Trusted UIs. Was: proposed navigator.mozPay() changes from Anders Rundgren on 2013-09-16 (public-webpayments@w3.org from September 2013)

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Mon, 16 Sep 2013 21:47:39 +0200
To: public-webpayments@w3.org
Message-ID: <5237605B.1080902@gmail.com>

Hi,
This feature have been discussed for ages. I heard about more than 15 years ago!

I believe this is not useful (unless you go to extremes such as dedicated PIN and signature terminals), because it will only really work for security-conscious people but they only represent _a_fraction_ of the user-base.

Is then all doom and gloom? No, the root of the problem is that (particularly in the US...) passwords and credit-card numbers is the norm and these are highly susceptible to various kinds of spoofing attacks.

One of the problems is articulated like this: If the user is tricked by logging in to "paypal.com.wondersite.com" this [presumably bad] site may get direct access to the user's payment credentials.
This is not the case if the credentials are only usable in an _indirect_ way such as PKI.

What does this have to do with trusted UIs you may [rightfully] wonder?
Not much, it is in the merchant end you have this problem because even if you have PKI you don't want evil merchants to withdraw money from your accounts. The (IMO) best way to do that is through limiting access to your payment credentials so that it can only be used by trusted software.

The problem with trusted software is that it is either built-in or have to be installed and then automagically be trusted by the user.
How can an average user have any opinion about what constitutes trusted software???
IMO, they will _never_ be able to do that.

Built-in trusted software is fine but put big constraints on the functionality and also suffer from serious standardization issues.

The solution which I'm advocating is that each payment network creates their own software but instead of letting the user decide if it is trustworthy or not, let the payment network's credentials declare which software is trusts. This is BTW an almost exact copy of how current physical payment systems work.

http://webpki.org/papers/PKI/pki-webcrypto.pdf

This may not be (surely is not...) the perfect solution but I think it is workable.

Disregarding implementation issues,
What are the concrete alternatives including pros and cons?

Cheers,
Anders

Received on Monday, 16 September 2013 19:48:10 UTC