[Openid-specs-fapi] Google proposal: FIDO/PISP Integration
fpo at adorsys.de
Sun Apr 19 12:39:39 UTC 2020
> On 2020-04-13 06:45, Anders Rundgren wrote:
> > https://www.w3.org/2020/02/3p-creds-20200219.pdf
> Another way dealing with this scenario could be as follows:
> - Bind a FIDO key to the ServiceWorker domain ("boa.com" in the Dirk's
> - Use a ServiceWorker-local UI (
> https://github.com/adrianhopebailie/modal-window ?) to show Merchant
> payment requests
> - Perform ServiceWorker-local FIDO-assertions based on received payments
> request data
> - Encrypt assertions using a ServiceWorker-local public key where "boa.com"
> would have the private counterpart
> - Send completed packages (+ related domain identifiers for "routing")
> back to Merchants for fulfillment
> This should be "fairly compatible" with existing card processing systems
> and vendors.
> No updates to FIDO would be required and the UX could be close to optimal.
Why shall we try to use FIDO for payment? As an authentication protocol, we
can let it service that single purpose. We can use the same mechanism to
manage private keys on the user device.
This is what we tried with defining Open Banking SCA on top of oAuth2. Now
a lot of trouble, we have to bend oAuth2 to satisfy PIS constraints (see
PAR, JAR, ...).
> However, to the W3C folks great dismay, I claim that:
> - There is no need for a specific "Payment API" in Web browsers[1,2,3]
> - Most current payment providers target "omnichannel" which calls for
> quite different solutions[4,5,6]
> 1] In fact, I published an open letter about this *before* any significant
> work had been performed:
> 2] Some of the W3C members have indeed recently also "observed" the
> problem (and associated *opportunity*):
> 3] "Workaround":
> 4] Open solution: https://cyberphone.github.io/openbankingwallet/
> 5] Closed and secret solution(s): https://empsa.org/
> 6] Ridiculous "solution":
Co-Founder and Technical Lead at adorys
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Openid-specs-fapi