Re: [webpayments] Should we be concerned about the use of the Browser API in a non-HTTPS environment? (#20)

I think HTTPS should be the default, even considering the Web Crypto API,
but allow switching to HTTP with user consent.


On Thu, Dec 10, 2015 at 2:58 AM, ianbjacobs <notifications@github.com>
wrote:

> I hear @adrianhopebailie <https://github.com/adrianhopebailie> (and
> perhaps others) saying "If it's meant to be encrypted, the Web app and
> the Payment app will both do what's necessary."
>
> This sounds about right if the Web app and the payment app are the
> endpoints, and they can encrypt and decrypt the message data. The spec
> probably *should* say that the Web application and the payment app SHOULD
> secure message data.
>
> Aside: The flow diagrams could aid us in seeing whether there are steps in
> the transaction where the messages must be secured.
>
> It also sounds like we would want to advise those who want to do
> encryption to at least consider using the W3C WebCrypto spec (as an
> informative reference):
> http://www.w3.org/TR/WebCryptoAPI/
>
> I do not have any sense yet that a stronger requirement to use WebCrypto
> for all encryption is appropriate.
>
> —
> Reply to this email directly or view it on GitHub
> <https://github.com/w3c/webpayments/issues/20#issuecomment-163340651>.
>



-- 
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net
Twitter : mountielee


---
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webpayments/issues/20#issuecomment-163451054

Received on Thursday, 10 December 2015 00:50:19 UTC