Re: Mozilla and navigator.mozPay() for Firefox OS from Kumar McMillan on 2013-01-22 (public-webpayments@w3.org from January 2013)

From: Kumar McMillan <kmcmillan@mozilla.com>
Date: Tue, 22 Jan 2013 11:35:35 -0600
To: Melvin Carvalho <melvincarvalho@gmail.com>
Cc: public-webpayments@w3.org
Message-Id: <AF8BE7EA-FCF1-469C-95B3-D887F3E28491@mozilla.com>
On Jan 22, 2013, at 8:17 AM, Melvin Carvalho <melvincarvalho@gmail.com> wrote:

> 
> 
> On 19 January 2013 22:03, Kumar McMillan <kmcmillan@mozilla.com> wrote:
> Hi all,
> I am new to the list so please bear with me as I check out the archives and catch up with PaySwarm, etc.
> 
> I wanted to introduce myself (hello!) and the work I've been doing on payments at Mozilla. As you may know, Mozilla wants to disrupt the proprietary world of mobile apps by bringing open, standard, and soon-to-be-standard ways of building mobile apps. This effort is culminating in the release of Firefox OS, a mobile system based on Gecko. It will be shipping on phones very soon in Latin America and Europe and all development has been open from day one.
> 
> A critical part of this effort is making payments secure and easy on the mobile web. A user will already be on the phone so why not charge a payment to their bill? I've been involved in designing a web payment API from early lab prototypes up to now where we'll be shipping a payment API for use by any open web app running on Firefox OS (soon Android, then desktop, etc). This is navigator.mozPay() which you can read about in https://wiki.mozilla.org/WebAPI/WebPayment and also in https://wiki.mozilla.org/WebAPI/WebPaymentProvider The latter describes the server side of which Mozilla will ship an implementation, currently in progress at https://github.com/mozilla/webpay
> 
> But wait! I want to be ultra clear that this first version is not a *decentralized* payment API to facilitate trust between customers, merchants, and payment processors. At best, you could call it an open payment API where any whitelisted payment provider lets merchants (who have a pre-arranged relationship with that provider) sell goods to customers on the web. Only vendors who ship Firefox OS on their device can whitelist payment providers. It is not user editable.
> 
> Making the payment API fully decentralized was *very hard*. Mostly because setting up the trust part is tricky when money is involved. We instead focused on shipping something :) It is heavily based on Google Wallet's goog.payments.inapp.buy() and solves the "easier" problems like proving the intent of the merchant (yes, I want to sell this item for $X.XX), proving that payment was received (server to server postbacks), and minimizing spoofability in the browser UI. It does not attempt to provide distributable, decentralized receipts for purchased goods but we did address that problem with app receipts https://wiki.mozilla.org/Apps/WebApplicationReceipt
> 
> In the future, Mozilla is very interested in pursuing a decentralized payment model that works securely for all parties on the web and is quick and painless for users. Right now, anyone can participate as a payment provider on Firefox OS but they'd have to roll their own (like Stripe, PayPal, etc). It is in our interest to level the playing field for payments so that anyone on the web can participate in sending and receiving money for digital goods without rolling their own system.
> 
> I look forward to catching up on all the work already done by everyone here. Let me know if you have questions about navigator.mozPay().
> 
> Hi Kumar & welcome!
> 
> Quick question:  will the Mozilla payments system be based on the "email only" approach?  
> 
> In the web payments group we tend to support both user profiles as well as email style identifiers. 
> 
> Am interested to understand the approach to user identifiers that Mozilla wish to take with payments.

Hi Melvin.
Mozilla's v1 payment system is tightly coupled with Mozilla's implementation of the Web Payment Provider spec [1]. A buyer will use a Persona email to log in and make purchases. This is a long-term login on their phone so they will also need to enter a PIN each time they make a purchase. Merchants (third party apps, including Mozilla's Marketplace) will need to sign up on Mozilla's Developer Hub, enter in bank account details, and generate a secret key. They'll use that key on their app server to securely generate a JWT (JSON Web Token) that specifies the product name, description, and price point. Price points are converted to actual prices in a currency by Mozilla's Marketplace. The merchant passes that to navigator.mozPay() and the UI in Firefox OS guides the buyer through the payment process. So in this case email identifiers are probably moot because there is no decentralized way to connect merchants to payment processors and buyers to payment providers. We hope future versions will adopt a more decentralized model but this initial API is one that we'll ship and learn from.

[1] https://wiki.mozilla.org/WebAPI/WebPaymentProvider

>  
> 
> Kumar
> 
> 
> 
> 
>
Received on Tuesday, 22 January 2013 17:36:04 UTC