- From: Sauski <notifications@github.com>
- Date: Mon, 25 Jan 2021 07:22:41 -0800
- To: w3c/payment-request <payment-request@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/payment-request/issues/936/766891640@github.com>
I'd would echo @samuelweiler's general concerns; we should be referring to concrete mitigations where available. If I'm understanding correctly, @ianbjacobs, you're suggesting that the Payment Request API set the bar (at "adequate consent") for payment handlers to meet, _without_ referring to concrete mitigations. Given that the specifications that would be required to meet this bar are earlier in development (and thus may not yet have well-defined mitigations), at a high level I could see this being a valid approach. But nevertheless, if we take this path, I think we should be mores specific about what we mean by "adequate consent". Consent is a notoriously nebulous idea. The [threat model analysis even makes mention of this](https://w3c.github.io/webpayments/proposals/privacy-threat-model.html#user-consent). Helpfully though, it already offers a deeper explanation of what is important (rather than attempting to define consent), these two points feel particularly pertinent: - The ability to identify the parties they are interacting with; - Deliberate expression of intent to interact and consent to share data. If you'd like to avoid including specific mitigations, and instead opt for stating a more general requirement, what do you think about including these points? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/payment-request/issues/936#issuecomment-766891640
Received on Monday, 25 January 2021 15:22:54 UTC