Hi All,
Since I'm probably the origin of this thread, I owe you all an explanation.

A problem, as I see it, is that considerations regarding the viability of a certain
quest for a new standard apparently are considered as "inappropriate".

If you look very closely, the fundamental model used in the Gemalto and Microsoft proposals
was in fact already rejected a couple of years ago when launched by a Korean group. I.e.
they build on the user granting exceptions from the Same Origin Policy.  If this analysis
is wrong, then the whole debate and arguments presented by Google and Facebook were missing
the point. I (of course) assumed that the analysis was correct, but worded it in a way
which violates W3C's rules of conduct.  I apologize for that.

A generic issue in standardization contexts is the gap between practitioners and standardizers
which IMO may require more efforts from both sides.  FWIW I tried outlining payments using
the mentioned proposals and found a _major_disconnect_.  Since the standardizing side haven't
bothered with such experiments, there is a risk that this indeed is infeasible which raises
questions regarding the scope of this work.

BTW, regarding my own suggestions I'm not "selling" anything, I'm just slightly obsessed
(no other word applies according to my wife), with researching a topic from _different_
perspectives including building fairly advanced proof-of-concept systems.  After a series
of PoCs in which insurmountable deployment or privacy issues were identified, I have come
to the conclusion that a "Polished and Standardized" version of
http://blog.chromium.org/2013/10/connecting-chrome-apps-and-extensions.html
_maybe_ could support not only the applications talked about in the Mountain View WebCrypto.Next F2F,
but also play an instrumental role in future web payment systems.

Since I (using W3C terms) am a practitioner, the ball obviously is in W3C's court.

Sincerely,
Anders Rundgren




