On 2/2/18 1:25 AM, L. David Baron wrote:
> On Thursday 2018-01-18 19:05 -0700, Peter Saint-Andre wrote:
>> On 1/8/18 10:17 PM, mcace...@mozilla.com wrote:
>>>
>>>> On Jan 9, 2018, at 4:29 AM, L. David Baron <dba...@dbaron.org> wrote:
>>>>
>>>> Please reply to this thread if you think there's something we should
>>>> say as part of this charter review, or if you think we should
>>>> support or oppose it. (Given our involvement, we should almost
>>>> certainly say something.)
>>>
>>> Fyi, I sent feedback before TPAC (all of which was addressed, including
>>> dropping HTTP Payments, which can be addressed by the Fetch API). I'm
>>> personally supportive of the current direction and the reduced work items
>>> on which the group is focused. This includes incrementally supporting the
>>> whole gamut of payment systems: from credit cards, tokenized payments, to
>>> crypto currencies.
>>>
>>> I'd personally like to see Mozilla continue to support the working group,
>>> particularly as we continue to open up (and see continued innovation in)
>>> the payments ecosystems over the next 5-10 years.
>>
>> Overall I agree with Marcos.
>>
>> There are two aspects of the charter that could use some clarification.
>>
>> §1.2 states that the WG might develop "an encryption module for one or
>> more payment methods"; however, WG members do not necessarily have the
>> expertise to do this work. At the least, it would be helpful to mention
>> the parties (e.g., Web Cryptography WG or Web Application Security WG)
>> that will be consulted to ensure the security of any such encryption module.
>>
>> §1.3 suggests that work might happen around "the relationship of Payment
>> Request API to EMVCo 3D Secure" (and in fact a 3DS Task Force has been
>> spun up). My very early impression is that such work might involve
>> two-factor authentication methods that do not use a standardized
>> technology such as what's being developed within the Web Authentication
>> Working Group. If the outcome is that browsers need to support both a
>> 3DS method and a Web Auth method, I would be concerned about duplication
>> of effort, architectural confusion, and differential security profiles.
>> I'd prefer it if we could nudge the WG and W3C in the direction of
>> settling on one method for user identification and authentication.
>
> So how does the following response to the charter sound:
>
> (X) suggests changes to this Charter, but supports the proposal
> whether or not the changes are adopted (your details below).
>
> Comments (which are just a slightly reworded version of Peter's
> above):
>
> §1.2 states that the WG might develop "an encryption module for one or
> more payment methods"; however, WG members do not necessarily have the
> expertise to do this work. At the least, it would be helpful to mention
> the parties (e.g., Web Cryptography WG or Web Application Security WG)
> that will be consulted to ensure the security of any such encryption module.
>
> §1.3 suggests that work might happen around "the relationship of Payment
> Request API to EMVCo 3D Secure" (and in fact a 3DS Task Force has been
> spun up). Our very early impression is that such work might involve
> two-factor authentication methods that do not use a standardized
> technology such as what's being developed within the Web Authentication
> Working Group. If the outcome is that browsers need to support both a
> 3DS method and a Web Auth method, we would be concerned about duplication
> of effort, architectural confusion, and differential security profiles.
> We'd prefer that these W3C working groups move in the direction of
> settling on one method for user identification and authentication.
>
> Or do you think one or both of these comments should constitute a
> formal objection?
What you have seems fine (modulo s/Web Auth/Web Authentication/).

The first comment is just housekeeping, whereas the second comment is substantive and concerning. Phrasing it as a formal objection might result in greater attention to the seemingly significant overlap.

I'd be curious what other folks here think (Marcos, Tantek, Anne, etc.).

Peter
_______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform