- From: mountielee <notifications@github.com>
- Date: Wed, 09 Dec 2015 16:49:16 -0800
- To: w3c/webpayments <webpayments@noreply.github.com>
- Message-ID: <w3c/webpayments/issues/20/163451054@github.com>
I think HTTPS should be default even considering Web Crypto API, but allow switching to HTTP with user consent.

On Thu, Dec 10, 2015 at 2:58 AM, ianbjacobs <notifications@github.com> wrote:

> I hear @adrianhopebailie <https://github.com/adrianhopebailie> (and
> perhaps others) saying "If it's meant to be encrypted, the Web app and
> the Payment app will both do what's necessary."
>
> This sounds about right if the Web app and the payment app are the
> endpoints, and they can encrypt and decrypt the message data. The spec
> probably *should* say that the Web application and the payment app
> SHOULD secure message data.
>
> Aside: The flow diagrams could aid us in seeing whether there are steps in
> the transaction where the messages must be secured.
>
> It also sounds like we would want to advise those who want to do
> encryption to at least consider using the W3C WebCrypto spec (as an
> informative reference):
> http://www.w3.org/TR/WebCryptoAPI/
>
> I do not have any sense yet that a stronger requirement to use WebCrypto
> for all encryption is appropriate.
>
> —
> Reply to this email directly or view it on GitHub
> <https://github.com/w3c/webpayments/issues/20#issuecomment-163340651>.
>

--
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net
Twitter : mountielee

---
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webpayments/issues/20#issuecomment-163451054

Received on Thursday, 10 December 2015 00:50:19 UTC