Re: [w3c/browser-payment-api] How are digital signatures supported for Payment Requests? (#291)

## Digital Signatures - Proposal 1

The Web Payments CG specs addressed this issue by digitally signing the entire Payment Request, which would look something like this if we were to use Linked Data Signatures:

```
{
  "@context": "https://w3id.org/payments/v1",
  "paymentMethods": [{
    "supportedMethods": ["visa","bitcoin"]
  }, {
    "supportedMethods": ["bobpay.com"],
    "data": {
      "merchantIdentifier": "XXXX",
      "bobPaySpecificField": true
    }
  }],
  "paymentDetails": {
    "displayItems": [{
      "label": "Sub-total",
      "amount": { "currency": "USD", "value": "55.00" }
    },{
      "label": "Sales Tax",
      "amount": { "currency": "USD", "value": "5.00" }
    }],
    "total":  {
      "label": "Total due",
      "amount": { "currency": "USD", "value": "60.00" }
    }
  },
  "paymentOptions": {
    "requestShipping": true
  },
  "signature": {
    "type": "LinkedDataSignature2015",
    "created": "2016-10-12T14:14:39Z",
    "creator": "https://merchant.example.com/keys/1",
    "nonce": "eb4bc9ef",
    "signatureValue": "kC/MZTvo3ro8/yR+OP...HPRJBGQ="
  }
}
```

and it would look like this if we were to use JWTs (SHA256 + RSA signature):

```
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...gff0EfDnNzi61KyeCEwcT6ktx2HDG1Qy2UF1DshXp5uWkpbbfa9hirO1oC_CGaxgWjrJDOa0HaEtMVUIpM1ta7AGWD7zhZdczRiUWjzppN9e8j6ZPV1I2YgERfP4-nuNSvWI7TqELlfZ8fb06449ULL-Fu1znNY-JCeWwgKc75U
```

The problem that is introduced by the design of the Payment Request API is that we only want to forward the payment method to the payment app that has been selected by the user.

The simplest form of signature is what has been provided above, but because of the requirement to not share all supported payment methods, we end up in search of something more complex (as I'll demonstrate in the next comment in this thread).

One thing we could do is re-visit the decision to not share all supported payment methods w/ the payment app. If we can't find a compelling reason to only forward the pertinent payment app data (other than message size), then we may want to remove that requirement on the PaymentRequest API.

https://github.com/w3c/browser-payment-api/issues/291#issuecomment-253229863

Received on Wednesday, 12 October 2016 14:54:30 UTC
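
The conflict described in the comment above, as an added example that is not part of the original post: a signature over the entire Payment Request stops verifying once only the selected payment method is forwarded to the payment app. The key pair is generated locally as a stand-in for the merchant key, the function names are hypothetical, and the mediator's filtering step is an assumption about how "forward only the selected method" would be done.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed key pair standing in for https://merchant.example.com/keys/1.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const b64u = (v) => Buffer.from(v).toString('base64url');
const fromB64u = (s) => Buffer.from(s, 'base64url').toString('utf8');

// Constructed request, abbreviated from the one in the post.
const request = {
  paymentMethods: [
    { supportedMethods: ['visa', 'bitcoin'] },
    { supportedMethods: ['bobpay.com'], data: { merchantIdentifier: 'XXXX' } },
  ],
  paymentDetails: { total: { label: 'Total due', amount: { currency: 'USD', value: '60.00' } } },
};

// Merchant: sign the entire request as a compact JWS (RS256).
function signRequest(req) {
  const input = b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT' })) + '.' + b64u(JSON.stringify(req));
  return input + '.' + b64u(nodeCrypto.sign('sha256', Buffer.from(input), privateKey));
}

// Verifier: pin the algorithm, check the signature, return the payload or null.
function verifyRequest(jws) {
  const [h, p, s] = jws.split('.');
  if (JSON.parse(fromB64u(h)).alg !== 'RS256') return null;
  const ok = nodeCrypto.verify('sha256', Buffer.from(h + '.' + p), publicKey, Buffer.from(s, 'base64url'));
  return ok ? JSON.parse(fromB64u(p)) : null;
}

// Assumed mediator behaviour: forward only the entry for the selected method,
// re-encode the payload, and pass the merchant's signature along unchanged.
function forwardToApp(jws, method) {
  const [h, p, s] = jws.split('.');
  const req = JSON.parse(fromB64u(p));
  req.paymentMethods = req.paymentMethods.filter((m) => m.supportedMethods.includes(method));
  return h + '.' + b64u(JSON.stringify(req)) + '.' + s;
}

const signed = signRequest(request);
console.log('full request verifies:', verifyRequest(signed) !== null);
console.log('filtered request verifies:', verifyRequest(forwardToApp(signed, 'bobpay.com')) !== null);
```

The unfiltered token verifies and the filtered one does not, because the signed bytes cover every `paymentMethods` entry.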