Main Page/ProposalsQ42015/Browser Sec TF
From Web Commerce Interest Group
STATUS: Withdrawn by the proponent.
Browser Security Task Force
Goals
Determine the bare maximum set of functionality to allow a payment API to be safely executed even when:
- Browser has been compromised with rogue plugins
- A hostile set of JavaScript libraries has been loaded in the browser
- Browser is stripped of all capabilities (which capabilities would we then add?)
- A Certificate Authority has been compromised.
- A Certificate Authority issued fake certificates
- There is a man-in-the-middle of an HTTPS session
- No one is present at the computer and adware tries to execute a payment on its own
Problem Statement
See https://www.w3.org/Payments/IG/wiki/Security_Issues. The browser should be stripped of all standards and capabilities. Standards and capabilities should then be added until a payment can be safely executed.
Deliverables
- Bare maximum set of capabilities to safely execute a payment
- Document showing that the browser is not, today, a safe environment in which to execute a payment. Ideally this will show the legal liabilities in the event that an unsafe standard is published.
Success criteria
- Requirements delivered to appropriate groups.
Task Force Operation
If formed, the WPIG Credentials Task Force will:
- Have weekly calls
- Work on completing the deliverables outlined above
- Prepare presentable material for the February F2F
Dependencies
- WebAppSec WG
- https://w3c.github.io/websec/web-authentication-charter
- https://w3c.github.io/websec/hasec-charter
Milestones / Timelines
- Perform background research listed in deliverables