Re: [w3c/payment-request] Pass SKU instead of Total (#879)

Ah thanks @ianbjacobs. Yes I believe #858 is raising essentially the same issue as this thread. Should we combine them?

Just to add to the list of use cases: donation is another one where optional 'total' can be useful. PayPal currently has a flow where website simply adds a "donate" button. When user clicks on it, it takes them to a PayPal page where they can enter a custom amount. The web payments equivalent would be website creating a PaymentRequest without a total, then user completing the amount in the payment handler's UI.

@cyberphone: IIUC, Saturn [1] is about establishing an e2e encrypted channel between the merchant bank and the user bank without having to rely on intermediaries. It does so by attaching a merchant bank signed object in the PaymentRequest which the user bank can verify. Then user bank returns an encrypted payment credentials only the merchant bank can process. Is this roughly correct?

If so, I believe the optional total proposal here is orthogonal to Saturn because "total" is just another piece of information that the user bank (represented by the payment handler) sends back in the response. It can either be included in the encrypted blob in `PaymentResponse.details` or as plaint text outside. Either option has the same security property because "total" by itself is not enough to perpetrate an attack.

[1] https://cyberphone.github.io/doc/saturn/enhanced-four-corner-model.pdf

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-request/issues/879#issuecomment-530388239

Received on Wednesday, 11 September 2019 13:47:49 UTC