Re: Updated Web Payments Working Group Charter

Wendy,

Thanks for the comments.

David, I’d like to discuss one of Wendy’s questions on Monday’s call.

Ian

> On Jul 18, 2015, at 11:20 AM, Wendy Seltzer <wseltzer@w3.org> wrote:
> 
> On 07/17/2015 07:39 PM, Ian Jacobs wrote:
>> Hi all,
>> 
>> It was very motivating to read the charter that was revised during my absence. Many thanks to all the people who have
>> sent comments to the list, and to Adrian for so diligently incorporating the feedback.
>> 
>> I took a pass today; here is the revised charter:
>> http://www.w3.org/2015/06/payments-wg-charter
> 
> Great work, IG! The charter gives a good sense of not just what we're
> thinking about, but how we plan to get there. I made a few editorial
> recommendations in pull requests.
> 
> A few more substantive questions (apologies if I missed someplace these
> were previously discussed):
> 
> 
> 2.2 Security and Privacy Considerations
>> verification of all message originators
> s/verification/authentication/

No objection.

> 
>> W3C is planning to charter other Working Groups to develop standards,
>> covering topics such as security, that will be important in
>> facilitating payments on the Web. The current Working Group will
>> follow that work to help ensure compatibility with the payment flow
>> standards produced by this Working Group. In particular, this group
>> will consider how hardware-based solutions may be used to generate
>> and store secrets for secure transactions, and how hardware devices
>> may be used to verify a user's authenticity via biometry or other
>> mechanisms.
> 
> proposed:
> W3C is developing additional security-related work. The current Working
> Group will follow that work to share use cases and to help assure
> interoperability. This group may consider how hardware-based solutions
> may be used to generate and store secrets for secure transactions and
> how multi-factor or biometric methods may be used for secure authentication.

+1

> 
> 
>> The design of any public facing API should ensure it is not possible
>> for such data to be leaked through exploitation of the API.
> 
> I like the goal, but I'm not sure we can make such strong assurances in
> API design.
> "...should guard against the unwanted leakage of such data through
> exploitation of the API." ?

+1

> 
> 3.1 Recommendation-track deliverables
>> Proof of Payment: a verifiable payment authorization from the account
>> provider to the payee. The proof must include information about the
>> payment request (a transaction reference or similar) and the payer's
>> payment instrument.
> 
> is "verifiable" part of the vocabulary? or is that deliverable larger
> than a vocabulary, to include the method of verification?

Good question; I suggest we discuss at the Monday teleconference.

> 
> 4. Dependencies and Liaisons
>> Web Cryptography Working Group
>> Consultation on encryption of messages that are part of these APIs.
> 
> I don't think we expect to keep WebCrypto going after it publishes as
> Rec. The WebSec IG and IETF CFRG would be better places for these
> consultations.

The WebSec IG is already listed.

I am happy to replace the WebCrypto WG with (in the external liaisons section):

 IETF Crypto Forum Research Group (CFRG)
 https://irtf.org/cfrg

> 
> 7. Decision Policy
>> provisional until 5 working days after the publication of the resolution in draft minutes, available from the WG's calendar or home page
> Is someone committed to rapid updating of those Web pages with minutes
> links, or is sharing by email also a good way to circulate minutes drafts?

I would be happy to change:

 “after the publication of the resolution in draft minutes, available from the WG's calendar or home page”

to:

 “after the publication of the draft resolution.”

And leave mechanics out of the charter. Would that address your concern?

Ian


--
Ian Jacobs <ij@w3.org>      http://www.w3.org/People/Jacobs
Tel:                       +1 718 260 9447

Received on Saturday, 18 July 2015 19:57:23 UTC