STATUS: Withdrawn by the proponent.

Browser Security Task Force

Goals

Determine the bare maximum set of functionality to allow a payment API to be safely executed even when:

• Browser has been compromised with rogue plugins
• A hostile set of JavaScript libraries has been loaded in the browser
• Browser is removed of all capabilities, what capabilities would we add
• A Certificate Authority has been compromised.
• A Certificate Authority issued fake certificates
  • http://arstechnica.com/security/2015/10/still-fuming-over-https-mishap-google-gives-symantec-an-offer-it-cant-refuse
• There is a man-in-the-middle of an HTTPS session
• No one is present at the computer and an Adware decided to try and self-execute a payments

Problem Statement

https://www.w3.org/Payments/IG/wiki/Security_Issues Browser should be stripped of all standards and capabilities. Standards and capabilities should be added until a payment can be safely executed.

Deliverables

• Bare maximum set of capabilities to safely execute a payment
• Document showing the browser is not a safe environment, today, to execute a payment. Ideally this will show legal liabilities in event that an unsafe standard is published.

Success criteria

• Requirements delivered to appropriate groups.

Task Force Operation

If formed, the WPIG Credentials Task Force will:

• Have weekly calls
• Work on completing the deliverables outlined above
• Presentable material for February F2F

Dependencies

• WebAppSec WG
• https://w3c.github.io/websec/web-authentication-charter
• https://w3c.github.io/websec/hasec-charter

Milestones / Timelines

• Perform background research listed in deliverables