Re: Updated Web Payments Working Group Charter

On 07/17/2015 07:39 PM, Ian Jacobs wrote:
> Hi all,
> 
> It was very motivating to read the charter that was revised during my absence. Many thanks to all the people who have
> sent comments to the list, and to Adrian for so diligently incorporating the feedback.
> 
> I took a pass today; here is the revised charter:
>  http://www.w3.org/2015/06/payments-wg-charter

Great work, IG! The charter gives a good sense of not just what we're
thinking about, but how we plan to get there. I made a few editorial
recommendations in pull requests.

A few more substantive questions (apologies if I missed someplace these
were previously discussed):
2.2 Security and Privacy Considerations
> verification of all message originators
s/verification/authentication/

> W3C is planning to charter other Working Groups to develop standards,
> covering topics such as security, that will be important in
> facilitating payments on the Web. The current Working Group will
> follow that work to help ensure compatibility with the payment flow
> standards produced by this Working Group. In particular, this group
> will consider how hardware-based solutions may be used to generate
> and store secrets for secure transactions, and how hardware devices
> may be used to verify a user's authenticity via biometry or other
> mechanisms.

proposed:
W3C is developing additional security-related work. The current Working
Group will follow that work to share use cases and to help assure
interoperability. This group may consider how hardware-based solutions
may be used to generate and store secrets for secure transactions and
how multi-factor or biometric methods may be used for secure authentication.


> The design of any public facing API should ensure it is not possible
> for such data to be leaked through exploitation of the API.

I like the goal, but I'm not sure we can make such strong assurances in
API design.
"...should guard against the unwanted leakage of such data through
exploitation of the API." ?

3.1 Recommendation-track deliverables
> Proof of Payment: a verifiable payment authorization from the account
> provider to the payee. The proof must include information about the
> payment request (a transaction reference or similar) and the payer's
> payment instrument.

Is "verifiable" part of the vocabulary? Or is that deliverable larger
than a vocabulary, to include the method of verification?

4. Dependencies and Liaisons
> Web Cryptography Working Group
> Consultation on encryption of messages that are part of these APIs.

I don't think we expect to keep WebCrypto going after it publishes as
Rec. The WebSec IG and IETF CFRG would be better places for these
consultations.

7. Decision Policy
> provisional until 5 working days after the publication of the resolution in draft minutes, available from the WG's calendar or home page
Is someone committed to rapid updating of those Web pages with minutes
links, or is sharing by email also a good way to circulate minutes drafts?

Thanks,
--Wendy

-- 
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
http://wendy.seltzer.org/        +1.617.863.0613 (mobile)

Received on Saturday, 18 July 2015 16:20:06 UTC