Re: Payment App spec implementations

On 03/13/2017 12:07 PM, Steve Sommers wrote:
> Really both. I realize that some of the complexity will be distilled
> down by the time it reaches the Payment Apps API layer that I'm most
> interested in but still, no matter where the complexity resides, it
> still introduces vulnerabilities or at least attack vectors.

Yes, agreed on your general point.

> Has anyone stepped back and reevaluated the problem to see if there 
> is a simpler, less complex solution?

Yes, there was a proposal in the beginning that was simpler, that didn't
try to do as much wrt. Shopping Cart / Checkout, but the group decided
that that solution was not compelling enough to gain adoption. So, we
have what we have today, which is more monolithic and complex, but is
(in theory) more compelling.

In general I think the group is concerned about unnecessary complexity,
but it's not clear what is and isn't unnecessary at this point, and it's
only when we identify/discover an attack using the API that more
attention will be paid to reducing complexity (or increasing it in order
to re-establish security expectations).

-- manu

Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Rebalancing How the Web is Built

Received on Monday, 20 March 2017 18:24:24 UTC