Re: First draft of Browser Payments 1.0 spec published

On 9 May 2013 22:17, Manu Sporny <msporny@digitalbazaar.com> wrote:

> On 05/07/2013 02:05 PM, Melvin Carvalho wrote:
> > https://github.com/web-payments/browser-payments/
> >
> > I think perhaps there needs to be some thought about security.
> > Maybe even a security considerations section.
>
> Good point, I added an issue to track this:
>
> https://github.com/web-payments/browser-payments/issues/9
>
> > One thing that springs to mind is: if I have an email, but do not
> > implement /.well-known/browserid, would it be possible for Mozilla to
> > impersonate me and send a payment?
>
> The current design of Persona allows the centralized identity service
> that they currently run to impersonate anyone on any site that uses a
> Persona login. The underlying assumption with Persona today is that the
> web trusts Mozilla when it comes to identity.
>

I believe Mozilla was voted the web's most trusted brand recently.  However,
even still, while you may trust someone in the context of using a browser,
you may be less willing to trust them with the keys to your bank account.


>
> Even when Persona becomes more decentralized, the underlying system will
> still require you to trust your identity/email provider to make claims
> about the validity of your e-mail address.
>

As above, email as identity is a great option, but need not be the only
choice.


>
> Ultimately, if you are going to have identity on the web, you have to
> trust the server running the software. :)
>

User choice is good when it comes to financial systems, I think, which is
why I also like PaySwarm's identity solution here.


>
> -- manu
>
> --
> Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
> Founder/CEO - Digital Bazaar, Inc.
> blog: Meritora - Web payments commercial launch
> http://blog.meritora.com/launch/
>
>

Received on Thursday, 9 May 2013 20:33:07 UTC