W3C home > Mailing lists > Public > public-payments-wg@w3.org > February 2017

Re: [w3c/webpayments] European market - Security concerns (#210)

From: Anders Rundgren <notifications@github.com>
Date: Wed, 08 Feb 2017 21:19:05 -0800
To: w3c/webpayments <webpayments@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/webpayments/issues/210/278549892@github.com>

@marcoscaceres @adrianhopebailie Security reviews have been requested by the WG chairs.  I don't get how you can do such for _Web-based_ payments unless you are an absolute über expert on every possible topic (I'm not).  Is there a security model description somewhere?  Off the top of my head I can't say I understand:
- Where (and how) is SOP overridden?  ServiceWorkers do that? IFRAME does the trick?
- Where (and how) are payment credentials stored?
- How do you perform cryptographic operations in payment apps?

It is (off-list) often claimed that FIDO Alliance products are the intended authentication solution.  If that's the case _it rather brings the issuer into the scenario_ while payment gateways would only be dealt with in the background through merchants, right?

Received on Thursday, 9 February 2017 05:20:08 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 16:43:24 UTC