https://www.w3.org/2018/10/22-wpwg-minutes
https://www.w3.org/2018/10/23-wpwg-minutes
Ian: A word on scope....tokenization, 3ds, src
Jonathan: What will the discussion be tomorrow?
... Will this task force be the technical arm?
(IJ: Yes)
(3 total sessions on tokenization)
IJ: I think there is movement about browser role in tokenization ecosystem
benoit: Since tokenization is overloaded, can we narrow down what we are discussing here?
IJ: Not gateway tokens
... Main focus has been network tokens (emvco-type)
... we have also discussed encryption
https://rawgit.com/w3c/webpayments-crypto/gh-pages/
IJ: So the focus is really network tokens
... a bit on encryption but not done much lately
david: It would be great if FPANs were not available to any untrusted entity.
... it would be reasonable to say we only trust browsers and gateways
... I don't think, for example, that JS running in the browser should have access to the browser.
Jonathan: At TPAC we discussed wanting to (1) provide info only to "real" merchants, thus registration and (2) the user agent is a facilitator of collection of card metadata (and addresses, etc.)
... the metadata might not be a card but rather a token reference ID
... or it could be an encrypted payload
IJ: Have not made a convincing argument to have the browser do all the encryption
... strategy of the group was to start with basic card but move away from it.
benoit: We've been talking a lot about keeping the PAN secure, but you also have to take into account GDPR (and Calif. and Brazil, etc.)
... where no information is allowed to be passed around without any controls
IJ: What are controls?
benoit: With PII, you need to keep track of what information is circulating, and what consent the person has given to you.
IJ: What do we need to do in the API around that?
benoit: We need to make sure that we expose as little information as possible to entities that don't need it.
deanezra: I agree with David's point. You can get to that point of the GDPR...any PII should not be shared with anyone without their permission
... you can deal with this using something like a 1-time token
... or you can have a virtual FPAN (usable one time)
https://www.w3.org/Security/strong-authentication-and-identity-workshop/cfp.html
https://www.w3.org/2018/Talks/jg-security-20181022.pdf
Actions at end of the deck
IJ: Let's review those
Jonathan: At TPAC we discussed wanting tokenization, consumer authentication. ... we met with the WebAuthn WG for authentication...
... another topic was merchant registration, as well as transparency about what a user has available to pay with
... so next steps were:
- Discuss SRC. That is underway
scribe: this task force will have a big role to play in identifying roles and flows
IJ: Any desired outcomes regarding the call tomorrow?
Jonathan: Tricky because we don't yet know the role the UAs will play
https://www.w3.org/2018/Talks/ij_tpac_auth/#start
IJ: Do they know already what we want them to do (as token requestors)?
... Would it be useful to clarify that the role may not be a formal "token requestor"?
Jonathan: It's more about facilitating the collection of payment-related information
... that doesn't make the user agent a token requestor necessarily
https://github.com/w3c/webpayments-methods-tokenization/issues/53
https://github.com/w3c/webpayments-methods-tokenization/issues/54
https://w3c.github.io/payment-method-manifest/
IJ: Should we focus on tokenization first?
https://w3c.github.io/3ds/index.html
Jonathan: We will probably be mixing
28 November