W3C home > Mailing lists > Public > public-payments-wg@w3.org > May 2016

Re: Call for reviews of HTTP API and Core Messages proposals

From: Tommy Thorsen <tommyt@opera.com>
Date: Tue, 3 May 2016 09:37:40 +0200
Message-ID: <CA+zGpV3oiR0Bsc31zwDHObk2GUtzDBm8Tf05XptYH1og02gKsw@mail.gmail.com>
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: Web Payments Working Group <public-payments-wg@w3.org>
> I'm a bit concerned about your "Accept: text/html;application/json" use
> case because it makes a number of assumptions that are not clearly
> spelled out in #128.
> For example, the HTTP API could most likely depend on standard
> authentication mechanisms like Digest, HTTP Signatures, Negotiate,
> OAuth, etc. This is what this demo will do in time:
> http://http-mediator-demo.web-payments.io/
I guess you're right, but does that mean it's not really feasible to unify
the two payment app types? HTTP Payments and Web Payments already use
different user-agents. And the payee will need bespoke implementations for
each of the two payment types. If the payment apps can't be shared either,
what is common between the two systems? Only the format of the request and
response messages? That's not a whole lot... If HTTP Payments and Web
Payments do not share anything meaningful, then we are creating two
entirely separate ecosystems, rather than a single ecosystem which is
accessible via both Web and HTTP.

Katie Haritos-Shea spoke earlier about how important the HTTP Payment
specification is to accessibility. Now, increased accessibility is
something I am very much in favor of, but I wonder: if HTTP Payments is not
a method that lets users with disabilities interact with the grand
ecosystem used by everyone to make payments -- but instead is a method that
lets users with disabilities interact with a completely separate ecosystem
from what everyone else is using -- does it still have value? And who will
create this separate ecosystem?

> Also, does the browser load the text/html page into a secure context
> without a URL (the user is not redirected to the payment app website) or
> does it redirect the user to the payment app website?

All the details aren't clear here, but I think it will load it as a regular
web page with a url and everything. However, the payment app will be loaded
in a separate context (much like a webview overlaid on top of the regular

> How do native
> payment apps work? How does the browser send the payment request to the
> native payment app? Via native OS messaging, or are we requiring native
> payment apps to open HTTP ports on localhost? And if we do that, what
> are the security implications?
I don't know how the native apps will work. I think for mobile platforms,
it is completely up to those that own the platform to decide how this
should work, and we couldn't dictate this to them even if we wanted to.

> We have a number of use cases in our published Web Payments Use Cases
> 1.0 document that would benefit (or need) an HTTP API:
> https://www.w3.org/TR/web-payments-use-cases/#uc-freemium
> https://www.w3.org/TR/web-payments-use-cases/#uc-email
> https://www.w3.org/TR/web-payments-use-cases/#uc-preauth
> https://www.w3.org/TR/web-payments-use-cases/#uc-machine-readability
> https://www.w3.org/TR/web-payments-use-cases/#uc-live-prices
> https://www.w3.org/TR/web-payments-use-cases/#uc-trialware
> https://www.w3.org/TR/web-payments-use-cases/#uc-vehicle
> https://www.w3.org/TR/web-payments-use-cases/#uc-subscription
> https://www.w3.org/TR/web-payments-use-cases/#uc-discovery
> https://www.w3.org/TR/web-payments-use-cases/#uc-automatic-selection
> https://www.w3.org/TR/web-payments-use-cases/#uc-
> https://www.w3.org/TR/web-payments-use-cases/#uc-payer-initiated
> https://www.w3.org/TR/web-payments-use-cases/#uc-electronic-receipts
> https://www.w3.org/TR/web-payments-use-cases/#uc-refund
These are pretty good, thanks!
Received on Tuesday, 3 May 2016 07:38:11 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 3 May 2016 07:38:11 UTC