W3C home > Mailing lists > Public > public-webpayments@w3.org > May 2015

Re: Final countdown for NPAPI

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Sun, 03 May 2015 14:05:26 +0200
Message-ID: <55460F06.1070104@gmail.com>
To: Jonathan Kingston <jonathan@jooped.com>, Melvin Carvalho <melvincarvalho@gmail.com>
CC: Web Payments CG <public-webpayments@w3.org>
On 2015-05-03 11:17, Jonathan Kingston wrote:
> I'm not really sure how NPAPI helps with implementing something like Apple pay here though?

Well, the primary mission with the original posting was showing that the browser vendors are out of touch with the development community.

NPAPI has indeed nothing to do with Apple Pay since Apple Pay isn't Web-based.  However, if you want to create a Web-based payment system, you should probably use Apple Pay as measuring stick and this requires interfaces that currently are missing.  With the deprecation of NPAPI & friends this suddenly becomes a critical part.


>  From what I understand is WebCrypto WG is mostly stalled by the TLS specification agreeing on the next crypto for TLS.

WebCrypto "v1" is almost ready and functional.  It was the continuation (.Next) with support for security hardware that failed:
https://lists.w3.org/Archives/Public/public-web-security/2015Feb/0034.html


> How is U2F only focusing on "super providers"? There is only one browser implementation that is stable and Yubikey have shown enough demos for anyone to integrate with that.
> Mozilla is implementing the same API which will be the production version.

This is a good question.  U2F is based on SOP (Same Origin Policy) which IMO doesn't scale particularly well since neither the Web nor U2F doesn't support a discovery mechanism.


> I feel as if the web doesn't have a native crypto platform as you suggest however comparing that to apps which are designed for set hardware isn't comparable. MessagePorts could be leveraged with the right vendors to create the same sort of experience as Apple Pay however I suspect most are holding out for U2F support which is coming soon.

I'm rather waiting for a write-up how U2F is supposed to be the virtual credit cards of the future.  I have a feeling that this wasn't really on the "menu"...


> There was a thread from early 2014 which you were on from the WG chairs which seemed to suggest an interest, again I don't really think it was dropped at all just in that up until very recently there as not been much progress with FIDO.
> Besides there are lots of examples of competing specifications, I don't think the W3C is shy about when they get it wrong either.
>
> How do non standardised apps help anything here?

I think the Web2Native Bridge presentation describes this pretty well:
https://cyberphone.github.io/openkeystore/resources/docs/web2native-bridge.pdf#page=5


> As mentioned earlier, the interface is setup to talk to these features already it is mostly getting the interest and standardising the API that is the issue here.

There is no proof whatsoever for such an interest among the browser-vendors which is why I suggest another way forward:
https://lists.w3.org/Archives/Public/www-tag/2015Apr/0053.html

Anders

>
>
>
>     This really depends on what your ambition is and who you are targeting.
>
>     If (for example) you would be targeting the credit-card networks, it is simply put not technically feasible creating anything comparable to Apple Pay for the Web.
>
>     There was some hope that the WebCrypto.Next effort would address this but this activity failed and it appears that everybody nowadays has left the party.
>
>     The browser-vendors (and just about everyone else as well) lead by Google have rather fled to the FIDO Alliance and what's cooking there is hard to say since members have to sign NDAs.  Based on their initial deliverable, U2F, it seems that they are focusing on the needs of "SuperProviders", something which I believe is the opposite to what the world in general wants.
>
>     The W3C staff seem unable dealing with the fact that they lost to FIDO although there's an obvious way to regain the interest: Create technology for a distributed Web which effectively competes with FIDO.  OTOH, this would create considerable tension so I guess it won't happen in the W3C either.
>
>      From what I can see in the market and also have received privately as actual feedback, the world outside the (somewhat elitist and academic) W3C has no problems with "Apps".
>
>     Anders
>     https://lists.w3.org/Archives/Public/www-tag/2015Apr/0053.html
>
>>
>>         Anders
>>
>>
>
Received on Sunday, 3 May 2015 12:05:59 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:07:40 UTC