Re: [w3c/webpayments] European market - Security concerns (#210)

@marcoscaceres @adrianhopebailie Security reviews have been requested by the WG chairs. I don't get how you can do such for _Web-based_ payments unless you are an absolute über expert on every possible topic (I'm not). Is there a security model description somewhere? Off the top of my head I can't say I understand:
- Where (and how) is SOP overridden?  ServiceWorkers do that? IFRAME does the trick?
- Where (and how) are payment credentials stored?
- How do you perform cryptographic operations in payment apps?

It is (off-list) often claimed that FIDO Alliance products are the intended authentication solution. If that's the case _it rather brings the issuer into the scenario_ while payment gateways would only be dealt with in the background through merchants, right?

https://github.com/w3c/webpayments/issues/210#issuecomment-278549892

Received on Thursday, 9 February 2017 05:20:08 UTC