- From: Ian Jacobs <ij@w3.org>
- Date: Tue, 19 May 2015 19:03:58 -0500
- To: Melvin Carvalho <melvincarvalho@gmail.com>
- Cc: Manu Sporny <msporny@digitalbazaar.com>, Web Payments IG <public-webpayments-ig@w3.org>, Web Payments CG <public-webpayments@w3.org>
- Message-Id: <365944A2-EF97-45CF-98CC-C2487448063D@w3.org>
> On May 19, 2015, at 3:14 PM, Melvin Carvalho <melvincarvalho@gmail.com> wrote:
>
> On 19 May 2015 at 22:02, Ian Jacobs <ij@w3.org> wrote:
>
> > On May 19, 2015, at 1:17 PM, Manu Sporny <msporny@digitalbazaar.com> wrote:
> >
> > On 05/19/2015 02:02 PM, Adrian Hope-Bailie wrote:
> >> Personally I think some mention of security is necessary but if there
> >> is a consensus that it is not I'll happily drop it.
> >
> > I'm strongly in favor of keeping the statement about security in the
> > vision document.
> >
> > I understand what Melvin is getting at, but I don't think we can get
> > away with saying nothing about security in the vision primarily because
> > most other people won't understand the nuances of decentralized systems
> > scaling security up as their size grows (e.g. Bitcoin).
>
> Although I am satisfied with "Being secure by design” here’s another perspective: security is
> SO important to payments it deserves a bullet in the list that follows. For example, something like:
>
> * Supports a wide spectrum of security needs to meet industry and regulatory expectations.
>   To meet regulatory requirements and give people enough confidence to use the Web for
>   payments, the architecture must support a wide spectrum of security requirements and
>   solutions. This includes the ability to encrypt strongly both sensitive information and the
>   channels used to exchange the information, as well as supporting an evolving variety of
>   authentication techniques (multifactor, biometric, etc.). Trust in the Web of payments
>   is critical to its success.
>
> I like security, and I like all these features.
>
> However at an architectural level there's a continuum between connected and highly connected, and secure and highly secure. There's an inverse correlation between security and connectivity.
>
> So on the web you're going to get security evangelists, and connectivity evangelists. I'm in the latter camp because I think it adds significantly more value. Security evangelists are invited to back up their arguments, which might be quite valid, with value creation metrics.
>
> It seems that security evangelists outnumber connectivity evangelists, tho the web has a habit of turning traditional assumptions on their head.
>
> I can certainly live with the language used, but I do see the danger of packing security into the spec to the extent that it struggles to get traction. It's easy enough to vote stuff and make any of these requirements a *must*.

Hi Melvin,

One of my expectations is that there will be a spectrum of needs and solutions. Allowing a spectrum suggests that we cannot have absolute requirements that would preclude a portion of the spectrum. That might increase traction (but it might also lower interoperability). I think we need to get more experience with, and more input, on how to find a sweet spot.

> I don't have any motives here apart from my personal mission which is maximize value creation. I personally love all these security features on offer, and have great admiration for the work that's been done to facilitate them. So, as an implementer I guess I'm spoilt to be able to hand pick the best parts from the spec, and just wanted to register my thoughts.

Thank you!

Ian

--
Ian Jacobs <ij@w3.org> http://www.w3.org/People/Jacobs
Tel: +1 718 260 9447
Received on Wednesday, 20 May 2015 00:04:06 UTC