- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Fri, 03 Jun 2016 14:51:20 -0400
- To: Web Payments CG <public-webpayments@w3.org>
On 06/03/2016 12:08 PM, Melvin Carvalho wrote:
> http://digitalbazaar.github.io/flex-ledger/vocabulary.html
>
> Looking at:
>
> "source": "https://example.org/accounts/jane/7",
> "destination": "https://foo.com/accounts/bob/3",
> "remoteLedger": "https://foo.com/ledgers/blah/3445",
> "transfer": {
> "amount": "23.45",
> "currency": "USD"
> }
>
> Having coded in this area I'm super nervous about sending money to
> documents (i.e. without a fragment ID). In this case ... jane/7

I wouldn't put a great deal of weight on that example, Melvin. It was
just a rough approximation of what an interledger payment could look
like between two ledgers that didn't require the Interledger protocol.
Highly experimental, so don't take it as a proposed way forward.

> I strongly suspect this is an anti-pattern and perhaps should be
> considered harmful. Just consider, all possible HTTP headers (present
> and future) that apply to this entity also apply to the entity you are
> transferring money to. Is this not an accident waiting to happen?

I'm curious, what's the attack you're concerned about?
Also, if it's an issue, no problem w/ changing it to a hash-based URL.
We've taken this approach for account IDs and haven't hit an issue with
them yet, but that doesn't mean there isn't an issue.
-- manu
--
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The Web Browser API Incubation Anti-Pattern
http://manu.sporny.org/2016/browser-api-incubation-antipattern/
Received on Friday, 3 June 2016 18:51:44 UTC