Re: Proposed W3C Charter: Web Payments Working Group
On Wednesday, December 4, 2019 at 1:58:54 AM UTC+11, L. David Baron wrote:
> Please reply to this thread if you think there's something we should
> say as part of this charter review, or if you think we should
> support or oppose it.

Feedback I sent a little while back:
https://lists.w3.org/Archives/Public/public-payments-wg/2019Nov/.html

My proposed changes were accepted in the charter.

FWIW, I'm personally happy with the charter and the scope. I'd like for Mozilla to continue to support this WG.

___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
Proposed W3C Charter: Web Payments Working Group
The W3C is proposing a revised charter for:

  Web Payments Working Group
  https://www.w3.org/Payments/WG/charter-201910.html
  https://lists.w3.org/Archives/Public/public-new-work/2019Nov/0003.html

The differences from the previous charter are:
  https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2FPayments%2FWG%2Fcharter-201803.html&doc2=https%3A%2F%2Fwww.w3.org%2FPayments%2FWG%2Fcharter-201910.html

Mozilla has the opportunity to send comments or objections through Friday, December 13.

Please reply to this thread if you think there's something we should say as part of this charter review, or if you think we should support or oppose it.

(My one note so far is that the charter should link to the previous charter; it currently only links to the charter before that.)

-David

--
L. David Baron    http://dbaron.org/
Mozilla    https://www.mozilla.org/
Before I built a wall I'd ask to know
What I was walling in or walling out,
And to whom I was like to give offense.
  - Robert Frost, Mending Wall (1914)
Re: Proposed W3C Charter: Web Payments Working Group
Based on the discussion in this thread, I've submitted the comments with the suggested revisions as a formal objection:
https://lists.w3.org/Archives/Public/public-new-work/2018Feb/0002.html

-David
Re: Proposed W3C Charter: Web Payments Working Group
On Fri, Feb 2, 2018 at 11:40 AM, Peter Saint-Andre wrote:
> On 2/2/18 11:57 AM, Anne van Kesteren wrote:
>> On Fri, Feb 2, 2018 at 7:49 PM, Peter Saint-Andre
>> wrote:
>>> What you have seems fine (modulo s/Web Auth/Web Authentication/). The
>>> first comment is just housekeeping, whereas the second comment is
>>> substantive and concerning. Phrasing it as a formal objection might
>>> result in greater attention to the seemingly significant overlap. I'd be
>>> curious what other folks here think (Marcos, Tantek, Anne, etc.).
>>
>> I'd lean towards objecting as otherwise you might get a group of
>> people with lots of different objectives and nobody really getting
>> what they want.
>
> That's where we're heading at the moment.

Given that "Payments" has some history with that in the early days (different groups trying to pull things in different directions), I think that's a real threat that needs addressing up front.

>> (Both 1.2 and 1.3 are pretty concerning, and 1.2
>> sounds like the thing that made the Web Crypto effort somewhat
>> dysfunctional.)
>
> Agreed.

Also agreed (that we should make this an FO right?).

Thanks for your analysis on this Peter. That's exactly the kind of precise feedback we need to give to help present a good case for an objection (and the changes to address it).

Thanks,
Tantek
Re: Proposed W3C Charter: Web Payments Working Group
On 2/2/18 11:57 AM, Anne van Kesteren wrote:
> On Fri, Feb 2, 2018 at 7:49 PM, Peter Saint-Andre wrote:
>> What you have seems fine (modulo s/Web Auth/Web Authentication/). The
>> first comment is just housekeeping, whereas the second comment is
>> substantive and concerning. Phrasing it as a formal objection might
>> result in greater attention to the seemingly significant overlap. I'd be
>> curious what other folks here think (Marcos, Tantek, Anne, etc.).
>
> I'd lean towards objecting as otherwise you might get a group of
> people with lots of different objectives and nobody really getting
> what they want.

That's where we're heading at the moment.

> (Both 1.2 and 1.3 are pretty concerning, and 1.2
> sounds like the thing that made the Web Crypto effort somewhat
> dysfunctional.)

Agreed.

Peter
Re: Proposed W3C Charter: Web Payments Working Group
On Fri, Feb 2, 2018 at 7:49 PM, Peter Saint-Andre wrote:
> What you have seems fine (modulo s/Web Auth/Web Authentication/). The
> first comment is just housekeeping, whereas the second comment is
> substantive and concerning. Phrasing it as a formal objection might
> result in greater attention to the seemingly significant overlap. I'd be
> curious what other folks here think (Marcos, Tantek, Anne, etc.).

I'd lean towards objecting as otherwise you might get a group of people with lots of different objectives and nobody really getting what they want. (Both 1.2 and 1.3 are pretty concerning, and 1.2 sounds like the thing that made the Web Crypto effort somewhat dysfunctional.)

