RE: [Payments Architecture] A vision statement for the web payments architecture work

Hi Folks:

Ian wrote:
>  * Supports a wide spectrum of security needs to meet industry and regulatory expectations.
>    To meet regulatory requirements and give people enough confidence to use the Web for
>    payments, the architecture must support a wide spectrum of security requirements and
>    solutions. This includes the ability to encrypt strongly both sensitive information and the
>    channels used to exchange the information, as well as supporting an evolving variety of
>    authentication techniques (multifactor, biometric, etc.). Trust in the Web of payments
>    is critical to its success.

Yes, all good.  Gives a list of things that will be included.  Somehow (and there's a lot there already) I think it should say what we will attempt >not< to require.
Perhaps a second bullet for clarity:
"* Minimizes (eliminates?) reliance on Personally Identifiable Information (PII) to fulfill any requirements."

Best regards,
David

-----Original Message-----
From: Ian Jacobs [mailto:ij@w3.org]
Sent: Tuesday, May 19, 2015 4:03 PM
To: Manu Sporny
Cc: Web Payments IG; Web Payments CG
Subject: Re: [Payments Architecture] A vision statement for the web payments architecture work

* PGP Signed by an unknown key


> On May 19, 2015, at 1:17 PM, Manu Sporny <msporny@digitalbazaar.com> wrote:
>
> On 05/19/2015 02:02 PM, Adrian Hope-Bailie wrote:
>> Personally I think some mention of security is necessary but if there
>> is a consensus that it is not I'll happily drop it.
>
> I'm strongly in favor of keeping the statement about security in the
> vision document.
>
> I understand what Melvin is getting at, but I don't think we can get
> away with saying nothing about security in the vision primarily
> because most other people won't understand the nuances of
> decentralized systems scaling security up as their size grows (e.g. Bitcoin).

Although I am satisfied with "Being secure by design” here’s another perspective: security is SO important to payments it deserves a bullet in the list that follows. For example, something like:

  * Supports a wide spectrum of security needs to meet industry and regulatory expectations.
    To meet regulatory requirements and give people enough confidence to use the Web for
    payments, the architecture must support a wide spectrum of security requirements and
    solutions. This includes the ability to encrypt strongly both sensitive information and the
    channels used to exchange the information, as well as supporting an evolving variety of
    authentication techniques (multifactor, biometric, etc.). Trust in the Web of payments
    is critical to its success.

Ian

--
Ian Jacobs <ij@w3.org>      http://www.w3.org/People/Jacobs

Tel:                       +1 718 260 9447




* Unknown Key
* 0x0ECB09CB
________________________________
This electronic message, including attachments, is intended only for the use of the individual or company named above or to which it is addressed. The information contained in this message shall be considered confidential and proprietary, and may include confidential work product. If you are not the intended recipient, please be aware that any unauthorized use, dissemination, distribution or copying of this message is strictly prohibited. If you have received this email in error, please notify the sender by replying to this message and deleting this email immediately.

Received on Tuesday, 19 May 2015 20:11:15 UTC