Re: Encrypting basic card data from Adam Roach on 2016-07-09 (public-payments-wg@w3.org from July 2016)

From: Adam Roach <abr@mozilla.com>
Date: Sat, 9 Jul 2016 09:16:10 +0100
To: Adrian Hope-Bailie <adrian@hopebailie.com>, Payments WG <public-payments-wg@w3.org>
Message-ID: <51ca60a2-a9fe-896f-1937-ca8e38852f47@mozilla.com>

On 7/9/16 08:52, Adrian Hope-Bailie wrote:
> It would however prevent sniffing data from this channel

Before we add this complication, I think I'd want an existence proof of 
some method whereby an attacker could inject himself in a way that would 
perform passive interception without also allowing active tampering. At 
first blush, it seems like it's adding the illusion of increased 
security without actually making things better.

> Note: I'm leaving talk of a more sophisticated solution where the keys 
> are bound to the merchant and can be verified by the payment app to 
> another discussion, there was a decent size group of volunteers in 
> London interested in exploring that topic.

This seems more worthwhile.

-- 
Adam Roach
Principal Platform Engineer
Office of the CTO

Received on Saturday, 9 July 2016 08:16:44 UTC