Re: P2P Payments

On 12/8/14 1:16 PM, Melvin Carvalho wrote:
>
>
> On 8 December 2014 at 18:56, Kingsley Idehen <kidehen@openlinksw.com 
> <mailto:kidehen@openlinksw.com>> wrote:
>
>     On 12/5/14 9:41 AM, Anders Rundgren wrote:
>
>         On 2014-12-05 15:22, Kingsley Idehen wrote:
>
>             On 12/5/14 8:50 AM, Anders Rundgren wrote:
>
>                 On 2014-12-05 14:29, Kingsley Idehen wrote:
>
>                     On 12/4/14 2:48 AM, Anders Rundgren wrote:
>
>
>                         P2P payments are established in many places in
>                         the world. My guess is
>                         that none of these are based on standard web
>                         technology because this
>                         technology simply isn't up to such tasks; it
>                         will take many years to
>                         get on par with "Apps", if even possible.
>
>                         It is sad but the web is lagging and the lag
>                         is increasing due to the
>                         success of Android and iOS.
>
>                         Anders (on Android)
>
>
>                     What does "Standard Web Technology" mean?
>
>
>                 To simplify the discussion a bit: The web does not
>                 support client-based
>                 cryptographic keys (except through HTTPS CCA which
>                 doesn't not sign
>                 data).
>
>
>             To me you are really saying: there isn't a W3C spec for
>             user-agent-based
>             cryptography.
>
>
>         There is a spec and it is called WebCrypto.  See next section.
>
>
>     I didn't say or imply: "There isn't a spec" . I said: To me you
>     are really saying: there isn't a W3C spec for user-agent based
>     cryptography".
>
>     I think it should be pretty obvious to you that I know about the
>     W3C WebCrypto spec.
>
>
>
>
>                 Well, the web actually *did* support signatures but
>                 the browser-vendors
>                 (and W3C...) sitting in their ivory towers simply
>                 declared browser
>                 plugins
>                 as a bad thing without coming up with any kind of
>                 "replacement scheme".
>
>                 WebCrypto does *not* match up with the browser-plugins.
>
>
>             Why not? You can now store data in storage associated with
>             a browser
>             that's local, since HTML5.
>
>
>         There are two issues which currently are not addressed.
>
>         1. This storage is usually not comparable in robustness to the
>         HW-based solutions. Or to be fully correct this is outside of
>         the WebCrypto spec which is a problem in itself.
>
>
>     Contradictory.
>
>     A spec != technical implementation i.e., you have a spec and then
>     you have technical implementations of said spec.
>
>
>         However, the biggest hurdle is that such data is governed by SOP
>         which of course is fine from a security and privacy point of view
>         but is at odds with payment systems.
>
>
>     SOP?
>
>
> SOP = Same Origin Policy.
>
> Imagine a version of CORS that you cant configure, cant turn off, cant 
> write an extension to get around.
>
> For your own protection, of course :)

Who genuinely needs that in a Web of Trust where verifiable identity is 
intrinsic and policies are driven by logic?

These flaky and inflexible "big brother" hacks eternally undermine the 
Web, especially via browsers (which are clearly now living on borrowed 
time) :)

-- 
Regards,

Kingsley Idehen 
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog 1: http://kidehen.blogspot.com
Personal Weblog 2: http://www.openlinksw.com/blog/~kidehen
Twitter Profile: https://twitter.com/kidehen
Google+ Profile: https://plus.google.com/+KingsleyIdehen/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
Personal WebID: http://kingsley.idehen.net/dataspace/person/kidehen#this