Re: Request for review of Web Payments WG specifications in preparation for Candidate Recommendation

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Thu, 5 Jan 2017 07:03:52 +0100
To: GALINDO Virginie <Virginie.Galindo@gemalto.com>, "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <4da668a6-6ac8-b43f-c88b-c6d9ade5d5f2@gmail.com>

On 2017-01-04 18:19, GALINDO Virginie wrote:
> Dear all,
> We are requested to review the security of the Web Payment WG deliverables.

These are the currently supported "Web" payment methods:
https://w3c.github.io/webpayments-methods-card/
https://w3c.github.io/webpayments-methods-credit-transfer-direct-debit/

AFAICT, there are no specified security constructs.

The "App" based methods like Android Pay, Apple Pay, etc. come with proprietary (non-public) security solutions and are therefore not possible to review.

I believe the following work-item better reflects what the payment providers are looking for:
https://fidoalliance.org/fido-alliance-announces-new-authentication-specification-effort-with-emvco-to-bring-added-security-and-convenience-to-mobile-payments/

Anders

> Regards,
> Virginie
>
> -----Original Message-----
> From: Ian Jacobs [mailto:ij@w3.org]
> Sent: mercredi 4 janvier 2017 14:54
> To: Chairs <chairs@w3.org>
> Cc: addison@amazon.com; Janina Sajka <janina@rednote.net>; runnegar@isoc.org; tjwhalen@google.com; GALINDO Virginie <Virginie.Galindo@gemalto.com>
> Subject: Request for review of Web Payments WG specifications in preparation for Candidate Recommendation
>
> Dear Chairs,
>
> In April 2016 the Web Payments Working Group (WPWG) published first drafts of three specifications to make payments on the Web easier and more secure.
> In the nine months since, the specifications have matured significantly through the feedback and experience of multiple implementers:
>
>  * Payment Request API (PR API)
>    https://w3c.github.io/browser-payment-api/
>
>       PR API issues list:
>       https://github.com/w3c/browser-payment-api/issues
>
>  * Payment Method Identifiers (PMI)
>    http://w3c.github.io/webpayments-method-identifiers/
>
>       PMI issues list:
>       https://github.com/w3c/webpayments-method-identifiers/issues
>
>  * Basic Card Payment
>    https://w3c.github.io/webpayments-methods-card/
>
>       Basic Card issues list:
>       https://github.com/w3c/webpayments-methods-card/issues
>
> In order to prepare for advancement to Candidate Recommendation, the WPWG now invites further review by other W3C groups, and these in particular:
>
>   - Accessible Platform Architectures (APA) Working Group
>   - Internationalization Working Group
>   - Privacy Interest Group
>   - Web Security Interest Group
>
> The WPWG does not yet have a timetable for requesting to advance to Candidate Recommendation, but encourages review by the end of February 2017 (in advance of the group's March face-to-face meeting [3]).
>
> Web Payments Overview 1.0 [4] provides an introduction. For more information about the Web Payments Working Group, see:
>    https://github.com/w3c/webpayments/wiki
>
> For the co-Chairs Adrian Hope-Bailie and Nick Telford-Reed; Ian Jacobs, W3C Payments Lead
>
> [1] https://www.w3.org/blog/news/archives/5371
> [2] https://www.w3.org/2015/Process-20150901/#wide-review
> [3] https://github.com/w3c/webpayments/wiki/FTF-March2017
> [4] https://www.w3.org/TR/payments-overview/
>
> --
> Ian Jacobs <ij@w3.org>      http://www.w3.org/People/Jacobs
> Tel:                       +1 718 260 9447
Received on Thursday, 5 January 2017 06:04:30 UTC