The Cloud/FIDO: Was: Dealing with the NASCAR Syndrome for Web Payments

The US government (NIST) does not count on the cloud for storing identity credentials.
It prescribes that such credentials must be stored in a local FIPS-140 certified cryptographic module:
http://csrc.nist.gov/publications/drafts/800-157/sp800_157_draft.pdf

Apple already has such a thing inside their wildly popular iOS devices:
images.apple.com/ipad/business/docs/iOS_Security_Feb14.pdf

When you put things in a cloud, the authentication to the cloud becomes the onus
since nothing is stronger than its weakest links.

Somewhat unfortunately for W3C, it seems that most big players, including
Google, PayPal, Microsoft, ARM, Samsung and RSA, have flocked to the FIDO Alliance
for standardization of strong authentication.  Here are the latest additions:
https://fidoalliance.org/news/item/fido-alliance-welcomes-arm-to-the-board-of-directors
https://fidoalliance.org/news/item/the-fido-alliance-appoints-samsung-electronics-to-the-board-of-directors

WebID and WebPayments will probably have to adapt to the FIDO platform.

Anders
Still plotting with the alternative to FIDO alliance...

On 2014-04-23 03:17, Manu Sporny wrote:
> On 04/15/2014 11:40 AM, Jorge Zaccaro wrote:
>> I'd love to learn more about the group's opinions and vision on 
>> wallets for the Web.
> 
> You'll find that the opinions vary from individual to individual. So,
> this is just my opinion:
> 
> I think wallets are a bad name for what we're talking about, but many of
> the fundamental things this mechanism must do are the same. I think we
> have consensus that the solution:
> 
> 1. Must be able to store personal information "in the cloud" (login
> credentials, payment mechanisms, coupons, receipts, etc.) in a way where
> the customer controls access to the information.
> 2. Must be portable across payment and identity providers.
> 3. Must not be tied to the browser, but could be enhanced by certain
> browser features (such as 2-factor auth, better security sandboxing,
> NFC, etc.)
> 4. Must address the NASCAR problem wrt. login and payment provider
> selection.
> 
> Formulating a Wallet API may not be the best way to approach the
> problem. Solving the problem in a more modular way would probably be
> more beneficial. For example:
> 
> 1. Create a mechanism for storing credentials in the cloud:
>    https://web-payments.org/specs/source/identity-credentials/
> 2. Use the credentials in the cloud to solve the Web login
>    NASCAR problem:
>    http://manu.sporny.org/2014/credential-based-login/
> 3. Use the credentials in the cloud solution to solve the
>    payment provider selection NASCAR problem.
> 4. Standardize payment initiation:
>    https://web-payments.org/specs/source/web-commerce-api/
> 5. Standardize digital receipts:
>    https://web-payments.org/specs/source/web-commerce/
> 
> ... and so on. When you put all of these base technologies together, you
> get a wallet, but the benefit of approaching the problem in this way is
> that even if the end goal (creating a wallet API) fails, you're still
> left with a bunch of technology that is still useful in other areas.
> 
> -- manu
> 

Received on Wednesday, 23 April 2014 06:28:35 UTC