--
https://annevankesteren.nl/
Re: Proposed W3C Charter: Web Payments Working Group
On 2/2/18 1:25 AM, L. David Baron wrote:
> On Thursday 2018-01-18 19:05 -0700, Peter Saint-Andre wrote:
>> On 1/8/18 10:17 PM, mcace...@mozilla.com wrote:
>>>
>>> On Jan 9, 2018, at 4:29 AM, L. David Baron wrote:
>>>> Please reply to this thread if you think there's something we should
>>>> say as part of this charter review, or if you think we should
>>>> support or oppose it. (Given our involvement, we should almost
>>>> certainly say something.)
>>>
>>> Fyi, I sent feedback before TPAC (all of which was addressed, including
>>> dropping HTTP Payments, which can be addressed by the Fetch API). I'm
>>> personally supportive of current direction and the reduced work items on
>>> which the group is focused on. This includes incrementally supporting the
>>> whole gamut of payment systems: from credit cards, tokenized payments, to
>>> crypto currencies.
>>>
>>> I'd personally like to see Mozilla continue to support the working group,
>>> particularly as we continue to open up (and see continued innovation in)
>>> the payments ecosystems over the next 5-10 years.
>>
>> Overall I agree with Marcos.
>>
>> There are two aspects of the charter that could use some clarification.
>>
>> §1.2 states that the WG might develop "an encryption module for one or
>> more payment methods"; however, WG members do not necessarily have the
>> expertise to do this work. At the least, it would be helpful to mention
>> the parties (e.g., Web Cryptography WG or Web Application Security WG)
>> that will be consulted to ensure the security of any such encryption module.
>>
>> §1.3 suggests that work might happen around "the relationship of Payment
>> Request API to EMVCo 3D Secure" (and in fact a 3DS Task Force has been
>> spun up). My very early impression is that such work might involve
>> two-factor authentication methods that do not use a standardized
>> technology such as what's being developed within the Web Authentication
>> Working Group. If the outcome is that browsers need to support both a
>> 3DS method and a Web Auth method, I would be concerned about duplication
>> of effort, architectural confusion, and differential security profiles.
>> I'd prefer it if we could nudge the WG and W3C in the direction of
>> settling on one method for user identification and authentication.
>
> So how does the following response to the charter sound:
>
> (X) suggests changes to this Charter, but supports the proposal
> whether or not the changes are adopted (your details below).
>
> Comments (which are just a slightly reworded version of Peter's
> above):
>
> §1.2 states that the WG might develop "an encryption module for one or
> more payment methods"; however, WG members do not necessarily have the
> expertise to do this work. At the least, it would be helpful to mention
> the parties (e.g., Web Cryptography WG or Web Application Security WG)
> that will be consulted to ensure the security of any such encryption module.
>
> §1.3 suggests that work might happen around "the relationship of Payment
> Request API to EMVCo 3D Secure" (and in fact a 3DS Task Force has been
> spun up). Our very early impression is that such work might involve
> two-factor authentication methods that do not use a standardized
> technology such as what's being developed within the Web Authentication
> Working Group. If the outcome is that browsers need to support both a
> 3DS method and a Web Auth method, we would be concerned about duplication
> of effort, architectural confusion, and differential security profiles.
> We'd prefer that these W3C working groups move in the direction of
> settling on one method for user identification and authentication.
>
> Or do you think one or both of these comments should constitute a
> formal objection?

What you have seems fine (modulo s/Web Auth/Web Authentication/). The first comment is just housekeeping, whereas the second comment is substantive and concerning. Phrasing it as a formal objection might result in greater attention to the seemingly significant overlap. I'd be curious what other folks here think (Marcos, Tantek, Anne, etc.).

