W3C home > Mailing lists > Public > public-webpayments@w3.org > May 2013

Re: First draft of Browser Payments 1.0 spec published

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Thu, 09 May 2013 16:17:51 -0400
Message-ID: <518C046F.9040006@digitalbazaar.com>
To: Web Payments CG <public-webpayments@w3.org>
On 05/07/2013 02:05 PM, Melvin Carvalho wrote:
> https://github.com/web-payments/browser-payments/
> 
> I think perhaps there needs to be some thought about security.
> Maybe even a security considerations section.

Good point, I added an issue to track this:

https://github.com/web-payments/browser-payments/issues/9

> One thing that springs to mind is.  If I have an email, but do not 
> implement /.well-known/browserid would it be possible for mozilla to 
> impersonate me and send a payment?

The current design of Persona allows the centralized identity service
that they currently run to impersonate anyone on any site that uses a
Persona login. The underlying assumption with Persona today is that the
web trusts Mozilla when it comes to identity.

Even when Persona becomes more decentralized, the underlying system will
still require you to trust your identity/email provider to make claims
about the validity of your e-mail address.

Ultimately, if you are going to have identity on the web, you have to
trust the server running the software. :)

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/
Received on Thursday, 9 May 2013 20:18:14 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:07:23 UTC