- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Fri, 13 Feb 2015 21:12:33 +0100
- To: Dave Raggett <dsr@w3.org>, public-web-security@w3.org
On 2015-02-13 19:20, Dave Raggett wrote:
> The payments world has use cases for secure access to bank accounts from your browser and for installing and activating payment instruments as part of your digital wallet. Both of these require some way to bind web identities to real-world identities. An argument for an intent based approach is given in the following blog post for the Web Payments IG, see:
>
> http://www.w3.org/blog/wpig/2015/02/13/linking-web-identities-with-real-world-identities/
>
> Please note that this is my personal viewpoint and should not be taken as that of the Payments IG, nor of W3C.

Since on-line banks in Scandinavia have had "tokens" (OTP, PKI) for the past 20 years, may I take the liberty of outlining how this currently works in that part of the world?

For legal reasons you cannot get a bank account without having a verified citizen/resident identity. Such identities are usually issued by some kind of government agency. You have to visit the bank showing your ID in order to arrange the account and get a token. In my new country France, this process took hours and lots of papers including proof of habitation.

These procedures won't change due to the introduction of on-line provisionable tokens like U2F, although you may have to use your phone or email plus a one-time sign-up password for activating the provisioning if not performed in the office. I would guess that NFC will be used in a not-so-distant future.

I'm aware of the ideas of transferring KYC (Know Your Customer) when you change bank. I don't think this is realistic unless it becomes a law.

Personally I think the payment initiative should be cautious about messing with IDs because the world is fairly divided on this topic. IMO, the less ID the better :-)

Anders

>
> —
> Dave Raggett <dsr@w3.org>
Received on Friday, 13 February 2015 20:13:18 UTC