- From: Peter Saint-Andre <notifications@github.com>
- Date: Mon, 12 Feb 2018 19:23:23 +0000 (UTC)
- To: w3c/3ds <3ds@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 12 February 2018 19:23:47 UTC
Thanks for further discussion @asolove-stripe. Here's what I'm struggling with.... The last mile is the browser. Even if my issuer thinks I'm automatically signed up with 3DS 2.0 and there are contractual relationships in place among all the "server-side" parties (brand, issuer, PSP, merchant, etc.), my browser doesn't know that. All it knows is that it's receiving a device authentication (fingerprinting) request from a particular web origin. From a permissions and privacy perspective, how does the user agent know it's OK to run that script? IMHO the glue here might be the user's installation of a payment handler associated with the issuer and the inclusion in that payment handler of a whitelist of origins that are allowed to engage in device authentication. If we don't establish some sort of trust model, then any arbitrary web origin could gather way too much information about the user's device, location, settings, etc. - and that's not a desirable outcome given the prevalence of malefactors on the web. Am I missing something obvious in the picture we've painted so far...? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/3ds/issues/2#issuecomment-365033212
Received on Monday, 12 February 2018 19:23:47 UTC