Peter
Re: Proposed W3C Charter: Web Payments Working Group
On Thursday 2018-01-18 19:05 -0700, Peter Saint-Andre wrote:
> On 1/8/18 10:17 PM, mcace...@mozilla.com wrote:
> >
> >> On Jan 9, 2018, at 4:29 AM, L. David Baron wrote:
> >>
> >> Please reply to this thread if you think there's something we should
> >> say as part of this charter review, or if you think we should
> >> support or oppose it. (Given our involvement, we should almost
> >> certainly say something.)
> >
> > Fyi, I sent feedback before TPAC (all of which was addressed, including
> > dropping HTTP Payments, which can be addressed by the Fetch API). I'm
> > personally supportive of current direction and the reduced work items on
> > which the group is focused on. This includes incrementally supporting the
> > whole gamut of payment systems: from credit cards, tokenized payments, to
> > crypto currencies.
> >
> > I'd personally like to see Mozilla continue to support the working group,
> > particularly as we continue to open up (and see continued innovation in)
> > the payments ecosystems over the next 5-10 years.
>
> Overall I agree with Marcos.
>
> There are two aspects of the charter that could use some clarification.
>
> §1.2 states that the WG might develop "an encryption module for one or
> more payment methods"; however, WG members do not necessarily have the
> expertise to do this work. At the least, it would be helpful to mention
> the parties (e.g., Web Cryptography WG or Web Application Security WG)
> that will be consulted to ensure the security of any such encryption module.
>
> §1.3 suggests that work might happen around "the relationship of Payment
> Request API to EMVCo 3D Secure" (and in fact a 3DS Task Force has been
> spun up). My very early impression is that such work might involve
> two-factor authentication methods that do not use a standardized
> technology such as what's being developed within the Web Authentication
> Working Group. If the outcome is that browsers need to support both a
> 3DS method and a Web Auth method, I would be concerned about duplication
> of effort, architectural confusion, and differential security profiles.
> I'd prefer it if we could nudge the WG and W3C in the direction of
> settling on one method for user identification and authentication.

So how does the following response to the charter sound:

(X) suggests changes to this Charter, but supports the proposal whether or not the changes are adopted (your details below).

Comments (which are just a slightly reworded version of Peter's above):

§1.2 states that the WG might develop "an encryption module for one or more payment methods"; however, WG members do not necessarily have the expertise to do this work. At the least, it would be helpful to mention the parties (e.g., Web Cryptography WG or Web Application Security WG) that will be consulted to ensure the security of any such encryption module.

§1.3 suggests that work might happen around "the relationship of Payment Request API to EMVCo 3D Secure" (and in fact a 3DS Task Force has been spun up). Our very early impression is that such work might involve two-factor authentication methods that do not use a standardized technology such as what's being developed within the Web Authentication Working Group. If the outcome is that browsers need to support both a 3DS method and a Web Auth method, we would be concerned about duplication of effort, architectural confusion, and differential security profiles. We'd prefer that these W3C working groups move in the direction of settling on one method for user identification and authentication.

Or do you think one or both of these comments should constitute a formal objection?

-David
Re: Proposed W3C Charter: Web Payments Working Group
On 1/8/18 10:17 PM, mcace...@mozilla.com wrote:
>
>> On Jan 9, 2018, at 4:29 AM, L. David Baron wrote:
>>
>> Please reply to this thread if you think there's something we should
>> say as part of this charter review, or if you think we should
>> support or oppose it. (Given our involvement, we should almost
>> certainly say something.)
>
> Fyi, I sent feedback before TPAC (all of which was addressed, including
> dropping HTTP Payments, which can be addressed by the Fetch API). I'm
> personally supportive of current direction and the reduced work items on
> which the group is focused on. This includes incrementally supporting the
> whole gamut of payment systems: from credit cards, tokenized payments, to
> crypto currencies.
>
> I'd personally like to see Mozilla continue to support the working group,
> particularly as we continue to open up (and see continued innovation in) the
> payments ecosystems over the next 5-10 years.

Overall I agree with Marcos.

There are two aspects of the charter that could use some clarification.

§1.2 states that the WG might develop "an encryption module for one or more payment methods"; however, WG members do not necessarily have the expertise to do this work. At the least, it would be helpful to mention the parties (e.g., Web Cryptography WG or Web Application Security WG) that will be consulted to ensure the security of any such encryption module.

§1.3 suggests that work might happen around "the relationship of Payment Request API to EMVCo 3D Secure" (and in fact a 3DS Task Force has been spun up). My very early impression is that such work might involve two-factor authentication methods that do not use a standardized technology such as what's being developed within the Web Authentication Working Group. If the outcome is that browsers need to support both a 3DS method and a Web Auth method, I would be concerned about duplication of effort, architectural confusion, and differential security profiles. I'd prefer it if we could nudge the WG and W3C in the direction of settling on one method for user identification and authentication.

Peter
Re: Proposed W3C Charter: Web Payments Working Group
> On Jan 9, 2018, at 4:29 AM, L. David Baron wrote:
>
> Please reply to this thread if you think there's something we should
> say as part of this charter review, or if you think we should
> support or oppose it. (Given our involvement, we should almost
> certainly say something.)

Fyi, I sent feedback before TPAC (all of which was addressed, including dropping HTTP Payments, which can be addressed by the Fetch API). I'm personally supportive of current direction and the reduced work items on which the group is focused on. This includes incrementally supporting the whole gamut of payment systems: from credit cards, tokenized payments, to crypto currencies.

I'd personally like to see Mozilla continue to support the working group, particularly as we continue to open up (and see continued innovation in) the payments ecosystems over the next 5-10 years.

