Re: [webpayments] Should we be concerned about the use of the Browser API in a non-HTTPS environment? (#20)

I think HTTPS should be the default even considering the Web Crypto API,
but allow switching to HTTP with user consent.

On Thu, Dec 10, 2015 at 2:58 AM, ianbjacobs wrote:

> I hear @adrianhopebailie (and
> perhaps others) saying "If it's meant to be encrypted, the Web app and
> the Payment app will both do what's necessary."
> This sounds about right if the Web app and the payment app are the
> endpoints, and they can encrypt and decrypt the message data. The spec
> probably *should* say that the Web application and the payment app
> SHOULD secure message data.
> Aside: The flow diagrams could aid us in seeing whether there are steps in
> the transaction where the messages must be secured.
> It also sounds like we would want to advise those who want to do
> encryption to at least consider using the W3C WebCrypto spec (as an
> informative reference):
> I do not have any sense yet that a stronger requirement to use WebCrypto
> for all encryption is appropriate.

Mountie Lee

Tel : +82 2 2140 2700
Twitter : mountielee

Received on Thursday, 10 December 2015 00:50:19 UTC