On 9 July 2016 at 09:16, Adam Roach <abr@mozilla.com> wrote: > On 7/9/16 08:52, Adrian Hope-Bailie wrote: > > It would however prevent sniffing data from this channel > > > Before we add this complication, I think I'd want an existence proof of > some method whereby an attacker could inject himself in a way that would > perform passive interception without also allowing active tampering. At > first blush, it seems like it's adding the illusion of increased security > without actually making things better. > Yep, I thought of that. I'd not want to assert that anything is more secure than it really is. > > Note: I'm leaving talk of a more sophisticated solution where the keys are > bound to the merchant and can be verified by the payment app to another > discussion, there was a decent size group of volunteers in London > interested in exploring that topic. > > > This seems more worthwhile. > And complex :) > > > -- > Adam Roach > Principal Platform Engineer > Office of the CTO >Received on Saturday, 9 July 2016 13:08:23 UTC
This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 16:43:18 UTC