
SPC Candidate Recommendation Vision

ianbjacobs edited this page May 31, 2022 · 38 revisions

Status: This is a vision for Secure Payment Confirmation (SPC) at Candidate Recommendation. This vision does not (yet) represent any consensus. Questions? [email protected].

Note that process requirements to advance to CR are described in section 6.3.7 of the W3C Process Document.

Requirements

Process: "must show that the specification has met all Working Group requirements, or explain why the requirements have changed or been deferred."

TODO: Evaluate SPC against the Working Group's requirements.

Dependencies

Process: "must document changes to dependencies during the development of the specification."

The Working Group Charter names groups for coordination. The Working Group has liaised on a regular basis with these:

  • Web Authentication WG
  • Web Payment Security IG
  • EMVCo (especially their 3-D Secure Working Group)
  • Various open banking API organizations: Open Banking UK, Berlin Group, and STET.

The WPWG has not found it necessary to liaise with the Web Application Security WG or ISO TC 68.

Issues

After Version 1

Wide Review

Process: "must show that the specification has received wide review."

The specification has been reviewed (at least) by:

  • Implementers (Adyen, Stripe, Modirum)
  • Horizontal Groups
  • Other standards bodies (EMVCo)

Web Authentication Working Group

In addition, because SPC depends heavily on Web Authentication / FIDO, there have been many discussions about features and interoperability among WPSIG and the Web Authentication WG.

Horizontal Reviews

Accessibility

  • APA concluded there was no need to review the specification.
  • Subsequently, Ian Jacobs raised an issue (127) on icon accessibility and sought APA review; APA indicated satisfaction.

Technical Architecture Group

  • The TAG conducted a positive review of SPC; see issue 675.

Privacy

  • A PING review resulted in a set of privacy-related issues. All were resolved to the satisfaction of PING except where noted below.
  • SPC issue 154 relates to the user's ability to override a relying party's desire for a credential to be usable both for login and payments. The Web Payments Working Group suggests that this issue is best handled by Web Authentication, by CTAP, or by some combination of the two.

Internationalization

Security

  • Issue 14 raised 7 September 2021; no responses so far.

Implementation Experience

Process: "must document how adequate implementation experience will be demonstrated."

Test Suite
