- From: Adrian Hope-Bailie <adrian@hopebailie.com>
- Date: Tue, 10 May 2016 10:34:27 +0200
- To: Payments WG <public-payments-wg@w3.org>
- Cc: GALINDO Virginie <Virginie.Galindo@gemalto.com>
- Message-ID: <CA+eFz_+AV2bk-YR05y7LQk2d0vbVSuJY+B_Nn_s3ZPshdm8UvA@mail.gmail.com>
Hi all,

The HW-SEC CG met recently and have posted up the findings of their face to face. One deliverable they are working on is a transaction confirmation API which I think will be particularly interesting for anyone that wishes to write browser-based payment apps.

https://github.com/w3c/websec/blob/gh-pages/hb-secure-services/etherpad-04-26-27.md#transactionconfirmationapi---champion-sebastien

*Goal of the API: "to give some assurance to a remote entity that a transaction is confirmed. Confirm that what was sent was communicated to the user, and that what was displayed to the user is what was confirmed. Confirmation should include a signature and also some information about the secure environment (which vendor, is it hardware, is there tamper protection, is there any certification - with clarity of both display and input as these may have separate security "levels") - this will help the remote entity understand how confident they can be in the response."*

I'd recommend that those of you in the WG interested in this aspect of the payment flow review and provide feedback as this work progresses.

It's my feeling that this functionality is not in-scope for the payment API itself [1] [2] (which simply passes the initial request from the payee website to a payment app). This functionality cannot currently be achieved using browser-based payment apps so this would be a great enabling capability for these in future.

Adrian

[1] https://github.com/w3c/browser-payment-api/issues/31
[2] https://github.com/w3c/browser-payment-api/issues/41

Received on Tuesday, 10 May 2016 08:43:05 UTC