-
Notifications
You must be signed in to change notification settings - Fork 39
SPC Candidate Recommendation Vision
Status: This is a vision for Secure Payment Confirmation (SPC) at Candidate Recommendation. This document does not (yet) represent any consensus. Questions? [email protected].
W3C Process requirements to advance to CR are described in section 6.3.7 of the W3C Process Document.
Process: "must show that the specification has met all Working Group requirements, or explain why the requirements have changed or been deferred."
TODO: Evaluate SPC against the Working Group's requirements.
Process: "must document changes to dependencies during the development of the specification."
The Working Group Charter names groups for coordination. The Working Group has liaised on a regular basis with these:
- Web Authentication WG
- Web Payment Security IG
- EMVCo (especially their 3-D Secure Working Group)
- Various open banking API organizations: Open Banking UK, Berlin Group, and STET.
The WPWG has not found it necessary to liase with the Web Application Security WG or ISO TC 68.
- TODO: Track remaining open issues.
- The Working Group continues to record issues and has identified some that they do not expect to close in version 1 of the specification.
Process: "must show that the specification has received wide review."
The specification has been reviewed (at least) by:
- Implementers (Adyen, Stripe, Modirum)
- Horizontal Groups
- Other standards bodies (EMVCo)
In addition, because SPC depends heavily on Web Authentication / FIDO, there have been many discussions about features and interoperability among WPSIG and the Web Authentication WG.
- APA concluded there was no need to review the specification.
- Subsequently, Ian Jacobs raised an issue (127) on icon accessibility and sought APA review; APA indicated satisfaction.
- The TAG conducted a positive review of SPC; see issue 675.
- A PING review resulted in a set of privacy-related issues. All were resolved to the satisfaction of PING except where noted below.
- SPC issue 154 relates to the user's ability to override a relying parties desire for a credential to be usable both for login and payments. The Web Payments Working Group suggests that this issue is best handled either by Web Authentication, or via CTAP, or some combination.
- The WPWG is aware of one internationalization issue (93) related to the ability to localize strings that are provided as input to the API and that are displayed in the user agent's transaction dialog.
- We anticipate an ECMAScript-level solution in the long term. In the short term, we have proposed as a backwards-compatible solution for displayable strings: each one is defined as a union of String and a Localizable (WebIDL) structure. Whether the Working Group publishes the Localizable structure definition in SPC or the I18N WG publishes a standalone specification that may be referenced by various Working Groups has yet to be determined.
- We are awaiting replies from the I18N Working Group (who are themselves consulting with the TAG and others).
- Issue 14 raised 7 September 2021; no responses so far.
Process: "must document how adequate implementation experience will be demonstrated"