Re: [w3c/webpayments-crypto] Should we allow keys or only certificates? (#15)

Allowing only certificates that come from the merchant origin prevents the merchant's processor from supplying the key and therefore puts the merchant in more difficulty with PCI compliance. Also, from a trust point of view, the shopper is sharing their card with the merchant rather than just the payment processor.

Enabling the pass-through of data was a key use case we were trying to enable.

However, allowing certificates from other sources is a good idea. Allowing keys is a problem, as anyone could have inserted that key into the payload.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webpayments-crypto/issues/15#issuecomment-394597265

Received on Tuesday, 5 June 2018 06:34:00 UTC