
Secure WebPayments V1

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Wed, 30 Sep 2015 06:58:53 +0200
To: "public-web-security@w3.org" <public-web-security@w3.org>
Cc: Ian Jacobs <ij@w3.org>
Message-ID: <560B6C0D.60607@gmail.com>

Dear list,
On https://test.webpki.org/webpay-merchant you'll find a starting point for what may be the first publicly described and testable system for End-2-End-Secured (E2ES) Web Payments.

E2ES in this context means that the user authorization is created in a local Wallet through a signature and then encrypted, and that it remains so through any number of hops on its way back to the bank.

Talking about signatures, the Web Payment system builds heavily on a new scheme for "Signed JSON" [1].
Hey, didn't the IETF just finish such a thing?  No, IETF-JOSE are JSON-flavored cryptographic containers where the data 1) has no relation to JSON and 2) is shrouded in Base64.  For the "Russian doll" kind of messages (one message wraps another, etc.) extensively used in this system, JOSE would, simply put, look too ugly :-)

The payment credentials are stored in a virtual smart card (a real one would have been equally possible but would make public testing much more difficult), which not only contains keys but also associated attributes such as card images for use in the Wallet UI.

Although this is a payment system, the primary purpose of this exercise was actually to test and verify the usefulness of Native Messaging: https://github.com/cyberphone/web2native-bridge#api

How does this work relate to http://www.w3.org/Payments/IG ?
Not at all, since the W3C is not defining a payment system but rather some kind of Web layer running on top of existing and new payment systems.

Anders Rundgren

[1] https://mobilepki.org/jcs
Received on Wednesday, 30 September 2015 04:59:29 UTC
