[w3c/webpayments-payment-apps-api] Should we distinguish the identifier for a payment app from the identifier for the app server that processes payments? (#20) from ianbjacobs on 2016-08-09 (public-webpayments-specs@w3.org from August 2016)

From: ianbjacobs <notifications@github.com>
Date: Tue, 09 Aug 2016 09:58:14 -0700
To: w3c/webpayments-payment-apps-api <webpayments-payment-apps-api@noreply.github.com>
Message-ID: <w3c/webpayments-payment-apps-api/issues/20@github.com>

In the spec up to now, we have defined "request_url" as serving two purposes:

* service that accepts payment request messages via HTTP POST. 
* identifier for the app.

I have made changes in the spec to distinguish these two functionalities by adding "payment_app_id" for the latter role. This allows, for example, multiple payment apps to reuse the same processing service.

Adrian points out a couple of things:
 
 * If we want to use origin information to do security (or other) checks, the more URLs we use the higher the cost of cross-checking them all.
 * We need to discuss further what the expectations are for the payment_app_id URL. Is the expectation that one can dereference it, e.g., to fetch information about the payment app? Or to get registration data about the payment app?

Ian
 

---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webpayments-payment-apps-api/issues/20

Received on Tuesday, 9 August 2016 16:58:55 UTC