W3C home > Mailing lists > Public > public-payments-wg@w3.org > December 2015

Re: [webpayments] Should we be concerned about the use of the Browser API in a non-HTTPS environment? (#20)

From: mountielee <notifications@github.com>
Date: Wed, 09 Dec 2015 16:49:16 -0800
To: w3c/webpayments <webpayments@noreply.github.com>
Message-ID: <w3c/webpayments/issues/20/163451054@github.com>

I think HTTPS should be the default even considering the Web Crypto API,
but allow switching to HTTP with user consent.

On Thu, Dec 10, 2015 at 2:58 AM, ianbjacobs <notifications@github.com> wrote:

> I hear @adrianhopebailie <https://github.com/adrianhopebailie> (and
> perhaps others) saying "If it's meant to be encrypted, the Web app and
> the Payment app will both do what's necessary."
> This sounds about right if the Web app and the payment app are the
> endpoints, and they can encrypt and decrypt the message data. The spec
> probably *should* say that the Web application and the payment app
> SHOULD secure message data.
> Aside: The flow diagrams could aid us in seeing whether there are steps in
> the transaction where the messages must be secured.
> It also sounds like we would want to advise those who want to do
> encryption to at least consider using the W3C WebCrypto spec (as an
> informative reference):
> http://www.w3.org/TR/WebCryptoAPI/
> I do not have any sense yet that a stronger requirement to use WebCrypto
> for all encryption is appropriate.

Mountie Lee

Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net
Twitter : mountielee

Received on Thursday, 10 December 2015 00:50:19 UTC
