Re: Encrypting basic card data

From: Adrian Hope-Bailie <adrian@hopebailie.com>
Date: Sat, 9 Jul 2016 14:07:29 +0100
Message-ID: <CA+eFz_LDTae4C3VYRWpFfYhSdT-Qi1FVKQU6oK98ODPYM=R1cA@mail.gmail.com>
To: Adam Roach <abr@mozilla.com>
Cc: Payments WG <public-payments-wg@w3.org>

On 9 July 2016 at 09:16, Adam Roach <abr@mozilla.com> wrote:

> On 7/9/16 08:52, Adrian Hope-Bailie wrote:
>
> It would however prevent sniffing data from this channel
>
>
> Before we add this complication, I think I'd want an existence proof of
> some method whereby an attacker could inject himself in a way that would
> perform passive interception without also allowing active tampering. At
> first blush, it seems like it's adding the illusion of increased security
> without actually making things better.
>

Yep, I thought of that. I'd not want to assert that anything is more secure
than it really is.


>
> Note: I'm leaving talk of a more sophisticated solution where the keys are
> bound to the merchant and can be verified by the payment app to another
> discussion; there was a decent-sized group of volunteers in London
> interested in exploring that topic.
>
>
> This seems more worthwhile.
>

And complex :)

>
>
> --
> Adam Roach
> Principal Platform Engineer
> Office of the CTO
>
Received on Saturday, 9 July 2016 13:08:23 UTC