- From: Manu Sporny <notifications@github.com>
- Date: Wed, 12 Oct 2016 08:08:51 -0700
- To: w3c/browser-payment-api <browser-payment-api@noreply.github.com>
- Message-ID: <w3c/browser-payment-api/issues/291/253241364@github.com>
## Digital Signatures - Fragment Signatures

If the group desires to only forward the selected payment method information to the payment app, then a new signature construction algorithm will need to be defined which follows the basic algorithm below:

For each payment method `pm` in `paymentMethods`, generate a digital signature by:

1. Create a new empty JSON object `toSign`.
1. Set the `toSign.paymentMethods` key to the value of `pm`.
1. Set the `toSign.paymentDetails` key to the value of the payment details.
1. Set the `toSign.paymentOptions` key to the value of the payment options.
1. Digitally sign `toSign` using the signature algorithm of choice.
1. Store the digital signature as `sig`.
1. Set the `pm.signature` key to the value of `sig`.

This will result in a payment methods array that looks like the following if using Linked Data Signatures:

```
[{
  "supportedMethods": ["visa","bitcoin"],
  "signature": {
    "type": "LinkedDataSignature2015",
    "created": "2016-10-12T14:14:39Z",
    "creator": "https://merchant.example.com/keys/1",
    "signatureValue": "kC/MZTvo3ro8/yR+OPY4ZtWWpaddFmWDH35U0F5 UuwRgH9KXs9ersJEznQ3zOXIPALZTW/cXdzhDT5ogA+TLQcr7+YY0yGd6z YgDdg1HVtzRDaXULCi+Admu6A3tKCLzku0+cHiRjDx/mIRTFHE6zoaUcTZJ Gf8JiMSrHPRJBGQ="
  }
}, {
  "supportedMethods": ["bobpay.com"],
  "data": {
    "merchantIdentifier": "XXXX",
    "bobPaySpecificField": true
  },
  "signature": {
    "type": "LinkedDataSignature2015",
    "created": "2016-10-12T14:14:39Z",
    "creator": "https://merchant.example.com/keys/1",
    "signatureValue": "RlNJFKeeJax5I592PPGbN0IoCVqhLKothrq6DA9BX3 7RhoDWlVGCCBZLRgPbAeCw7HvDZIi7IXm0R4vXNEIeDsy6kKFzjooUm9IO p6NADi6n1cMgbKzytJ7sXMhKWVgQZNZopNxWpT7f+SEPbF2FiOhJFN3wg LyyqT62x8OUCI8="
  }
}]
```

or the following if using JWTs:

```
[{
  "supportedMethods": ["visa","bitcoin"],
  "jwt": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJAY 29udGV4dCI6eyJAdm9jYWIiOiJodHRwczovL3czaWQub 3JnL3BheW1lbnRzIyJ9LCJwYXltZW50TWV0aG9kcyI6W 3sic3VwcG9ydGVkTWV0aG9kcyI6WyJ2aXNhIiwiYml0Y2 9pbiJdfV0sInBheW1lbnREZXRhaWxzIjp7ImRpc3BsYXlJd GVtcyI6W3sibGFiZWwiOiJTdWItdG90YWwiLCJhbW91bn QiOnsiY3VycmVuY3kiOiJVU0QiLCJ2YWx1ZSI6IjU1LjAwIn 19LHsibGFiZWwiOiJTYWxlcyBUYXgiLCJhbW91bnQiOnsi Y3VycmVuY3kiOiJVU0QiLCJ2YWx1ZSI6IjUuMDAifX1dLC J0b3RhbCI6eyJsYWJlbCI6IlRvdGFsIGR1ZSIsImFtb3VudC I6eyJjdXJyZW5jeSI6IlVTRCIsInZhbHVlIjoiNjAuMDAifX19LC JwYXltZW50T3B0aW9ucyI6eyJyZXF1ZXN0U2hpcHBpbmci OnRydWV9fQ.SNvvQouMMOoYwwYHUb4m_Lvf7-iuB3fhUgJaYkhCLxXGvwN8aVwgzyUUj12PMbwnvjzxQ_Lu HEQUn2WW6lNvb-8BD1CZytUyW103FCyTvPMauho4TtQ7 GclurrKfDs1CUpXiy91XGm_wlpqTWc5eSTl1J-OrBYWTpJZ Oy6KOvJ0"
}, {
  "supportedMethods": ["bobpay.com"],
  "data": {
    "merchantIdentifier": "XXXX",
    "bobPaySpecificField": true
  },
  "jwt": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJAY 29udGV4dCI6eyJAdm9jYWIiOiJodHRwczovL3czaWQub 3JnL3BheW1lbnRzIyJ9LCJwYXltZW50TWV0aG9kcyI6W 3sic3VwcG9ydGVkTWV0aG9kcyI6WyJib2JwYXkuY29tIl0 sImRhdGEiOnsibWVyY2hhbnRJZGVudGlmaWVyIjoiWFh YWCIsImJvYlBheVNwZWNpZmljRmllbGQiOnRydWV9fV0 sInBheW1lbnREZXRhaWxzIjp7ImRpc3BsYXlJdGVtcyI6W 3sibGFiZWwiOiJTdWItdG90YWwiLCJhbW91bnQiOnsiY3 VycmVuY3kiOiJVU0QiLCJ2YWx1ZSI6IjU1LjAwIn19LHsib GFiZWwiOiJTYWxlcyBUYXgiLCJhbW91bnQiOnsiY3Vycm VuY3kiOiJVU0QiLCJ2YWx1ZSI6IjUuMDAifX1dLCJ0b3Rhb CI6eyJsYWJlbCI6IlRvdGFsIGR1ZSIsImFtb3VudCI6eyJjdX JyZW5jeSI6IlVTRCIsInZhbHVlIjoiNjAuMDAifX19LCJwYXltZ W50T3B0aW9ucyI6eyJyZXF1ZXN0U2hpcHBpbmciOnRyd WV9fQ.m28k93A9nOlrsTcGfvVBT4yJxOB2j0xPJwbc2P3o n9UJLGcslR0FNQYmito6LdH8RIng470FYOyf_eIYd6MqC q5lWyDayfgQarjnZ9JDXDTzZ8QpTjJGyPChPal-shZ9edE NgHSHUxojKFqM4JcYZ7xk9pyy8NRhGfVMP29tKRg"
}]
```

Note that in the case of the JWT above, all data is duplicated and no data outside of the base64 encoded blob of information should be used. In addition, all data is duplicated N times for every payment method in the array of payment methods. So, if a merchant has 32 payment methods that they accept, the data will be duplicated 32 times (this isn't the case for the Linked Data Signatures approach).

-- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/browser-payment-api/issues/291#issuecomment-253241364
Received on Wednesday, 12 October 2016 15:36:28 UTC
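
An added example, not part of the original comment or of any W3C specification: the per-payment-method algorithm from the message, in its JWT variant, with the payment app side that verifies the signature and reads only the signed payload. It uses Node.js `crypto` with RS256; the function names, the throwaway key pair and the sample request data are constructed for illustration.

```javascript
// Added example, not from the original comment. Names and sample data are constructed.
const crypto = require('crypto');

const b64url = (s) => Buffer.from(s).toString('base64url');

// Compact JWS using RS256 (RSASSA-PKCS1-v1_5 with SHA-256).
function signJwt(payload, privateKey) {
  const input = `${b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${b64url(JSON.stringify(payload))}`;
  return `${input}.${b64url(crypto.sign('sha256', Buffer.from(input), privateKey))}`;
}

// Steps 1-7: build toSign per payment method, sign it, attach the result to pm.
function signFragments(paymentMethods, paymentDetails, paymentOptions, privateKey) {
  return paymentMethods.map((pm) => {
    const toSign = { paymentMethods: pm, paymentDetails, paymentOptions };
    return { ...pm, jwt: signJwt(toSign, privateKey) };
  });
}

// Payment app side: pin the algorithm, verify, and return only the signed payload.
function verifyFragment(entry, publicKey) {
  const parts = entry.jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const [header, body, sig] = parts;
  const { alg } = JSON.parse(Buffer.from(header, 'base64url').toString());
  if (alg !== 'RS256') throw new Error('unexpected alg');
  const ok = crypto.verify('sha256', Buffer.from(`${header}.${body}`), publicKey,
    Buffer.from(sig, 'base64url'));
  if (!ok) throw new Error('signature check failed');
  return JSON.parse(Buffer.from(body, 'base64url').toString());
}

// Constructed sample request and a throwaway key pair.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const methods = [
  { supportedMethods: ['visa', 'bitcoin'] },
  { supportedMethods: ['bobpay.com'], data: { merchantIdentifier: 'XXXX', bobPaySpecificField: true } },
];
const details = { total: { label: 'Total due', amount: { currency: 'USD', value: '60.00' } } };
const options = { requestShipping: true };

const signed = signFragments(methods, details, options, privateKey);
// Each entry carries its own full copy of details and options inside its JWT.
console.log(signed.map((e) => verifyFragment(e, publicKey).paymentDetails.total.amount.value));
```

Because `verifyFragment` returns the decoded payload, a caller that uses its return value never reads the unsigned `supportedMethods` or `data` fields that sit next to the `jwt` key.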