- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Tue, 10 Mar 2015 08:11:16 +0100
- To: "public-webpayments-comments@w3.org" <public-webpayments-comments@w3.org>, Web Payments CG <public-webpayments@w3.org>
Hi,

Although it would be cool with a browser-based wallet, it hasn't happened.

What has happened, and on a major scale as well, is using mobile phones as OOB (Out Of Band) wallets. AFAIK, the biggest e-commerce network of all, China's Alibaba, uses mobile phones as a confirmation method which is more convenient and securer than CNP (Card Not Present).

Since browser plugins have been "outlawed", Sweden's BankID also turned to an OOB-scheme which is far from perfect but allows them to use client-PKI in a mobile container. It works like this:

1. The user creates a tentative logon using a claimed identity
2. The BankID app is used to hook into this session and provide a PKI-signed assertion
3. If the claimed and asserted identities match, the user is logged in.

I once created a variant of BankID which doesn't rely on hard-coded URLs and pre-authentication:

https://openkeystore.googlecode.com/svn/resources/trunk/docs/QR-ID-presentation.pdf#page=3
https://play.google.com/store/apps/details?id=org.webpki.mobile.android

Given the complete standstill on SDO activities for marrying smart cards with the web, using mobile phones in OOB-mode indeed turned out to be the right move!

Anders
Received on Tuesday, 10 March 2015 07:11:59 UTC
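
The three-step out-of-band logon listed in the message above, sketched as an added example; it is not part of the original message and is not BankID's actual protocol or API. Assumptions: Ed25519 key pairs stand in for the client PKI, the function names and the 60-second session lifetime are hypothetical, and the signature is made to cover the session id so that an assertion only counts for the session it was made for.

```javascript
const { generateKeyPairSync, randomBytes, sign, verify } = require("node:crypto");

// Constructed enrolment data: identity -> public key (stands in for a certificate).
const keys = { alice: generateKeyPairSync("ed25519"), mallory: generateKeyPairSync("ed25519") };
const enrolled = new Map(Object.entries(keys).map(([id, k]) => [id, k.publicKey]));
const sessions = new Map(); // sessionId -> { claimedId, expires, loggedIn }

// Step 1 (browser -> site): tentative logon for a claimed identity.
function startLogin(claimedId) {
  const sessionId = randomBytes(16).toString("hex");
  sessions.set(sessionId, { claimedId, expires: Date.now() + 60_000, loggedIn: false });
  return sessionId; // handed to the phone out of band, e.g. as a QR code
}

// Step 2 (phone app): sign the session id together with the asserted identity.
function signAssertion(sessionId, assertedId, privateKey) {
  const signature = sign(null, Buffer.from(`${sessionId}|${assertedId}`), privateKey);
  return { assertedId, signature };
}

// Step 3 (site): verify the signature, then compare claimed and asserted identity.
function completeLogin(sessionId, { assertedId, signature }) {
  const s = sessions.get(sessionId);
  if (!s || s.loggedIn || Date.now() > s.expires) return "rejected: no pending session";
  const publicKey = enrolled.get(assertedId);
  // Rebuild the signed bytes from the site's own session id, not from client input.
  const signed = Buffer.from(`${sessionId}|${assertedId}`);
  if (!publicKey || !verify(null, signed, publicKey, signature)) return "rejected: bad signature";
  if (assertedId !== s.claimedId) return "rejected: identity mismatch";
  s.loggedIn = true; // single use: the same session cannot be completed twice
  return "logged in";
}
```
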