a hackathon projecexperiment.  A
realtime payment method  for publishers is the next step

Sam Mbale


On Sat, Apr 12, 2014 at 8:03 PM, Kumar McMillan <kmcmillan@mozilla.com>wrote:

> On Apr 12, 2014, at 1:27 AM, Anders Rundgren <
> anders.rundgren.net@gmail.com> wrote:
> > To get some feeling for the difficulties combining traditional smart
> cards and browsers, you may take a peek at:
> > http://lists.w3.org/Archives/Public/public-sysapps/2014Apr/0057.html
> >
> > I feel pity for Mozilla who bought into this API which also suffers from
> the "minor" snag that SIM-cards cannot be used except through cooperation
> with operators.
> Actually, it's the operators who are proposing a patch for the SE web API
> to Firefox OS right now (not Mozilla) because they are partnering with
> Mozilla to bring devices to market. As I understand it, this effort isn't
> to solve the problem in a new [and better] way it's to make Firefox OS
> connect to the secure elements that are already going to be built into
> these devices anyway. As I also understand it, no one in Mozilla's security
> group is particular excited about it.
> > Banks and operators are not the most obvious bedfellows, IMO it is
> rather the opposite.
> >
> > Apple, Google and Microsoft have so far not commented on this API which
> is sort of understandable since they have already invested in embedded
> security hardware which is much easier to deal with.   Of course without
> any coordination whatsoever.
> >
> > I.e. this topic is effectively out of scope for true standardization.
>  Microsoft and the US government once had a chance coming up with a
> universal solution when the FIPS201/PIV standard was designed.  However,
> the smart card vendors kept the most interesting part for themselves
> (initialization) which the mildly put non-visionary NIST folks didn't
> realize would make their great standard useless for the private sector like
> banks who simply cannot motivate spending $200+ per seat for a "Security
> Solution".  The rest is history with an endless series of security breaches
> due to the use of unauthenticated credit-card numbers.
> >
> > Due to this situation I feel pretty OK continuing with the Firefox
> WebCrypto extension ( https://bugzilla.mozilla.org/show_bug.cgi?id=978867).  And if someone finds a better mousetrap?  Well, that's life :-)
> >
> > thanx,
> > Anders
> >
> >
Received on Monday, 14 April 2014 13:01:17 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:03:36 UTC