[w3c/webpayments-crypto] Should we allow keys or only certificates? (#15)

If we only allow certificates then we have a way to ensure that the key (in the certificate) comes from the merchant, since the certificate would be required to have been issued to the same origin that is making the payment request.

FYI: I don't think it is practical to use the actual TLS cert that the website is using to secure the connection.

An argument against this is that it makes the barrier to using encryption higher as you need to be able to get certificates issued for your domain.

https://github.com/w3c/webpayments-crypto/issues/15

Received on Friday, 1 June 2018 01:52:39 UTC