- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Mon, 07 Oct 2013 22:31:14 +0200
- To: Alex Sexton <alex@stripe.com>
- CC: Web Payments CG <public-webpayments@w3.org>, Kingsley Idehen <kidehen@openlinksw.com>
On 2013-10-07 19:59, Alex Sexton wrote: > > > > On Mon, Oct 7, 2013 at 12:43 PM, Anders Rundgren <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> wrote: > > Kingsley Idehen <kidehen@openlinksw.com <mailto:kidehen@openlinksw.com>> wrote: > > On 10/6/13 4:02 PM, Anders Rundgren wrote: > > > Exactly. > > > > > > And browser's were not designed for performing secure transactions either. > > > > > > That is, there is no foundation for payment standards in this space > > > unless you have some 10 years or so to spend. > > > > Browsers are poor tools for any kind of secure interaction with > > protected data. Even when they implement PKI, they ultimately get the > > UX/UI wrong. That said, and this is really important to understand, they > > are but one type of HTTP user agent. As the mobile space demonstrates, a > > Web Browser doesn't have totally own how end-users interact with HTTP > > accessible resources. > > > > Thus, we don't need to wait 10 years to fix this problem. The standards > > being discussed and shaped on this list will go a long way towards > > fixing this problem i.e., decoupling the solution from a specific type > > of HTTP user agent :-) > > Apparently yes because the banks in Sweden are now rewriting their > PKI-client for n:th time, this time ignoring the browser altogether. > Since Mozilla's <keygen> was created 1995/6, improvements in > this space takes even more than 10 years to accomplish :-( > > > I don't think we can consider the time since the keygen tag as the time it takes to get features on the web. Unfortunately keygen remains stuck in its 1995 form. In fact, certificate enrollment appears to be an "undiscussable" topic. WebCrypto does (in its current incarnation) NOT address payments. Anders > We've had a *huge* uptick in standardization, and an even bigger uptick of evergreen (or quick release) browsers to get these APIs in front of people within months of inception. This is vastly different than the way things used to work. It hasn't been 10+ constant years of effort. We've only recently set out to solve many of these problems. > > We now have a much brighter future with things like the Web Crypto API ( http://www.w3.org/TR/WebCryptoAPI/ ) -- which came out of the Crypto proposal to the WHATWG back in Feb 2011. So we're coming up on only 2 years here. It's already in (prefixed) all major desktop browsers, and the most popular mobile browsers. > > All that to say is that with the right buy-in, the right fallbacks, and the right standards, we don't have to wait 10+ years to make a significant change. HTML5 and CSS3 aren't but a few years old themselves and have seen massive adoption. > > > > Anders > > > > Alex
Received on Monday, 7 October 2013 20:31:46 UTC