Kind regards,
Marcos
Proposed W3C Charter: Web Payments Working Group
The W3C is proposing a revised charter for:

  Web Payments Working Group
  https://w3c.github.io/webpayments/proposals/charter-2017
  https://lists.w3.org/Archives/Public/public-new-work/2018Jan/0002.html

Mozilla has the opportunity to send comments or objections through Monday, February 5.

A diff relative to the current charter is:
  https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2FPayments%2FWG%2Fcharter-201510.html&doc2=https%3A%2F%2Fw3c.github.io%2Fwebpayments%2Fproposals%2Fcharter-2017

The participants in the working group are:
  https://www.w3.org/2000/09/dbwg/details?group=83744&public=1&order=org

Please reply to this thread if you think there's something we should say as part of this charter review, or if you think we should support or oppose it. (Given our involvement, we should almost certainly say something.)

-David
Re: Proposed W3C Charter: Web Payments Working Group
On Monday 2015-08-10 07:37 +0200, Anne van Kesteren wrote:
> On Sun, Aug 9, 2015 at 9:01 PM, L. David Baron wrote:
> > I've been somewhat involved in the discussion that led to this
> > charter, which occurred on the list
> > https://lists.w3.org/Archives/Public/public-webpayments-ig/ . See
> > also my blog posts at http://dbaron.org/log/20150731-payments and
> > http://dbaron.org/log/20150803-ecosystems on the topic.
> >
> > Please reply to this thread if you think there's something we should
> > say as part of this charter review.
>
> Can we change the charter such that it explicitly addresses the risks
> you mention in your post? E.g., by disallowing such a solution?

For what it's worth, I've drafted the following comments on http://www.w3.org/2015/06/payments-wg-charter.html , although I'm still unsure if they're concrete enough. (I don't really feel like I have the expertise to make them more concrete.)

-David

I'd like to ensure that it's possible to build a Web browser that can make payments using the deliverables of the working group, as they are actually deployed, without also building a payment processing system (e.g., building the relationships with banks, etc., that have been necessary for Apple to build Apple Pay) or having a business partnership with somebody who has done that. Doing this seems possible technically, but it requires participation from banks or payment systems in order to register payment instruments (and run whatever systems are required by that registration).

I don't think the deliverables and scope described in the current charter are precise enough to tell whether that's the case. I regret not previously pushing back harder against the charter being unclear and using terms (like "digital wallet") that abstract away what is actually happening.

I think both the scope of the charter and the deliverables need to be clear about what the working group is actually being chartered to build. Who are the parties involved in the Web payments ecosystem, which of the group's deliverables apply to each party, and are all of those parties actually willing to make this happen in the way that the charter describes?

In slightly more detail:

I think the Scope section of the current charter draft could be interpreted in different ways. It's not clear which communications between parties in the payment process are part of the standardized message flow, and which are part of the proprietary "delivery mechanism". Nor is it clear which common delivery mechanisms will be standardized. The use of the concept of "digital wallet" doesn't seem to add anything, since it is described only as a container for payment instruments, of which a user may have more than one. The partitioning of payment instruments into digital wallets is completely undefined, as is the relationship of digital wallets to any implementation concept.

The deliverables section doesn't really say what is being delivered. The first three bullets are goals, the middle three bullets are messages between unspecified parties (in which the term "digital wallet service" appears out of nowhere, undefined), and the last three bullets are use cases.
Re: Proposed W3C Charter: Web Payments Working Group
On Sun, Aug 9, 2015 at 9:01 PM, L. David Baron wrote:
> I've been somewhat involved in the discussion that led to this
> charter, which occurred on the list
> https://lists.w3.org/Archives/Public/public-webpayments-ig/ . See
> also my blog posts at http://dbaron.org/log/20150731-payments and
> http://dbaron.org/log/20150803-ecosystems on the topic.
>
> Please reply to this thread if you think there's something we should
> say as part of this charter review.

Can we change the charter such that it explicitly addresses the risks you mention in your post? E.g., by disallowing such a solution?

--
https://annevankesteren.nl/
Proposed W3C Charter: Web Payments Working Group
The W3C is proposing a new charter for:

  Web Payments Working Group
  http://www.w3.org/2015/06/payments-wg-charter
  https://lists.w3.org/Archives/Public/public-new-work/2015Aug/0001.html

Mozilla has the opportunity to send comments or objections through Tuesday, September 15.

I've been somewhat involved in the discussion that led to this charter, which occurred on the list https://lists.w3.org/Archives/Public/public-webpayments-ig/ . See also my blog posts at http://dbaron.org/log/20150731-payments and http://dbaron.org/log/20150803-ecosystems on the topic.

Please reply to this thread if you think there's something we should say as part of this charter review.

-David