<div dir="ltr"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 2020-04-13 06:45, Anders Rundgren wrote:<br>
> <a href="https://www.w3.org/2020/02/3p-creds-20200219.pdf" rel="noreferrer" target="_blank">https://www.w3.org/2020/02/3p-creds-20200219.pdf</a><br>
<br>
Another way of dealing with this scenario could be as follows:<br>
- Bind a FIDO key to the ServiceWorker domain ("<a href="http://boa.com" rel="noreferrer" target="_blank">boa.com</a>" in Dirk's presentation)<br>
- Use a ServiceWorker-local UI (<a href="https://github.com/adrianhopebailie/modal-window" rel="noreferrer" target="_blank">https://github.com/adrianhopebailie/modal-window</a> ?) to show Merchant payment requests<br>
- Perform ServiceWorker-local FIDO assertions based on received payment request data<br>
- Encrypt assertions using a ServiceWorker-local public key where "<a href="http://boa.com" rel="noreferrer" target="_blank">boa.com</a>" would have the private counterpart<br>
- Send completed packages (+ related domain identifiers for "routing") back to Merchants for fulfillment<br>
<br>
This should be "fairly compatible" with existing card processing systems and vendors.<br>
No updates to FIDO would be required and the UX could be close to optimal.<br></blockquote><div>Why shall we try to use FIDO for payment? As an authentication protocol, we can let it serve that single purpose. We can use the same mechanism to manage private keys on the user device. </div><div><br></div><div>This is what we tried with defining Open Banking SCA on top of OAuth2. Now we have a lot of trouble: we have to bend OAuth2 to satisfy PIS constraints (see PAR, JAR, ...).</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
However, to the W3C folks' great dismay, I claim that:<br>
- There is no need for a specific "Payment API" in Web browsers[1,2,3]<br>
- Most current payment providers target "omnichannel" which calls for quite different solutions[4,5,6]<br>
<br></blockquote><div>+1 </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
1] In fact, I published an open letter about this *before* any significant work had been performed: <a href="https://cyberphone.github.io/doc/web//webpayments-taleof2roadmaps.html" rel="noreferrer" target="_blank">https://cyberphone.github.io/doc/web//webpayments-taleof2roadmaps.html</a><br>
2] Some of the W3C members have indeed recently also "observed" the problem (and associated *opportunity*): <a href="https://github.com/adrianhopebailie/modal-window/blob/master/explainer.md#solutions-considered" rel="noreferrer" target="_blank">https://github.com/adrianhopebailie/modal-window/blob/master/explainer.md#solutions-considered</a><br>
3] "Workaround": <a href="https://cyberphone.github.io/doc/web/calling-apps-from-the-web.pdf" rel="noreferrer" target="_blank">https://cyberphone.github.io/doc/web/calling-apps-from-the-web.pdf</a><br>
<br>
4] Open solution: <a href="https://cyberphone.github.io/openbankingwallet/" rel="noreferrer" target="_blank">https://cyberphone.github.io/openbankingwallet/</a><br>
5] Closed and secret solution(s): <a href="https://empsa.org/" rel="noreferrer" target="_blank">https://empsa.org/</a><br>
6] Ridiculous "solution": <a href="https://www.europeanpaymentscouncil.eu/sites/default/files/kb/file/2020-01/MSG%20MSCT%20061-19v1.1%20Extended%20Mandate%20MSG%20MSCT.pdf" rel="noreferrer" target="_blank">https://www.europeanpaymentscouncil.eu/sites/default/files/kb/file/2020-01/MSG%20MSCT%20061-19v1.1%20Extended%20Mandate%20MSG%20MSCT.pdf</a><br><br></blockquote><div>+1</div><div>Regards.<br>--<br>Francis Pouatcha<br>Co-Founder and Technical Lead at adorsys<br><a href="https://adorsys-platform.de/solutions/" rel="noreferrer" target="_blank">https://adorsys-platform.de/solutions/</a><br></div></div></div>
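The flow proposed in the quoted message (assertion over the payment request, encrypted for "boa.com", routed through the Merchant), sketched as an added example that is not code from either participant or from any W3C or FIDO specification. It assumes Node.js; the software key pairs, the package field names and the RSA-OAEP plus AES-GCM envelope are hypothetical stand-ins for an authenticator and a bank-chosen encryption scheme.

```javascript
// Added illustration: key names, package fields and the RSA-OAEP + AES-GCM
// envelope are assumptions; software keys stand in for a FIDO authenticator.
const crypto = require("crypto");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();
const RP_ID = "boa.com"; // ServiceWorker domain named in the thread
const fido = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
const bank = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
// Constructed sample payment request as a Merchant might send it.
const SAMPLE_REQUEST = JSON.stringify({ payee: "merchant.example", amount: "25.00", currency: "EUR" });

// ServiceWorker side: WebAuthn-style assertion whose challenge is the request hash.
function signPayment(request, counter) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get",
    challenge: sha256(request).toString("base64url"),
    origin: "https://" + RP_ID,
  }));
  const authData = Buffer.alloc(37); // rpIdHash(32) | flags(1) | signCount(4)
  sha256(RP_ID).copy(authData, 0);
  authData[32] = 0x05; // user present + user verified
  authData.writeUInt32BE(counter, 33);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  const signature = crypto.sign("sha256", signed, fido.privateKey);
  const b64 = (buf) => buf.toString("base64");
  return { clientDataJSON: b64(clientDataJSON), authData: b64(authData), signature: b64(signature) };
}

// ServiceWorker side: encrypt so the Merchant can route but not read the package.
function sealForBank(assertion) {
  const key = crypto.randomBytes(32), iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(JSON.stringify(assertion), "utf8"), c.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: bank.publicKey, oaepHash: "sha256" }, key);
  return { route: RP_ID, wrappedKey, iv, ct, tag: c.getAuthTag() };
}

// Bank side: decrypt, then check binding to this request, domain and counter.
function bankVerify(pkg, request, lastCounter) {
  const key = crypto.privateDecrypt({ key: bank.privateKey, oaepHash: "sha256" }, pkg.wrappedKey);
  const d = crypto.createDecipheriv("aes-256-gcm", key, pkg.iv).setAuthTag(pkg.tag);
  const a = JSON.parse(Buffer.concat([d.update(pkg.ct), d.final()]).toString("utf8"));
  const [cdj, authData, sig] = [a.clientDataJSON, a.authData, a.signature].map((s) => Buffer.from(s, "base64"));
  const cd = JSON.parse(cdj.toString("utf8"));
  return cd.type === "webauthn.get" && cd.origin === "https://" + RP_ID &&
    cd.challenge === sha256(request).toString("base64url") &&
    authData.subarray(0, 32).equals(sha256(RP_ID)) &&
    (authData[32] & 0x05) === 0x05 && authData.readUInt32BE(33) > lastCounter &&
    crypto.verify("sha256", Buffer.concat([authData, sha256(cdj)]), fido.publicKey, sig);
}
```

The bank-side check rejects a package whose amount was changed by the Merchant after signing and one whose signature counter has already been seen, which are the two properties the assertion adds over a plain encrypted card payload.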