On 1/8/18 10:17 PM, mcace...@mozilla.com wrote:
> 
> 
>> On Jan 9, 2018, at 4:29 AM, L. David Baron <dba...@dbaron.org> wrote:
>>
>> Please reply to this thread if you think there's something we should
>> say as part of this charter review, or if you think we should
>> support or oppose it.  (Given our involvement, we should almost
>> certainly say something.)
> 
> FYI, I sent feedback before TPAC (all of which was addressed, including
> dropping HTTP Payments, which can be addressed by the Fetch API). I’m
> personally supportive of the current direction and the reduced work items on
> which the group is focused. This includes incrementally supporting the
> whole gamut of payment systems: from credit cards, tokenized payments, to
> cryptocurrencies.
> 
> I’d personally like to see Mozilla continue to support the working group, 
> particularly as we continue to open up (and see continued innovation in) the 
> payments ecosystems over the next 5-10 years.

Overall I agree with Marcos.

There are two aspects of the charter that could use some clarification.

§1.2 states that the WG might develop "an encryption module for one or
more payment methods"; however, WG members do not necessarily have the
expertise to do this work. At the least, it would be helpful to mention
the parties (e.g., Web Cryptography WG or Web Application Security WG)
that will be consulted to ensure the security of any such encryption module.

§1.3 suggests that work might happen around "the relationship of Payment
Request API to EMVCo 3D Secure" (and in fact a 3DS Task Force has been
spun up). My very early impression is that such work might involve
two-factor authentication methods that do not use a standardized
technology such as what's being developed within the Web Authentication
Working Group. If the outcome is that browsers need to support both a
3DS method and a Web Auth method, I would be concerned about duplication
of effort, architectural confusion, and differential security profiles.
I'd prefer it if we could nudge the WG and W3C in the direction of
settling on one method for user identification and authentication.

Peter
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
