- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Wed, 16 Sep 2015 15:47:29 +0200
- To: Adrian Hope-Bailie <adrian@hopebailie.com>
- Cc: "public-webpayments-comments@w3.org" <public-webpayments-comments@w3.org>, Web Payments CG <public-webpayments@w3.org>
On 2015-09-16 15:03, Adrian Hope-Bailie wrote:
> <snip>
>
> > > The best example I could find is in the Web Notifications PR published
> > > earlier this month: http://www.w3.org/TR/2015/PR-notifications-20150910/#displaying-notifications
> >
> > I don't understand much of this spec :-(
> > But I doubt it has any bearing on invocation of wallets and such.
>
> </snip>
>
> To be clear, I am not suggesting that the Web payments API in the
> browser would invoke the notifications API on the host platform.

I see.

> I am drawing attention to a precedent for invocation of a platform
> API as a result of a browser API being invoked.

The difference is that notifications are passive and fairly innocent (unless you are bombarded by them), while wallets are active, "full-duplex", and attractive for various attacks.

> What is not clear to me is how this would work for cloud-based wallets.
> Perhaps the recommendation would be that the browser allows the user to
> provide a wallet API endpoint (URL) that conforms to our recommendations
> or it will invoke the platform's payment API?

I think we should make a distinction between Web-wallets like PayPal and Google Wallet for Android, which was (is?) a local wallet using cloud-based payment credentials. The security model required by Web wallets won't permit payment instrument enumeration, so they have rather different characteristics compared to any form of local wallet.

Anders
Received on Wednesday, 16 September 2015 13:48:12 UTC