Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consider EMV for the Web #32

Closed
cyberphone opened this issue Oct 23, 2020 · 2 comments
Closed

Consider EMV for the Web #32

cyberphone opened this issue Oct 23, 2020 · 2 comments

Comments

@cyberphone
Copy link

I haven't "deciphered" the entire spec but the following lines caught my eyes:

While the credential ID may be used as a tracker to correlate a user across origins, an origin (e.g. a merchant) needs to already have access to the credential ID in order to invoke the new API. A merchant also already has a more powerful identifier, i.e. the raw credit card number the user provided, that it used to exchange to the credential ID via trusted server side integration with the issuing bank.

Creating a new system that needs card numbers in clear outside of the RP/Bank environment seems somewhat short-sighted and may even be in conflict with GDPR. Since WebAuthn was built for the Web, wouldn't it be reasonable using Web-methods to overcome deficiencies that stems from technology that was created 25 years ago?

This presentation outlines such a system: https://www.youtube.com/watch?v=OWn8sg7Oy3I&t=306s

That is, payment credentials are also fitted with

  • A URL to the issuing RP/Bank. This replaces the card number routing system and probably works for just about any account based system including IBAN
  • An issuer-specific (non-personal) Encryption Key

making authorizations only reveal which bank the user have.

The hashing mentioned in the presentation has recently got a suitable solution that is 100% JavaScript compatible: https://www.rfc-editor.org/rfc/rfc8785.html

This is effectively a souped-up EMV adapted for the Web. EMV is more "protocol-efficient" than 3DS-like concepts.

Browser-wise I believe this is quite simple to achieve. Backend-wise not so. The ability to support IBAN & friends is probably a necessity to get traction. Note that such systems do not provide any "fallbacks" and such.
@cyberphone cyberphone changed the title Sub-optimal privacy concepts Sub-optimal privacy concepts - consider EMV for the Web Oct 23, 2020
@cyberphone cyberphone changed the title Sub-optimal privacy concepts - consider EMV for the Web Consider EMV for the Web Oct 23, 2020
@cyberphone
Copy link
Author

This scheme also permits a payment request performing a pre-authorization only where the result is a token that can be used at a later stage.

The very same model can also be used to increase the security of card-on-file schemes, since (valid) activations (in a properly designed system NB...), should only be possible to create by the party it was originally issued for.

There seems to be no need for specific tokenization services either.

@ianbjacobs
Copy link
Collaborator

Closing this for now. We can reopen if needed.

@cyberphone cyberphone mentioned this issue Aug 17, 2021
Closed
1 task
@cyberphone cyberphone mentioned this issue Nov 5, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ianbjacobs @cyberphone