Re: First draft of Browser Payments 1.0 spec published from Melvin Carvalho on 2013-05-07 (public-webpayments@w3.org from May 2013)

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Tue, 7 May 2013 20:05:54 +0200
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: Web Payments CG <public-webpayments@w3.org>
Message-ID: <CAKaEYhL6XYCXfpdi+0qpricUu_60K0BDbGR7ewb1YCvVbdd=6A@mail.gmail.com>

On 7 May 2013 19:14, Manu Sporny <msporny@digitalbazaar.com> wrote:

> Browser Payments 1.0 API
> ------------------------
>
> Kumar McMillan (Mozilla) and I (PaySwarm/Web Payments) have just
> published the first Web Payments Community Group draft of the Browser
> Payments 1.0 API.
>
> The purpose of the spec is to establish a way to initiate payments from
> within the browser. It is currently a direct port of the mozPay API
> framework that is integrated into Firefox OS. It enables Web content to
> initiate payment or issue a refund for a product or service. Once
> implemented in the browser, a Web author may issue navigator.payment()
> function to initiate a payment.
>
> The current spec can be read here:
>
> http://web-payments.github.io/browser-payments/
>
> The github repo for the spec is here:
>
> https://github.com/web-payments/browser-payments/
>
> Keep in mind that this is a very, very early draft of the spec. There
> are lots of prose issues as well as bugs that need to be sorted out.
> There are also a number of things that we need to discuss about the spec
> and how it fits into the larger Web ecosystem. Things like how it
> integrates with Persona and PaySwarm are still details that we need to
> suss out. There is an bug issue tracker for the spec here:
>
> https://github.com/web-payments/browser-payments/issues
>
> The Mozilla guys will be on next week's Web Payments telecon for a Q/A
> session about this specification. Join us if you're interested in
> payments in the browser. The call is open to the public, details about
> joining and listening in can be found here:
>
> https://payswarm.com/minutes/
>

Looks cool!

I think perhaps there needs to be some thought about security.  Maybe even
a security considerations section.

One thing that springs to mind is.  If I have an email, but do not
implement /.well-known/browserid would it be possible for mozilla to
impersonate me and send a payment?


>
> -- manu
>
> --
> Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
> Founder/CEO - Digital Bazaar, Inc.
> blog: Meritora - Web payments commercial launch
> http://blog.meritora.com/launch/
>
>

Received on Tuesday, 7 May 2013 18:06:29 UTC