
Re: Encrypting basic card data

From: Adam Roach <abr@mozilla.com>
Date: Sat, 9 Jul 2016 09:16:10 +0100
To: Adrian Hope-Bailie <adrian@hopebailie.com>, Payments WG <public-payments-wg@w3.org>
Message-ID: <51ca60a2-a9fe-896f-1937-ca8e38852f47@mozilla.com>

On 7/9/16 08:52, Adrian Hope-Bailie wrote:
> It would however prevent sniffing data from this channel

Before we add this complication, I think I'd want an existence proof of 
some method whereby an attacker could inject himself in a way that would 
perform passive interception without also allowing active tampering. At 
first blush, it seems like it's adding the illusion of increased 
security without actually making things better.

> Note: I'm leaving talk of a more sophisticated solution where the keys 
> are bound to the merchant and can be verified by the payment app to 
> another discussion, there was a decent size group of volunteers in 
> London interested in exploring that topic.

This seems more worthwhile.

Adam Roach
Principal Platform Engineer
Office of the CTO
Received on Saturday, 9 July 2016 08:16:44 UTC
