Re: Authenticating Merchants

On 2/22/17 01:58, Anders Rundgren wrote:
> Merchant authentication seems to have two primary goals:
> 1) giving the Payment Provider a chance to block a payment request 
> because the Merchant has been black-listed.

The current specification does pass along the (authenticated) origin of 
the payment requester. This origin could be used as input to any kind of 
desired whitelist/blacklist scheme.

> 2) if authentication is performed through a digital signature, verify 
> that the payment request hasn't been tampered with.

By whom? I've heard this mentioned a couple of times already, but always 
in a hand-wavy kind of way. Describe, concretely, the attack you are 
attempting to avoid.


-- 
Adam Roach
Principal Engineer, Mozilla

Received on Thursday, 23 February 2017 21:44:56 UTC