- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Mon, 02 Jun 2014 07:50:43 +0200
- To: Web Payments CG <public-webpayments@w3.org>

Hi List;

One of the arguments against using authentication techniques that rely on client-side storage of data like PKI is that it wouldn't work at a kiosk unless the key was supplied in a smart card or similar, right?

I think we can safely ignore this objection because with a mobile device which now is in the hands of many more people than PCs, the device itself = key storage.

Slightly further down the road the device will also be able to wirelessly "roam" into the kiosk/ATM/POS/whatever but that won't happen until the keys are safely and conveniently stored and managed in the mobile device. Currently key enrollment is performed through proprietary methods since the mobile OS vendors haven't fully understood this use-case yet. Do they ever talk to EU or Asian banks? Probably not.

In Sweden the banks have launched an ID-App which can be used both "as-is" or as a stand-alone "PC-companion" where you initiate an authentication on the PC and then meet that request with the mobile ID-App. It has effectively become the Swedish version of the electronic ID-card, not relying on non-existing browser support and quirky card middleware.

I developed a more universal version of this a year ago where the PC part is using QR-code which unlike the banks (hard-coded single-provider solution...) isn't secret:

https://openkeystore.googlecode.com/svn/resources/trunk/docs/QR-ID-presentation.pdf
https://play.google.com/store/apps/details?id=org.webpki.mobile.android

thanx,
Anders

Received on Monday, 2 June 2014 05:51:14 UTC