More detailed thoughts on this:
First, we don't specify a recommended or mandatory-to-implement key types. Do we only support public-private key pairs? Do we also allow symmetric keys? The text "only the party who has the corresponding private key (e.g., the gateway) can decrypt the response" might indicate that we're only supporting public-private key pairs (which would be fine with me).
Second, with public keys we should make it clear exactly what forms of key we recommend or require (e.g., Elliptic Curve keys with the P-256 curve). Are we expecting each payment method to define these matters? It seems safer to make a strong recommendation or mandatory-to-implement statement in this "core" encryption spec.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webpayments-crypto/issues/1#issuecomment-371349118