- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Tue, 01 Apr 2014 16:29:49 -0400
- To: public-webpayments@w3.org
On 03/31/2014 04:19 AM, Anders Rundgren wrote: > Since trusted payment UIs were mentioned by several of the speakers, > it may be worth repeating that although not acknowledged by the W3C, > there is actually a fairly complete trusted web UI proposal designed > with payments in mind: > > http://webpki.org/papers/PKI/pki-webcrypto.pdf#page=2 Hey Anders, I read through your proposal. We've seen a few like it before and I do think a number of the core concepts are valid. For example, assigning a virtual domain (or just a domain per key type / use) and then using postMessage() to do digital signatures into other sites makes sense. You need to define a protocol for doing that, which is sort of what the Identity Credentials spec does (as does the key registration in the Secure Messaging spec). I'm not saying those are the same thing as what you're doing in the spec you refer to above, but they're in the same area and it would be good to just come up with a fairly standard protocol for doing that on the Web (registering a resource w/ a site, and then instructing the site to do something w/ that resource). For example, register a public key with a site (A) and then use the private key associated w/ the public key to digitally sign a piece of information on another site (B) and then deliver that signed information to another site (C). There is a bit too much hand-waving when it comes to "signed Javascript" in the paper. How do you expect to deliver signed Javascript to the browser? What validates the signature and how do you know that piece of software hasn't been compromised? (We have answers to these questions, btw, but I just wanted to get your opinion first). -- manu -- Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny) Founder/CEO - Digital Bazaar, Inc. blog: The Worlds First Web Payments Workshop http://www.w3.org/2013/10/payments/
Received on Tuesday, 1 April 2014 20:30:11 UTC