Warning:
This wiki has been archived and is now read-only.

Main Page/FTF June2015/SecurityNextSteps

From Web Commerce Interest Group

Jump to: navigation, search

PowerPoint Presentation

Gap analysis
- Which parts of the payment process don’t have existing standards or inadequate standards?
- Which parts need to have a flexible security model or conversely can benefit from a common model?
Relate to capabilities
Prioritize many security needs

Digital Signatures
- JSON Object Signing and Encryption (JOSE) [IETF]
- Linked Data Signatures [W3C]
- Web Crypto [W3C]
- EMVCo as a standard for digital signatures (an EMV transaction is at its core a signature of a payment transaction, with the added benefits its already supported by all EMV processors)
Authentication / Authorization
- FIDO-based authentication (same origin) [FIDO Alliance / W3C]
- Hardware-based authentication (cross origin) [W3C]
- Secure-element based standards [@@]
Encryption
- Web Crypto [W3C]
- JSON Object Signing and Encryption (JOSE) [IETF]
- Dynamic Key Management - (Constructive Key Management) [TecSec]
- Linked Data Encryption [W3C]
- Cryptography Forum Research Group? (re: credentials)
Public Key Infrastructure
- X.509 / Certificate Authority system [IETF]
- Web Keys [W3C]
Privacy Enhancing Security
- Bearer Credentials [W3C]
- IdeMix / Camenisch-Lysyanskaya signature schemes [IBM]
- U-Prove [Microsoft research]
Tokenization
- EMVCo Tokenization [EMVCo]
- X9.119 part 2: Using Tokenization Methods (security not payment) (X9 members only) [X9]
Backend
- ISO 8583 )to understand what’s the messaging security of the financial back ends_

What problems do we think there are that we don't have solutions for yet?
What do we think the security technology stack should look like?
What are the patent/IP issues related to security?
Are the technologies we think we're going to use acceptable for use in the global financial service industry?