Intent to Prototype: Secure payment confirmation

291 views
Skip to first unread message

Nick Burris

unread,
Jul 30, 2020, 11:51:39 AM7/30/20
to blink-dev, Rouslan Solomakhin, Danyao Wang
rou...@chromium.org, nbu...@chromium.org, dan...@chromium.org https://github.com/rsolomakhin/secure-payment-confirmation https://bit.ly/secure-payment-confirmation Secure payment confirmation augments the payment authentication experience on the web with the help of WebAuthn. The feature adds a new PaymentCredential credential type to the Credential Management spec, which allows a relying party such as a bank to create a PublicKeyCredential that can be queried by any merchant origin as part of an online checkout via the Payment Request API using the proposed secure-payment-confirmation payment method. This feature enables a consistent, low friction, strong authentication experience using platform authenticators. Strong authentication with the user's bank is becoming a requirement for online payments in many regions, including the European Union. The proposed feature provides better user experience and stronger security than existing solutions.
This feature adds a WebAuthn credential type and PaymentRequest payment method type, so the interop risk is that other browsers do not implement these types. The PaymentRequest API allows developers to specify multiple supported payment methods in case some are not supported. Gecko: Positive signal from informal conversation in W3C Payment Handler meetings. This feature is part of the Payment Handler API for which Mozilla recently filed an intent to implement. WebKit: No signal

Web developers: Positive signals from Stripe, which is interested in experimenting with the feature.
No We intend to experiment with Stripe on Mac to first prove the user benefit, and then extend the feature to all platforms, except WebView where PaymentRequest is not supported.
No To be added to the payment-request suite. https://chromestatus.com/feature/5702310124584960
This intent message was generated by Chrome Platform Status.

Yoav Weiss

unread,
Jul 31, 2020, 7:38:35 AM7/31/20
to Nick Burris, blink-dev, Rouslan Solomakhin, Danyao Wang
Is the Web Payments community aware of this work? Would it make sense to move it to an incubation venue?
 

TAG review?
 
Secure payment confirmation augments the payment authentication experience on the web with the help of WebAuthn. The feature adds a new PaymentCredential credential type to the Credential Management spec, which allows a relying party such as a bank to create a PublicKeyCredential that can be queried by any merchant origin as part of an online checkout via the Payment Request API using the proposed secure-payment-confirmation payment method. This feature enables a consistent, low friction, strong authentication experience using platform authenticators. Strong authentication with the user's bank is becoming a requirement for online payments in many regions, including the European Union. The proposed feature provides better user experience and stronger security than existing solutions.
This feature adds a WebAuthn credential type and PaymentRequest payment method type, so the interop risk is that other browsers do not implement these types. The PaymentRequest API allows developers to specify multiple supported payment methods in case some are not supported. Gecko: Positive signal from informal conversation in W3C Payment Handler meetings. This feature is part of the Payment Handler API for which Mozilla recently filed an intent to implement. WebKit: No signal


Web developers: Positive signals from Stripe, which is interested in experimenting with the feature.
No We intend to experiment with Stripe on Mac to first prove the user benefit, and then extend the feature to all platforms, except WebView where PaymentRequest is not supported.
No To be added to the payment-request suite. https://chromestatus.com/feature/5702310124584960
This intent message was generated by Chrome Platform Status.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADvKJHPdSHHtH1XhmNLy1DCL2uO-DHVDOUUUutjs_KLJSzShYw%40mail.gmail.com.

Danyao Wang

unread,
Jul 31, 2020, 11:31:20 AM7/31/20
to Yoav Weiss, Nick Burris, blink-dev, Rouslan Solomakhin
On Fri, Jul 31, 2020 at 7:38 AM Yoav Weiss <yo...@yoav.ws> wrote:


On Thu, Jul 30, 2020 at 5:51 PM Nick Burris <nbu...@chromium.org> wrote:

Is the Web Payments community aware of this work? Would it make sense to move it to an incubation venue?

Yes. We're actively discussing this work in both the Web payments Working Group, the Web Payments Security Interest Group and the Web Authentication and Payments Joint Task Force.
We plan to move the explainer to an incubation venue, or possibly adopt it as a project in the WPWG after the API design stabilizes a bit more. We will file the TAG review then as well.
 
 

TAG review?
 
Secure payment confirmation augments the payment authentication experience on the web with the help of WebAuthn. The feature adds a new PaymentCredential credential type to the Credential Management spec, which allows a relying party such as a bank to create a PublicKeyCredential that can be queried by any merchant origin as part of an online checkout via the Payment Request API using the proposed secure-payment-confirmation payment method. This feature enables a consistent, low friction, strong authentication experience using platform authenticators. Strong authentication with the user's bank is becoming a requirement for online payments in many regions, including the European Union. The proposed feature provides better user experience and stronger security than existing solutions.
This feature adds a WebAuthn credential type and PaymentRequest payment method type, so the interop risk is that other browsers do not implement these types. The PaymentRequest API allows developers to specify multiple supported payment methods in case some are not supported. Gecko: Positive signal from informal conversation in W3C Payment Handler meetings. This feature is part of the Payment Handler API for which Mozilla recently filed an intent to implement. WebKit: No signal


Yep will do.

Yoav Weiss

unread,
Jul 31, 2020, 11:50:12 AM7/31/20
to Danyao Wang, Nick Burris, blink-dev, Rouslan Solomakhin
That's great to hear. Thank you! :)

Marcos Caceres

unread,
Jul 31, 2020, 7:29:39 PM7/31/20
to blink-dev, nbu...@chromium.org, Rouslan Solomakhin, Danyao Wang
On Friday, July 31, 2020 at 1:51:39 AM UTC+10 nbu...@chromium.org wrote:
Gecko: Positive signal from informal conversation in W3C Payment Handler meetings. This feature is part of the Payment Handler API for which Mozilla recently filed an intent to implement.

Just to clarify, we sent an "intent to prototype", not "implement"... but we think this new proposal is "cool"™️. I'm tracking it on GitHub and my colleague JC (from WebAuthn fame) left some comments too. Can't commit to anything, but certainly wanting to see where it goes.   


nbu...@google.com

unread,
Aug 10, 2020, 5:45:15 PM8/10/20
to blink-dev, rou...@chromium.org, dan...@chromium.org
Reply all
Reply to author
Forward
0 new messages