- From: Anders Rundgren <notifications@github.com>
- Date: Sun, 15 Sep 2019 00:48:49 -0700
- To: w3c/payment-request <payment-request@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Sunday, 15 September 2019 07:49:11 UTC
@danyao et al. I have just scrapped(!) signing `PaymentRequest` data.

By building on https://tools.ietf.org/html/draft-rundgren-json-canonicalization-scheme-09 for creating a hash of the JSON input data, signing it together with a bunch of related objects, and finally encrypting the result as performed in step 3, followed by the Merchant's signature in step 4, the scheme appears to anyway be "air-tight" from a security point of view. I.e. the signature was _redundant_.

However, I would still be a bit concerned about limitations on what you can update in an event.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/w3c/payment-request/issues/879#issuecomment-531543268