Re: [w3c/browser-payment-api] Should PaymentResponse include totalAmount and if so must it be one of the supplied totals (#215)

@msporny wrote:

> How do merchants know the response wasn't tampered with in transit?

I assume that payment apps that wish to provide additional guarantees can use digital signatures generally. I would not expect the API to have built-in support for digital signatures.

> That is, if we're putting the total in there so the merchants can feel safe that the amount requested was the amount paid (and we have no MiTM protection on totalAmount), doesn't that defeat the purpose of including the value in the response?

It seems to me that in many or most cases the merchant-sent total (call it "T") will be the same as the total received in the payment response. So a check that the response includes "T" would make a strong case that no tampering has occurred.




---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/browser-payment-api/issues/215#issuecomment-226529968

Received on Thursday, 16 June 2016 15:57:36 UTC
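To make the two checks discussed in this thread concrete, an added example that is not code from the thread or from the Payment Request API: the merchant compares the response's totalAmount to the total T it requested, and, since the API offers no built-in signatures, the payment app attaches its own authenticator over the response which the merchant verifies. An HMAC under a shared key stands in for the digital signature the comment mentions; the key, the methodName field and the amounts are constructed for the demo.

```python
import hmac
import hashlib
import json

# Constructed: the total the merchant put in its PaymentRequest (call it T).
REQUESTED_TOTAL = {"currency": "USD", "value": "65.00"}
# Constructed shared key; a real payment app would use an asymmetric signature.
KEY = b"constructed-demo-key"


def canonical(payload: dict) -> bytes:
    """Deterministic serialization so signer and verifier cover the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def payment_app_sign(response: dict, key: bytes) -> dict:
    """Hypothetical payment-app step: authenticate the response fields it produced."""
    tag = hmac.new(key, canonical(response), hashlib.sha256).hexdigest()
    return {**response, "signature": tag}


def total_matches(response: dict, requested: dict) -> bool:
    """The check suggested in the thread: does the response echo the merchant's T?"""
    return response.get("totalAmount") == requested


def signature_valid(signed: dict, key: bytes) -> bool:
    """Recompute the tag over every field except the signature itself."""
    body = {k: v for k, v in signed.items() if k != "signature"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed.get("signature", ""))


def merchant_accepts(signed: dict, requested: dict, key: bytes) -> bool:
    """Merchant-side decision: the total must match T and the authenticator must hold."""
    return total_matches(signed, requested) and signature_valid(signed, key)


# Honest flow: the app paid T and signed a response carrying T.
GOOD = payment_app_sign({"methodName": "basic-card", "totalAmount": REQUESTED_TOTAL}, KEY)

# In-transit modification: the app actually authorised a smaller amount, and the
# totalAmount field was rewritten afterwards so that it echoes T.
_PAID_LESS = payment_app_sign(
    {"methodName": "basic-card", "totalAmount": {"currency": "USD", "value": "5.00"}}, KEY)
TAMPERED = {**_PAID_LESS, "totalAmount": REQUESTED_TOTAL}

if __name__ == "__main__":
    print("honest accepted:", merchant_accepts(GOOD, REQUESTED_TOTAL, KEY))      # True
    print("tampered total matches T:", total_matches(TAMPERED, REQUESTED_TOTAL))  # True
    print("tampered accepted:", merchant_accepts(TAMPERED, REQUESTED_TOTAL, KEY))  # False
```

The equality check alone passes for the rewritten response; only the app-level authenticator distinguishes it from the honest one.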