Re: [webpayments] How are payment instruments registered? (#14)

> It's not clear to me that the mediator needs it; they can use their own internal id when the app is registered.

There is nothing from stopping them doing that too. There needs to be a globally unique id for the app that is known to the publisher and the mediator. If the id is not provided by the publisher what would the publisher use to detect if their app is installed?
i.e. When calling: `navigator.payments.isPaymentAppInstalled({""});`

> I would not trust the URI to determine origin; that can be faked. Instead, the system should have data from the actual origin where the information was retrieved (thus, through a protocol like HTTP). 

At this stage there are a number of ways proposed that an app could be registered and not all of them are done via the browser so there is no way for the mediator to associate the app with an origin other than through some property of the app (like it's ID). 

e.g. If the app is a mobile app and is installed from the mobile platform's app store how does the mediator know which origin to link the app to? There may be some mechanism to do this already, I'm not an expert when it comes to mobile apps so I don't know. I know that publishers are verified and have certificates which they use to sign their apps etc but I'm not sure if these are tied to an origin in any way.

As we are developing a Web standard, it feels correct to me to use URLs as a platform independent way to identify the same app across various deployments.

Reply to this email directly or view it on GitHub:

Received on Thursday, 10 December 2015 16:58:31 UTC