- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Fri, 06 Mar 2015 14:30:18 +0100
- To: "public-webpayments-comments@w3.org" <public-webpayments-comments@w3.org>, Web Payments CG <public-webpayments@w3.org>

Provisioning of Payment Credentials is a major issue for local wallets. This topic is hardly mentioned in the charter.

It is actually a complex and politically troubled area. The methods used by Apple for bootstrapping Apple Pay wallets wouldn't be accepted in the EU for any other party than Apple. Recent fraud reports seem to support my claim that bootstrapping secure credentials using unsecure dittos isn't the future.

PayPal's solution ("bank-roundtrip") seems better but is anything but convenient.

In the EU the banks [mostly] already have strong authentication so they already handle secure on-line provisioning.

Related stuff from the IG charter:

"Minimize risk in identifying users by building on top of the Web Cryptography API implemented by all major browsers,

OK. Continued...

including hardware tokens, smartcards, biometrics, mobile, two-factor authentication, Secure Elements, SIM or UICC, etc. Explore possible mechanisms for Trusted UI"

The features do not exist and are currently unchartered as well. WebCrypto's reliance on SOP makes it awkward for payments, which usually don't have an origin as a natural boundary.

Anders

Received on Friday, 6 March 2015 13:31:09 UTC