W3C home > Mailing lists > Public > public-payments-wg@w3.org > February 2017

Re: [w3c/webpayments] European market - Security concerns (#210)

From: Anders Rundgren <notifications@github.com>
Date: Wed, 08 Feb 2017 21:19:05 -0800
To: w3c/webpayments <webpayments@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/webpayments/issues/210/278549892@github.com>
@marcoscaceres @adrianhopebailie Security reviews have been requested by the WG chairs.  I don't get how you can do such for _Web-based_ payments unless you are an absolute ├╝ber expert on every possible topic (I'm not).  Is there a security model description somewhere?  On top of my head I can't say I understand:
- Where (and how) is SOP overridden?  ServiceWorkers do that? IFRAME does the trick?
- Where (and how) are payment credentials stored?
- How do you perform cryptographic operations in payment apps?

It is (off-list) often claimed that FIDO alliance products is the intended authentication solution.  If that's the case _it rather brings the issuer into the scenario_ while payment gateways would only be dealt with in the background through merchants, right?


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webpayments/issues/210#issuecomment-278549892
Received on Thursday, 9 February 2017 05:20:08 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 16:43:24 UTC