Re: [w3c/browser-payment-api] Should the browser API support the concept of "messages"? (#154)

@adrianhopebailie wrote:
> I can see arguments for the mediator trimming down the request (protect privacy of the payee) but also arguments against (mediator must understand too much about the request and therefore limits extensibility of the message).

Also keep in mind that merchants may want to digitally sign payment requests in the future, and anything that changes the payment request (including the mediator) would invalidate that digital signature.

Really, the payment mediator re-writing the payment request intended for the payment app should be off limits. If we don't put it off limits, we're forcing a few decisions around security and digital signatures which may paint us into a corner wrt. security.


Received on Monday, 25 April 2016 16:00:59 UTC
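
The signature concern raised in this message, as an added example that is not part of the original email or of the Payment Request specification. It assumes an Ed25519 signature over a key-sorted JSON serialization; the field names, the sample request and the two mediator functions are hypothetical.

```javascript
// Added illustration: signing scheme and field names are assumptions.
const crypto = require('node:crypto');

// Deterministic serialization: keys are sorted recursively, so an
// intermediary that only reparses or reorders keys yields the same bytes.
function canonicalize(value) {
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  if (value !== null && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k]))
      .join(',') + '}';
  }
  return JSON.stringify(value);
}

function signRequest(request, privateKey) {
  // Ed25519 takes no separate digest algorithm, hence null.
  return crypto.sign(null, Buffer.from(canonicalize(request)), privateKey);
}

function verifyRequest(request, signature, publicKey) {
  return crypto.verify(null, Buffer.from(canonicalize(request)), publicKey, signature);
}

// Hypothetical mediator that forwards the request, only reordering keys.
function forwardReordered(request) {
  return Object.fromEntries(Object.entries(request).reverse());
}

// Hypothetical mediator that trims a field before forwarding.
function trimForPrivacy(request) {
  const { payeeDetails, ...rest } = request;
  return rest;
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const request = { // constructed sample data
    supportedMethods: ['example-method'],
    total: { currency: 'USD', value: '55.00' },
    payeeDetails: { name: 'Example Merchant' },
  };
  const signature = signRequest(request, privateKey);
  return {
    reordered: verifyRequest(forwardReordered(request), signature, publicKey),
    trimmed: verifyRequest(trimForPrivacy(request), signature, publicKey),
  };
}
```

The payment app accepts the forwarded request only when the mediator leaves its content intact: `demo()` returns `reordered: true` and `trimmed: false`.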