Re: P2P Payments

Anders,

Perhaps you might like project Bitmark that builds (or aims to) on top of
HTTP and REST?

They have a "P2P Network of blockchain-securing nodes, exposing data
publicly via web services" and "Compatible public data consuming clients
and services".

https://github.com/project-bitmark/bitmark/wiki/API-Innovation

-Brent Shambaugh

Website: bshambaugh.org

On Fri, Dec 5, 2014 at 9:26 AM, Anders Rundgren <
anders.rundgren.net@gmail.com> wrote:

> On 2014-12-05 15:48, Melvin Carvalho wrote:
> <snip>
>
>>     There are two issues which currently are not addressed.
>>
>>     1. This storage is usually not comparable in robustness to the
>>     HW-based solutions. Or to be fully correct this is outside of
>>     the WebCrypto spec which is a problem in itself.
>>
>>     However, the biggest hurdle is that such data is governed by SOP
>>     which of course is fine from a security and privacy point of view
>>     but is at odds with payment systems.  Well, the WebPayment CG has
>>     a method for "neutralizing" SOP but I feel uneasy about it since
>>     it appears to be very complex.  Somebody ought to spend a bit more
>>     time on this spec.
>>
>>
>> Are you saying that all key material is governed by same origin policy?
>>
>
> Yes.
>
>> So what's the difference between this and just using localStorage?
>>
>
> The biggest difference is that key pairs are generated inside of the UA
> (or something the UA uses) which means that private keys are never exposed
> to the web-code.  This is great but maybe a little bit less significant
> if the keys anyway only can be used by a single domain.
>
>
>> Sounds like a bit of a train smash, if so, for web payments and the
>> decentralized social web in general.  Are there any ways round it?
>
> Yes, the WebPayment CG has a workaround which I don't understand :-(
> https://web-payments.org/specs/source/web-commerce-api/
>
> This thing ("breaking away from SOP") is currently my only line of work.
> WebCrypto++ is an example.
>
> I'm currently considering a revision that would combine it with SysApps
> since the latter seems to be running out of gas due to Google's exodus but
> I have no idea how this will go.  Touching the web security / privacy
> architecture is not an easy task no matter what perspective you have...
>
> Anders
>
>
>>
>>
>>
>>             Seen from that perspective the web is effectively going *backwards*
>>             while the App-environment is security-wise getting stronger and
>>             stronger, with Apple Pay as a recent example.
>>
>>
>>         Apple Pay treats the device as the user-agent. Apple understands the
>>         importance of the host operating system i.e., that browser based
>>         user-agents != only kind of user agent.
>>
>>         The Web is not about one kind of user agent, far from it, as mobile
>>         platforms continue to demonstrate.
>>
>>
>>     Sure.
>>
>>
>>             In theory the WebCrypto.Next project could address this "deficit"
>>             but I have to date not seen anything that has even the slightest
>>             chance of getting adoption.
>>
>>
>>         There is more than one kind of user-agent that can operate on the World
>>         Wide Web or any other HTTP based network. Web Browsers are overrated, if
>>         you ask me :)
>>
>>
>>     If you take out the browser from the equation life gets much simpler but I
>>     don't want to do that unless I have to.
>>
>>     Anders
>>
>>
>>
>>
>>
>>         Kingsley
>>
>>
>>             Anders
>>
>>
>>                 I do know of the Architecture of the World Wide Web (AWWW)
>>                 which covers the key components for building a Web-like
>>                 abstraction atop the Internet, comprised of:
>>
>>                 1. URIs -- for denotation
>>                 2. HTTP URIs -- for implicit denotation and identification
>>                    (courtesy of implicit Name->Address indirection for URI
>>                    meaning interpretation)
>>                 3. HTML - language and notation combo for describing and
>>                    representing documents
>>                 4. RDF - language for representing entity relations using a
>>                    variety of loosely-coupled notations.
>>
>>                 1-4 are the basis of the Web as we know it.
>>
>>                 #4 in regards to the "RDF" moniker is just a formalization
>>                 (by the W3C) of what was always intrinsic to the Web's
>>                 original design [1][2].
>>
>>                 Being "Standard Web Technology" based (as I understand it) is
>>                 a little different from how you continue to frame this matter.
>>
>>                 Links:
>>
>>                 [1] http://bit.ly/evidence-that-the-world-wide-web-was-based-on-linked-data-from-inception
>>                 [2] http://bit.ly/world-wide-web-25-years-later
>>                 [3] http://www.openlinksw.com/data/turtle/general/GlossaryOfTerms.ttl --
>>                     Glossary of Terms

Received on Friday, 5 December 2014 15:50:07 UTC
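
The point made in the quoted discussion, that WebCrypto key pairs are generated inside the UA so the private key is never exposed to web code, can be seen in the following added example, which is not part of the original thread. The helper name `demoNonExtractableKey` and the sample messages are constructed for illustration; the same-origin binding of stored keys discussed in the thread is a browser storage property and is not shown here.

```javascript
// Added illustration; runs in a browser console or in Node.js.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;

// demoNonExtractableKey is a hypothetical helper name, not from the thread.
async function demoNonExtractableKey() {
  const alg = { name: "ECDSA", hash: "SHA-256" };

  // extractable = false: script only ever holds an opaque handle to the
  // private key; the key bytes stay inside the UA's crypto implementation.
  const pair = await subtle.generateKey(
    { name: "ECDSA", namedCurve: "P-256" }, false, ["sign", "verify"]);

  // Constructed sample messages.
  const enc = new TextEncoder();
  const message = enc.encode("constructed sample: pay 10 units to alice");
  const altered = enc.encode("constructed sample: pay 99 units to alice");

  // The handle can still be used for signing.
  const signature = await subtle.sign(alg, pair.privateKey, message);
  const verified = await subtle.verify(alg, pair.publicKey, signature, message);
  const alteredVerified =
    await subtle.verify(alg, pair.publicKey, signature, altered);

  // Exporting the private key must be refused by the UA.
  let privateExportRejected = false;
  try {
    await subtle.exportKey("pkcs8", pair.privateKey);
  } catch (err) {
    privateExportRejected = true;
  }

  // The public half of a generated pair is always exportable.
  const publicJwk = await subtle.exportKey("jwk", pair.publicKey);

  return {
    privateExtractable: pair.privateKey.extractable,
    publicExtractable: pair.publicKey.extractable,
    verified,
    alteredVerified,
    privateExportRejected,
    publicKty: publicJwk.kty,
  };
}

demoNonExtractableKey().then((result) => console.log(result));
```

This is also the difference from localStorage raised in the thread: a key written to localStorage is a plain string that any script running in the origin can read and send elsewhere, while the handle above can only be used, not copied.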