- From: Brent Shambaugh <brent.shambaugh@gmail.com>
- Date: Fri, 5 Dec 2014 09:49:32 -0600
- To: Web Payments <public-webpayments@w3.org>
- Message-ID: <CACvcBVpDsBEVLxqqV6p4hdcS+oD=8d_OyaB7RkS-AFpN-O83jA@mail.gmail.com>
Anders,

Perhaps you might like project Bitmark that builds (or aims to) on top of
HTTP and REST? They have a "P2P Network of blockchain-securing nodes,
exposing data publicly via web services" and "Compatible public data
consuming clients and services".

https://github.com/project-bitmark/bitmark/wiki/API-Innovation

-Brent Shambaugh

Website: bshambaugh.org

On Fri, Dec 5, 2014 at 9:26 AM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:

> On 2014-12-05 15:48, Melvin Carvalho wrote:
> <snip>
>
>> There are two issues which currently are not addressed.
>>
>> 1. This storage is usually not comparable in robustness to the
>> HW-based solutions. Or to be fully correct this is outside of
>> the WebCrypto spec which is a problem in itself.
>>
>> However, the biggest hurdle is that such data is governed by SOP
>> which of course is fine from a security and privacy point of view
>> but is at odds with payment systems. Well, the WebPayment CG has
>> a method for "neutralizing" SOP but I feel uneasy about it since
>> it appears to be very complex. Somebody ought to spend a bit more
>> time on this spec.
>>
>>
>> Are you saying that all key material is governed by same origin policy?
>>
>
> Yes.
>
>> So what's the difference between this and just using localStorage?
>>
>
> The biggest difference is that key-pairs are generated inside of the UA
> (or something the UA uses) which means that private keys are never exposed
> to the web-code. This is great but maybe a little bit less significant
> if the keys anyway only can be used by a single domain.
>
>
>> Sounds like a bit of a train smash, if so, for web payments and the
>> decentralized social web in general. Are there any ways round it?
>>
>
> Yes, the WebPayment CG has a workaround which I don't understand :-(
> https://web-payments.org/specs/source/web-commerce-api/
>
> This thing ("breaking away from SOP") is currently my only line of work.
> WebCrypto++ is an example.
>
> I'm currently considering a revision that would combine it with SysApps
> since the latter seems to be running out of gas due to Google's exodus but
> I have no idea how this will go. Touching the web security / privacy
> architecture is not an easy task no matter what perspective you have...
>
> Anders
>
>
>> Seen from that perspective the web is effectively going *backwards* while
>> the App-environment is security-wise getting stronger and stronger, with
>> Apple Pay as a recent example.
>>
>>
>> Apple Pay treats the device as the user-agent. Apple understands the
>> importance of the host operating system i.e., that browser based
>> user-agents != only kind of user agent.
>>
>> The Web is not about one kind of user agent, far from it, as mobile
>> platforms continue to demonstrate.
>>
>>
>> Sure.
>>
>>
>> In theory the WebCrypto.Next project could address this "deficit" but
>> I have to date not seen anything that has even the slightest chance of
>> getting adoption.
>>
>>
>> There is more than one kind of user-agent that can operate on the World
>> Wide Web or any other HTTP based network. Web Browsers are overrated, if
>> you ask me :)
>>
>>
>> If you take out the browser from the equation life gets much simpler but I
>> don't want to do that unless I have to.
>>
>> Anders
>>
>>
>> Kingsley
>>
>>
>> Anders
>>
>>
>> I do know of the Architecture of the World Wide Web (AWWW) which covers
>> the key components for building a Web-like abstraction atop the
>> Internet, comprised of:
>>
>> 1. URIs -- for denotation
>> 2. HTTP URIs -- for implicit denotation and identification (courtesy of
>> implicit Name->Address indirection for URI meaning interpretation)
>> 3. HTML - language and notation combo for describing and representing
>> documents
>> 4. RDF - language for representing entity relations using a variety of
>> loosely-coupled notations.
>>
>> 1-4 are the basis of the Web as we know it.
>>
>> #4 in regards to the "RDF" moniker is just a formalization (by the W3C)
>> of what was always intrinsic to the Web's original design [1][2].
>>
>> Being "Standard Web Technology" based (as I understand it) is a little
>> different from how you continue to frame this matter.
>>
>> Links:
>>
>> [1] http://bit.ly/evidence-that-the-world-wide-web-was-based-on-linked-data-from-inception
>> [2] http://bit.ly/world-wide-web-25-years-later
>> [3] http://www.openlinksw.com/data/turtle/general/GlossaryOfTerms.ttl -- Glossary of Terms
Received on Friday, 5 December 2014 15:50:07 UTC