Re: [w3c/browser-payment-api] Why another API? (#203)

Actually, the browser version number should not be considered a browser differences available for fingerprinting.  It is of course, but it's unavoidable. 

We should obviously not allow anything into this API specification that allows for fingerprinting beyond the browser version number, even if the wallet app is badly behaved.  It appears a some active participants were conscious of that requirement, although maybe it should be given an issue an verbiage in the spec. 

I'm mentioned in a few places that payment apps must be treated as hostile to the user because merchant provided payment apps are occasionally discussed.  I believe that never literally made it into the specification itself though.  

In any case, it's ridiculous to imagine that payment apps will be secure, anonymous, etc., not when the financial world runs on "zero factor authentication".  Now [Taler](http://taler.net/) actually does do things correctly, except that we leak that Taler is installed, but we're an extreme case. 

---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/browser-payment-api/issues/203#issuecomment-220843381

Received on Sunday, 22 May 2016 17:02:08 UTC