Re: [w3c/webpayments] European market - Security concerns (#210)

@marcoscaceres @adrianhopebailie Security reviews have been requested by the WG chairs.  I don't get how you can do such for _Web-based_ payments unless you are an absolute über expert on every possible topic (I'm not).  Is there a security model description somewhere?  Off the top of my head I can't say I understand:
- Where (and how) is SOP overridden?  ServiceWorkers do that? IFRAME does the trick?
- Where (and how) are payment credentials stored?
- How do you perform cryptographic operations in payment apps?

It is (off-list) often claimed that FIDO Alliance products are the intended authentication solution.  If that's the case _it rather brings the issuer into the scenario_ while payment gateways would only be dealt with in the background through merchants, right?

Received on Thursday, 9 February 2017 05:20:08 UTC