- From: Anders Rundgren <notifications@github.com>
- Date: Fri, 27 Aug 2021 21:07:57 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Saturday, 28 August 2021 04:08:10 UTC
For the reviewers it might be useful knowing that SPC introduces lots of non-trivial issues like: - Changes in the WebAuthn access model: https://w3c.github.io/secure-payment-confirmation/#sctn-payment-extension-registration - https://w3c.github.io/secure-payment-confirmation/#sctn-privacy-probing-credential-ids Anyway, the by far biggest (_but not mentioned_) issue, is the reliance on merchant access to bank-related security services which in practice makes SPC out of scope for the majority of merchants who are thus forced to use outsourced "checkout" services. That practically all WPWG members who have publicly given SPC their support are into this kind of business does not come as surprise. As a contrast, a properly designed "wallet" isolates merchants from accessing user specific data like card numbers and FIDO authenticators. Only the wallet has access to such data. In addition, a wallet does not need external access to perform user authorization, making a wallet API potentially usable by _any_ merchant, regardless of size. Don't get me wrong, SPC seems legit as a "vendor" standard/initiative. As an international standard from an organization like the W3C, maybe not. @torgo @hober @kenchris @hadleybeeman -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/544#issuecomment-907563806
Received on Saturday, 28 August 2021 04:08:10 UTC