WebAuthn + PaymentRequest

Although I'm not personally involved in this work, I find the topic interesting anyway.  This appears to be the most concrete proposal:
https://www.w3.org/2020/02/3p-creds-20200219.pdf

There are a few things that are unclear, like "Your PISP", because unless the PISP is a major entity like Walmart, it would typically not be known by the User; it is rather something the Merchant uses.

Another way of dealing with this could be as follows:
- Bind a FIDO key to the ServiceWorker domain ("boa.com" in Dirk's presentation)
- Use a ServiceWorker-local UI (https://github.com/adrianhopebailie/modal-window ?) to show Merchant payment requests
- Perform ServiceWorker-local FIDO-assertions based on received payment request data
- Encrypt assertions using a ServiceWorker-local public key where "boa.com" would have the private counterpart
- Send completed packages (+ related domain identifiers for "routing") back to Merchants for fulfillment

This should be "fairly compatible" with existing card processing systems and vendors.  Yep, there is no PISP here...
No updates to FIDO should be required.

The (in)famous Saturn system takes this notion to yet another level but that is just an option:
https://cyberphone.github.io/doc/payments/y2020-strong-merchant-authorization.pdf

Thanx,
Anders

Received on Sunday, 12 April 2020 14:31:55 UTC
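
The flow listed in the message above, as an added sketch that is not part of the original post or of any project it links to: a WebAuthn-style assertion whose challenge is the hash of the payment request, encrypted to a key held by "boa.com", then opened and verified on the bank side. It runs in Node.js with the authenticator simulated by a P-256 key; the ECDH + HKDF + AES-256-GCM wrapping, the challenge derivation and all function and field names are assumptions.

```javascript
// Added example, runs in Node.js. The authenticator is simulated with a P-256 key;
// ECDH + HKDF + AES-256-GCM and all function/field names are assumptions.
const crypto = require('node:crypto');
const sha256 = (d) => crypto.createHash('sha256').update(d).digest();
const ecKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const aesKey = (priv, pub) => Buffer.from(crypto.hkdfSync('sha256',
  crypto.diffieHellman({ privateKey: priv, publicKey: pub }), Buffer.alloc(0), 'demo', 32));

const RP_ID = 'boa.com';  // ServiceWorker domain named in the post
const fido = ecKey();     // stands in for the FIDO key bound to boa.com
const bank = ecKey();     // boa.com keeps bank.privateKey

// ServiceWorker side: assert over the payment request, then encrypt for boa.com.
function sealPayment(requestJSON) {
  const clientData = Buffer.from(JSON.stringify({ type: 'webauthn.get',
    challenge: sha256(requestJSON).toString('base64url'), origin: `https://${RP_ID}` }));
  // authenticatorData = rpIdHash || flags (UP|UV) || signCount
  const authData = Buffer.concat([sha256(RP_ID), Buffer.from([0x05, 0, 0, 0, 1])]);
  const sig = crypto.sign('sha256', Buffer.concat([authData, sha256(clientData)]), fido.privateKey);
  const plain = JSON.stringify({ requestJSON, clientData: clientData.toString('base64'),
    authData: authData.toString('base64'), sig: sig.toString('base64') });
  const eph = ecKey(), iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', aesKey(eph.privateKey, bank.publicKey), iv);
  const ct = Buffer.concat([c.update(plain), c.final()]);
  return { routeTo: RP_ID, iv, ct, tag: c.getAuthTag(),
    epk: eph.publicKey.export({ type: 'spki', format: 'der' }) };
}

// boa.com side: decrypt, verify the assertion, return the request the user approved.
function openPayment(pkg) {
  try {
    const epk = crypto.createPublicKey({ key: pkg.epk, format: 'der', type: 'spki' });
    const d = crypto.createDecipheriv('aes-256-gcm', aesKey(bank.privateKey, epk), pkg.iv);
    d.setAuthTag(pkg.tag);
    const p = JSON.parse(Buffer.concat([d.update(pkg.ct), d.final()]).toString());
    const clientData = Buffer.from(p.clientData, 'base64');
    const authData = Buffer.from(p.authData, 'base64');
    const cd = JSON.parse(clientData.toString());
    const ok = cd.type === 'webauthn.get' && cd.origin === `https://${RP_ID}` &&
      cd.challenge === sha256(p.requestJSON).toString('base64url') &&
      authData.subarray(0, 32).equals(sha256(RP_ID)) && (authData[32] & 0x01) === 0x01 &&
      crypto.verify('sha256', Buffer.concat([authData, sha256(clientData)]),
        fido.publicKey, Buffer.from(p.sig, 'base64'));
    return ok ? JSON.parse(p.requestJSON) : null;
  } catch { return null; }  // bad tag, malformed package, wrong key
}
```

The Merchant only ever handles the opaque package plus `routeTo`; a production verifier would also need replay protection, such as a bank-issued nonce inside the signed request, which the message does not cover.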