- From: Adrian Hope-Bailie <adrian@hopebailie.com>
- Date: Sat, 9 Jul 2016 14:07:29 +0100
- To: Adam Roach <abr@mozilla.com>
- Cc: Payments WG <public-payments-wg@w3.org>
Received on Saturday, 9 July 2016 13:08:23 UTC
On 9 July 2016 at 09:16, Adam Roach <abr@mozilla.com> wrote:

> On 7/9/16 08:52, Adrian Hope-Bailie wrote:
>
> > It would however prevent sniffing data from this channel
>
> Before we add this complication, I think I'd want an existence proof of
> some method whereby an attacker could inject himself in a way that would
> perform passive interception without also allowing active tampering. At
> first blush, it seems like it's adding the illusion of increased security
> without actually making things better.

Yep, I thought of that. I'd not want to assert that anything is more secure than it really is.

> > Note: I'm leaving talk of a more sophisticated solution where the keys are
> > bound to the merchant and can be verified by the payment app to another
> > discussion, there was a decent size group of volunteers in London
> > interested in exploring that topic.
>
> This seems more worthwhile.

And complex :)

> --
> Adam Roach
> Principal Platform Engineer
> Office of the CTO