RE: Payment App spec implementations

Fair enough, I think. I'm not exactly sure what was meant by compelling though.


Steve Sommers
Senior Vice President, Applications Development

Shift4 Corporation
1491 Center Crossing Road
Las Vegas, NV  89144-7047

702.597.2480 ext. 40400
fax 702.597.2499
www.shift4.com
steve@shift4.com

facebook.com/shift4corp
twitter.com/shift4corp
linkedin.com/companies/shift4-corporation
shift4.com/blog



This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version.

-----Original Message-----
From: Manu Sporny [mailto:msporny@digitalbazaar.com]
Sent: Monday, March 20, 2017 11:24 AM
To: public-payments-wg@w3.org
Subject: Re: Payment App spec implementations

On 03/13/2017 12:07 PM, Steve Sommers wrote:
> Really both. I realize that some of the complexity will be distilled
> down by the time it reaches the Payment Apps API layer that I'm most
> interested in, but still, no matter where the complexity resides, it
> still introduces vulnerabilities or at least attack vectors.

Yes, agreed on your general point.

> Has anyone stepped back and reevaluated the problem to see if there is
> a simpler, less complex solution?

Yes, there was a proposal in the beginning that was simpler, that didn't try to do as much wrt. Shopping Cart / Checkout, but the group decided that that solution was not compelling enough to gain adoption. So, we have what we have today, which is more monolithic and complex, but is (in theory) more compelling.

In general I think the group is concerned about unnecessary complexity, but it's not clear what is and isn't unnecessary at this point, and it's only when we identify/discover an attack using the API that there will be more attention paid to reducing complexity (or increasing it in order to re-establish security expectations).

-- manu

--
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Rebalancing How the Web is Built
http://manu.sporny.org/2016/rebalancing/

Received on Monday, 20 March 2017 18:32:25 UTC