Re: CfC on publishing HTTP API and Core Messages - ACTION REQUIRED

On Thu, 2016-08-11 at 09:47 +0000, Telford-Reed, Nick wrote:

> At the F2F in London there was support [1] for issuing a Call for
> Consensus (CFC) to publish two specifications:
> 
> 1. The HTTP API
> 
>     https://w3c.github.io/webpayments-http-api/
> 
> 2. The Core Messages API
> 
>     https://w3c.github.io/webpayments-core-messages/
> 

Taler and Inria support creating an HTTP API.  There are plenty of
payment situations where JavaScript should not be required.

We remain unclear on the development process of W3C specifications.  We
support publishing these FPWD under the understanding that doing so is
necessary to focus people's energy on them, and that publishing a
working draft does not cast various questionable parts in stone.  We
find the specifications' text itself often premature.

Some HTTP API shortcomings:

- Needs error handling URLs for failed payments.

- We're concerned about the placement of the contract in the HTTP
request, i.e. header vs body. 

Some Core Message API shortcomings:

- Various parts seem unclear or underspecified. 

- Repeating all of the information in the payment response (2.2) seems
redundant and wastes upstream bandwidth.  We'd recommend identifying
previously seen contracts by a cryptographic hash of canonicalized
JSON.

- Amounts being expressed as strings in the Core Message API invites
several types of overflow attacks on poorly implemented wallets.  In
Taler, we constrain values to be 53-bit integers so that JavaScript can
represent them correctly.

At present, I'm unable to consult Inria about intellectual obligations,
as the French take long vacations in August.  I cannot imagine anything
here being an issue though.  And our team has no conflicts, obviously.

Best,
Jeff

Received on Monday, 22 August 2016 13:14:21 UTC
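
The concern above about string amounts and the 53-bit bound, as an added example that is not part of the original message and is not code from Taler or the W3C drafts: a strict parser that turns a decimal-string amount into integer minor units and rejects anything JavaScript cannot represent exactly. The function names, the two-digit fraction and the sample strings are assumptions made for illustration.

```javascript
// Added example (hypothetical names). Assumption: amounts carry at most
// SCALE fractional digits and are stored as integer minor units.
const SCALE = 2;
const AMOUNT_RE = new RegExp(`^(0|[1-9][0-9]*)(?:\\.([0-9]{1,${SCALE}}))?$`);
const MAX_SAFE = BigInt(Number.MAX_SAFE_INTEGER); // 2^53 - 1

// What a careless wallet might do: parseFloat accepts exponents and
// trailing garbage, and silently rounds values beyond 2^53.
function naiveParse(s) {
  return Math.round(parseFloat(s) * 10 ** SCALE);
}

// Strict parser: returns a safe integer count of minor units, or throws.
function parseAmount(s) {
  if (typeof s !== "string" || s.length > 32) {
    throw new RangeError("amount must be a short string");
  }
  const m = AMOUNT_RE.exec(s);
  if (!m) throw new RangeError("malformed amount");
  // Do the arithmetic in BigInt so the range check itself cannot round.
  const frac = (m[2] || "").padEnd(SCALE, "0");
  const units = BigInt(m[1]) * 10n ** BigInt(SCALE) + BigInt(frac);
  if (units > MAX_SAFE) throw new RangeError("amount exceeds 53-bit range");
  return Number(units);
}

// Helper for checking rejections without a try/catch at every call site.
function rejects(s) {
  try { parseAmount(s); return false; } catch (e) { return e instanceof RangeError; }
}

// Constructed sample inputs, not taken from either specification.
for (const s of ["10.50", "90071992547409.93", "1e3", "10.50abc", "-5"]) {
  const strict = rejects(s) ? "rejected" : parseAmount(s);
  console.log(JSON.stringify(s), "naive:", naiveParse(s), "strict:", strict);
}
```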