Re: [w3c/webpayments-payment-apps-api] Use PaymentRequest and PaymentResponse (#99)

@adrianhopebailie wrote:
> Actually I think you are. The PaymentRequest object contains all of the method specific data for all payment methods accepted by a website. It contains information that the merchant may not have intended any app except one that is permitted by the payment method to receive.

I'd like us to investigate then using Web Crypto to solve this problem. I'm going to see if I can use your example:

> Bobpay.com can declare in its manifest that only the Bobpay app can process payment requests for the payment method bobpay.com.
>

Ok. 

> Fred installs a new payment app called OtherPay which supports basic-card payments.

Ok. 

> Fred visits a website that supports bobpay.com and basic-card payments.

But BobPay was never authorized to handle payments by the user - so it can't be used to make payments. As such, it doesn't enter the equation here, right? A user cannot choose a payment method they never authorized.  

So, to continue, let's pretend that Fred did register BobPay. And let's make it part of merchant.com's `.canMakePayment()` call.

> The payment request that is passed to the browser contains the bobpay.com payment method details including a merchant identifier etc.

Ok, let's pretend a merchant identifier is passed for argument's sake.

Couldn't the payment method details and the merchant identifier (i.e., `.data`) be encrypted using bobpay's public key? Thus, OtherPay can't read them. 

> Fred chooses to pay with OtherPay (he's never even heard of bobpay.com) 

Ok. 

> so the request is passed to the OtherPay app which sees the bobpay.com data and stores this in its competitor analysis system. Yay free competitor information!

But if the `.data` is encrypted, then all OtherPay sees is garbage?

> This is the crux of #2 which provides good background to why the group took this decision.

Be nice to work through the above with real code.... diagramming it out... be right back. 


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webpayments-payment-apps-api/issues/99#issuecomment-276258222

Received on Tuesday, 31 January 2017 02:39:58 UTC