- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Mon, 5 Oct 2015 06:24:22 +0200
- To: Web Payments CG <public-webpayments@w3.org>
In Manu's response to me and list regarding Proximity versus Web
https://lists.w3.org/Archives/Public/public-webpayments-ig/2015Oct/0015.html
he mentions EMV tokens.

I haven't found any good definition of such but I found this interesting paper from FirstData:
http://www.firstdata.com/downloads/thought-leadership/EMV-Encrypt-Tokenization-WP.PDF

It outlines multi-pay tokens which could be significant since some major sites like Amazon.com as well as third-party payment providers like PayPal, may need/want a static payment instrument to simplify transactions and dealing with automatic renewals. The latter may become even more important due to the SaaS (software as a service) trend.

Static payment instruments though represent a risk since they are vulnerable to theft. The best protection against theft is making such payment instruments useless for anyone but the original payee.

This seems to be yet another possible use-case for the "Russian-doll" kind of signatures which is the core of WebPKI.org WebPay PoC:
http://xmlns.webpki.org/webpay/v1/webpay-account-2-account-direct-debit-messages.html#p9

Well, a standardization effort would of course have to use JOSE and shroud messages in Base64 but that's not my headache :-)

An obstacle here is that keys tend to expire. One solution to that problem is to use the scheme featured in e-passports which is letting an about-to-be-renewed key sign its replacement and supply the entire list during authorization which makes it possible to verify an old payment instrument. This eliminates the need for having a specific renewal process for stored payment instruments.

Anders
Received on Monday, 5 October 2015 04:24:55 UTC
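
The key-rollover scheme described in the message above, as an added example that is not part of the original post and not WebPKI.org code: each retiring payee key signs its replacement, and the verifier walks that list from the key the stored instrument was bound to before checking the authorization signature. The message layout, the function names, the Ed25519 choice and the sample values are all assumptions made for illustration.

```javascript
// Added illustration; layout and names are assumptions, not the WebPKI.org format.
const crypto = require("node:crypto");

const spki = (key) => key.export({ type: "spki", format: "der" });
const toKey = (der) => crypto.createPublicKey({ key: der, format: "der", type: "spki" });
const newKey = () => crypto.generateKeyPairSync("ed25519");

// The about-to-be-renewed key signs the public key of its replacement.
function rollover(oldPair, newPair) {
  const next = spki(newPair.publicKey);
  return { next, sig: crypto.sign(null, next, oldPair.privateKey) };
}

// Walk the list from the key the instrument was bound to up to the key in
// use today, then check the authorization signature with that final key.
function verifyAuthorization(boundKeyDer, chain, request, requestSig) {
  let current = boundKeyDer;
  for (const link of chain) {
    if (!crypto.verify(null, link.next, toKey(current), link.sig)) return false;
    current = link.next;
  }
  return crypto.verify(null, request, toKey(current), requestSig);
}

// Constructed sample data: three key generations for one payee.
function demo() {
  const [k1, k2, k3] = [newKey(), newKey(), newKey()];
  const instrumentKey = spki(k1.publicKey); // stored with the instrument at issuance
  const chain = [rollover(k1, k2), rollover(k2, k3)];
  const request = Buffer.from(
    JSON.stringify({ instrument: "constructed-0001", amount: "9.99", currency: "USD" })
  );
  const sig = crypto.sign(null, request, k3.privateKey);

  const other = newKey(); // a key that is not part of the payee's chain
  const brokenChain = [rollover(k1, k2), rollover(other, k3)]; // 2nd link not signed by k2
  return {
    valid: verifyAuthorization(instrumentKey, chain, request, sig),
    missingLink: verifyAuthorization(instrumentKey, chain.slice(0, 1), request, sig),
    brokenLink: verifyAuthorization(instrumentKey, brokenChain, request, sig),
    unrelatedKey: verifyAuthorization(
      instrumentKey, [], request, crypto.sign(null, request, other.privateKey)),
  };
}
```

A link signed by an expired key is accepted here by design, so a deployment would still need revocation for keys that were compromised rather than retired.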