Re: P2P Payments

On 2014-12-05 15:48, Melvin Carvalho wrote:
<snip>
>     There are two issues which currently are not addressed.
>
>     1. This storage is usually not comparable in robustness to the
>     HW-based solutions. Or to be fully correct this is outside of
>     the WebCrypto spec which is a problem in itself.
>
>     However, the biggest hurdle is that such data is governed by SOP
>     which of course is fine from a security and privacy point of view
>     but is at odds with payment systems.  Well, the WebPayment CG has
>     a method for "neutralizing" SOP but I feel uneasy about it since
>     it appears to be very complex.  Somebody ought to spend a bit more
>     time on this spec.
>
>
> Are you saying that all key material is governed by same origin policy?

Yes.

> So what's the difference between this and just using localStorage?

The biggest difference is that key pairs are generated inside of the UA
(or something the UA uses), which means that private keys are never exposed
to the web code.  This is great but maybe a little bit less significant
if the keys can anyway only be used by a single domain.


> Sounds like a bit of a train smash, if so, for web payments and the
> decentralized social web in general.  Are there any ways round it?

Yes, the WebPayment CG has a workaround which I don't understand :-(
https://web-payments.org/specs/source/web-commerce-api/

This thing ("breaking away from SOP") is currently my only line of work.
WebCrypto++ is an example.

I'm currently considering a revision that would combine it with SysApps
since the latter seems to be running out of gas due to Google's exodus but
I have no idea how this will go.  Touching the web security / privacy architecture
is not an easy task no matter what perspective you have...

Anders

>
>             Seen from that perspective the web is effectively going *backwards* while
>             the App-environment is security-wise getting stronger and stronger, with
>             Apple Pay as a recent example.
>
>         Apple Pay treats the device as the user-agent. Apple understands the
>         importance of the host operating system i.e., that browser based
>         user-agents != only kind of user agent.
>
>         The Web is not about one kind of user agent, far from it, as mobile
>         platforms continue to demonstrate.
>
>     Sure.
>
>             In theory the WebCrypto.Next project could address this "deficit" but
>             I have
>             to date not seen anything that has even the slightest chance of
>             getting adoption.
>
>         There is more than one kind of user-agent that can operate on the World
>         Wide Web or any other HTTP based network. Web browsers are overrated, if
>         you ask me :)
>
>     If you take out the browser from the equation life gets much simpler but I
>     don't want to do that unless I have to.
>
>     Anders
>
>         Kingsley
>
>             Anders
>
>                 I do know of the Architecture of the World Wide Web (AWWW) which covers
>                 the key components for building a Web-like abstraction atop the
>                 Internet, comprised of:
>
>                 1. URIs -- for denotation
>                 2. HTTP URIs -- for implicit denotation and identification (courtesy of
>                 implicit Name->Address indirection for URI meaning interpretation)
>                 3. HTML - language and notation combo for describing and representing
>                 documents
>                 4. RDF - language for representing entity relations using a variety of
>                 loosely-coupled notations.
>
>                 1-4 are the basis of the Web as we know it.
>
>                 #4 in regards to the "RDF" moniker is just a formalization (by the W3C)
>                 of what was always intrinsic to the Web's original design [1][2].
>
>                 Being "Standard Web Technology" based (as I understand it) is a little
>                 different from how you continue to frame this matter.
>
>                 Links:
>
>                 [1] http://bit.ly/evidence-that-the-world-wide-web-was-based-on-linked-data-from-inception
>                 [2] http://bit.ly/world-wide-web-25-years-later
>                 [3] http://www.openlinksw.com/data/turtle/general/GlossaryOfTerms.ttl --
>                 Glossary of Terms

Received on Friday, 5 December 2014 15:26:32 UTC