Re: [Agenda] 23 May 2024 WPWG meeting

If there is room in the agenda I'd like to discuss a problem we are trying
to solve in the WICG with relation to Web Monetization
<https://webmonetization.org/>.
Specifically, we are trying to find a way to securely provision a signing
key in the browser to be able to make signed API calls to a 3rd-party
(digital wallet, PSP, bank, etc.) to initiate small payments without user
interaction.

For some context, the user experience is that the user authorizes the
browser to make certain payments (under a specific value, to specific
merchants, etc.) without requiring strong authentication.

For example, the user approves their browser sending "micro-payments"
(under $1) up to a limit of $10 per month to websites they visit.
Each time the user visits a website that is able to receive these payments
the browser makes a payment based on some heuristic (e.g. the user visits
it often).

We don't want the browser to invoke WebAuthn/passkeys each time it makes an
API call in order to sign the API call (signed API requests are how the
system authenticates the client) but we are also wary of keys in software
that can be exfiltrated.

I have a proposal for how this could work and would like 15 minutes to walk
it through and get feedback, if time allows.



On Tue, May 21, 2024 at 6:26 PM Ian Jacobs <ij@w3.org> wrote:

> Dear Web Payments WG,
>
> Here is the agenda for our 23 May teleconference:
>   https://github.com/w3c/webpayments/wiki/Agenda-20240523
>
> Currently confirmed:
>
> • SPC and device binding
> • Next meeting: 6 June
>
> For meeting information, log into the W3C calendar:
> https://www.w3.org/groups/wg/payments/calendar
>
> For the co-Chairs,
> Ian
>
> --
> Ian Jacobs <ij@w3.org>
> https://www.w3.org/People/Jacobs/
> Tel: +1 917 450 8783

Received on Wednesday, 22 May 2024 13:03:13 UTC