RE: Request for review of Web Payments WG specifications in preparation for Candidate Recommendation

Anders,

Security reviews are expected for any piece of API in W3C. The fact that those features interface with unknown payment functions does not make the review impossible. We still ideally need to make sure that the content transmitted is not at risk when being 'touched' by the payment-related APIs.

The references to EMVCo and W3C Web Authentication are about a totally different feature, which will deserve all security attention, just like the Web Authentication API today.

Regards,
Virginie


-----Original Message-----
From: Anders Rundgren [mailto:anders.rundgren.net@gmail.com]
Sent: Thursday 5 January 2017 07:04
To: GALINDO Virginie <Virginie.Galindo@gemalto.com>; public-web-security@w3.org
Subject: Re: Request for review of Web Payments WG specifications in preparation for Candidate Recommendation

On 2017-01-04 18:19, GALINDO Virginie wrote:
> Dear all,
> We are requested to review the security of the Web Payment WG deliverables.

These are the currently supported "Web" payment methods:
https://w3c.github.io/webpayments-methods-card/
https://w3c.github.io/webpayments-methods-credit-transfer-direct-debit/

AFAICT, there are no specified security constructs.

The "App" based methods like Android Pay, Apple Pay, etc. come with proprietary (non-public) security solutions and are therefore not possible to review.

I believe the following work-item better reflects what the payment providers are looking for:
https://fidoalliance.org/fido-alliance-announces-new-authentication-specification-effort-with-emvco-to-bring-added-security-and-convenience-to-mobile-payments/

Anders

> Regards,
> Virginie
>
> -----Original Message-----
> From: Ian Jacobs [mailto:ij@w3.org]
> Sent: Wednesday 4 January 2017 14:54
> To: Chairs <chairs@w3.org>
> Cc: addison@amazon.com; Janina Sajka <janina@rednote.net>; runnegar@isoc.org; tjwhalen@google.com; GALINDO Virginie <Virginie.Galindo@gemalto.com>
> Subject: Request for review of Web Payments WG specifications in preparation for Candidate Recommendation
>
> Dear Chairs,
>
> In April 2016 the Web Payments Working Group (WPWG) published first drafts of three specifications to make payments on the Web easier and more secure.
> In the nine months since, the specifications have matured significantly through the feedback and experience of multiple implementers:
>
>  * Payment Request API (PR API)
>    https://w3c.github.io/browser-payment-api/
>
>       PR API issues list:
>       https://github.com/w3c/browser-payment-api/issues
>
>  * Payment Method Identifiers (PMI)
>    http://w3c.github.io/webpayments-method-identifiers/
>
>       PMI issues list:
>       https://github.com/w3c/webpayments-method-identifiers/issues
>
>  * Basic Card Payment
>    https://w3c.github.io/webpayments-methods-card/
>
>       Basic Card issues list:
>       https://github.com/w3c/webpayments-methods-card/issues
>
> In order to prepare for advancement to Candidate Recommendation, the WPWG now invites further review by other W3C groups, and these in particular:
>
>   - Accessible Platform Architectures (APA) Working Group
>   - Internationalization Working Group
>   - Privacy Interest Group
>   - Web Security Interest Group
>
> The WPWG does not yet have a timetable for requesting to advance to Candidate Recommendation, but encourages review by the end of February 2017 (in advance of the group's March face-to-face meeting [3]).
>
> Web Payments Overview 1.0 [4] provides an introduction. For more information about the Web Payments Working Group, see:
>    https://github.com/w3c/webpayments/wiki
>
> For the co-Chairs Adrian Hope-Bailie and Nick Telford-Reed; Ian Jacobs, W3C Payments Lead
>
> [1] https://www.w3.org/blog/news/archives/5371
> [2] https://www.w3.org/2015/Process-20150901/#wide-review
> [3] https://github.com/w3c/webpayments/wiki/FTF-March2017
> [4] https://www.w3.org/TR/payments-overview/
>
> --
> Ian Jacobs <ij@w3.org>      http://www.w3.org/People/Jacobs
> Tel:                       +1 718 260 9447
>
>
>
> ________________________________
>  This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited.
> E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender.
> Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus.
>


Received on Friday, 6 January 2017 13:32:43 UTC