Main Page/FTF June2015/SecurityNextSteps
From Web Commerce Interest Group
PowerPoint Presentation
https://www.w3.org/Payments/IG/wiki/File:Security_Next_Steps.ppt
Goals
- Gap analysis
- Which parts of the payment process have no existing standards, or only inadequate ones?
- Which parts need a flexible security model, and which conversely would benefit from a common model?
- Relate each gap to the capabilities listed below
- Prioritize the many security needs
Items to review
Federal Reserve Secure Payments Taskforce inaugural meeting
https://www.w3.org/Payments/IG/wiki/Security_Task_Force/Feds_06_04_15_meeting
Capabilities Needed
- Encryption for Message Channels (is HTTPS enough?)
- Public Key Infrastructure (is X.509 the way?)
- Authentication / Authorization
- Privacy Enhancing Identity/Credentials/Assertions
- Tokenization
Related Work
- Digital Signatures
  - JSON Object Signing and Encryption (JOSE) [IETF]
  - Linked Data Signatures [W3C]
  - Web Crypto [W3C]
  - EMVCo as a standard for digital signatures (an EMV transaction is at its core a cryptographically signed payment transaction, with the added benefit that it's already supported by all EMV processors; note that the online Application Cryptogram is a symmetric MAC under a key shared by card and issuer, and only offline data authentication (DDA/CDA) uses public-key signatures)
- Authentication / Authorization
  - FIDO-based authentication (same origin) [FIDO Alliance / W3C]
  - Hardware-based authentication (cross origin) [W3C]
  - Secure-element based standards [@@]
- Encryption
  - Web Crypto [W3C]
  - JSON Object Signing and Encryption (JOSE) [IETF]
  - Dynamic Key Management (Constructive Key Management) [TecSec]
  - Linked Data Encryption [W3C]
  - Crypto Forum Research Group (CFRG)? [IRTF] (re: credentials)
- Public Key Infrastructure
  - X.509 / Certificate Authority system [IETF]
  - Web Keys [W3C]
- Privacy Enhancing Security
  - Bearer Credentials [W3C]
  - IdeMix / Camenisch-Lysyanskaya signature schemes [IBM]
  - U-Prove [Microsoft Research]
- Tokenization
  - EMVCo Tokenization [EMVCo]
  - X9.119 part 2: Using Tokenization Methods (security, not payment) (X9 members only) [X9]
- Backend
  - ISO 8583 (to understand the messaging security of the financial back ends)
Questions
- What problems do we think there are that we don't have solutions for yet?
- What do we think the security technology stack should look like?
- What are the patent/IP issues related to security?
- Are the technologies we think we're going to use acceptable for use in the global financial services industry?