-
Notifications
You must be signed in to change notification settings - Fork 183
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How are digital signatures supported for Payment Requests? #291
Comments
Document SignaturesThe Web Payments CG specs addressed this issue by digitally signing the entire Payment Request, which would look something like this if we were to use Linked Data Signatures:
and it would look like this if we were to use JWTs (SHA256 + RSA signature):
The problem that is introduced by the design of the Payment Request API is that we only want to forward the payment method to the payment app that has been selected by the user. The simplest form of signature is what has been provided above, but because of the requirement to not share all supported payment methods, we end up in search of something more complex (as I'll demonstrate in the next comment in this threads). One thing we could do is re-visit the decision to not share all supported payment methods w/ the payment app. If we can't find a compelling reason to only forward the pertinent payment app data (other than message size), then we may want to remove that requirement on the PaymentRequest API. |
@msporny wrote "If we can't find a compelling reason to only forward the pertinent payment app data (other than message size)..." In addition to those efficiency questions (the payment app will ignore most data it receives otherwise, which is an inefficient use of time and bandwidth), privacy was cited - sharing more data (from the merchant) than needed to handle the payment. Ian |
Constructed SignaturesIf the group desires to only forward the selected payment method information to the payment app, then a new signature construction algorithm will need to be defined which follows the basic algorithm below: For each payment method
This will result in a payment methods array that looks like the following if using Linked Data Signatures:
or the following if using JWTs:
Note that in the case of the JWT above, all data is duplicated and no data outside of the base64 encoded blob of information should be used. In addition, all data is duplicated N times for every payment method in the array of payment methods. So, if a merchant has 32 payment methods that they accept, the data will be duplicated 32 times (this isn't the case for the Linked Data Signatures approach). |
@ianbjacobs wrote:
So, I'm hearing the decision was made due to:
I'm not taking a position on this yet because we're talking about a fairly complex trade-off, but pushing back on those points above a bit: Regarding inefficient use of time - perhaps we should have some timing statistics to see how much time we're talking about. I expect that it will be on the order of a few hundred microseconds at most since the Payment Request communication channel is web page to web page. Page bloat is at least 2MB at present: https://gigaom.com/2014/12/29/the-overweight-web-average-web-page-size-is-up-15-in-2014/ so even if it's shoved down an HTTP pipeline, I can't imagine it being more than a few milliseconds (a tiny fraction of page load time). I don't find this argument compelling. Regarding inefficient use of bandwidth - the biggest contributor to the bandwidth is the array of payment methods which are a couple of hundred bytes in all the cases we've seen. Again, a few hundred microseconds at most since the Payment Request communication channel is page to page. I know WorldPay has stated that they support 200+ payment methods, but do those boil down to mostly cards? The question is, what's the largest array of payment methods we're expecting and how many transactions are going to use that largest array? If we multiply the example in the spec by 10x, we get around 1.8KB for the payment method array. That doesn't seem like a waste of bandwidth. Multiplying it to 200x gives us 36.6Kb, which is much larger, but certainly a drop in the bucket compared to what the rest of the page is using. I'm not convinced by the inefficient use of bandwidth argument. Regarding the privacy argument - the assumption is that the merchant doesn't want to advertise all of the payment methods that they support to payment apps. I find this argument the most compelling, but don't fully understand how we're protecting this information from being leaked. For example, (in 80+% of cases) can't anyone come to the merchants website and execute a payment request and then cancel it? In that scenario, one can find out the payment methods that the merchant supports even with the "protections" we've built in. The only time the merchant is protected against this "privacy violation" is when the transaction is such that the payment app provider can't get access to the merchant website to execute a payment request. Do merchants really care about this form of privacy? Do they understand that we can't really protect them against this privacy violation unless they put access control of some kind in front of their Buy button? So, I think there is a very thin "privacy protection" argument for only forwarding payment app specific payment method information to the payment app. If that argument holds, then we're going to have to create an entirely new type of algorithm for digitally signing and verifying payment requests. |
I also recall that we said that payees could verify data upon receipt of the payment response. For what use cases does that not suffice? Ian |
Which data are you talking about? Digital signatures are a solution for use cases where the merchant isn't immediately in the loop (e.g. execution of a Digital Offer from a search results page) or where the payer wants assurance that the push payment method they are about to use will send the proper amount of money to the proper party (in return for the proper goods/services). In these scenarios, payee verification of information after the fact will not protect users and will lead to undue liability on the merchant end. |
It does not suffice for at least the 3 scenarios listed at the top of this issue:
In this scenario, the payment app would like to make sure that the amount is correct before executing the payment. This is even more important for any sort of push-based payment.
How can a payment app ensure that a payment request published on a merchant website, indexed by a search crawler, and executed by a customer to a has not been tampered with before the payment request got to the payment app?
The business requirement here is on the payment app to collect something equivalent to a "proof of invoice", not the merchant. So, in each one of these cases, the payee checking the result doesn't achieve the desired results of the use case. |
What's the motivation to sign the whole request and not just provide the signature in the payment method specific data? i.e. For payment methods that support signatures |
Signing the whole request is simpler in at least these ways:
There are some downsides:
There are two options as far as I can see wrt. digital signatures on payment requests (there may be more):
|
Another way to phrase this question is "What is the information that needs to be digitally signed?" The assertion is that there are some scenarios (like the ones mentioned above) where you'd want to digitally sign the payment items, the payment options, and the payment method data. In the very least, we'll want to sign the payment method data. If that's the only requirement, then the solution is fairly easy. Unfortunately, that means that we definitely wouldn't be signing the payment details, which means none of the products or totals/discounts are digitally signed (which doesn't address a number of the use cases). If we are able to sign everything (like the WPCG spec supported), then we don't have to keep coming up with piece meal solutions every time we find out that we need to sign something else. The entire message is protected instead of developers having to understand what parts of the message are protected and what parts are not. Again, I'm not taking a position on this. I'm just outlining the options available to us and noting that none of them seem to be easy decisions based on the series of design decisions that have gone into the Payment Request API. |
No, I think it's possible for each payment method to define a signature mechanism that also specifies what information needs to be signed. Different payment systems are going to have different requirements for the digital signatures and so the data that is signed for each payment method is likely to be different (and the algorithm used etc). I would class signatures in the same category as callbacks. They will likely be used by a lot of payment methods but it's not clear that we should try to standardize them at the top-level yet. |
Yes, but we're making a decision where we may never be able to standardize a good design at the top-level due to the way the PaymentRequest constructor is currently designed. I agree that we may not want to standardize the top-level yet, but we're specifically making a decision where we cannot easily standardize it at the top-level later on. If someone can produce a well designed strategy for standardizing at the top level later on, that would go a long way to alleviating my concerns around digital signatures and this API. |
I don't follow this logic. If the change that is required later is the addition of a new constructor parameter then that can be done easily without breaking the API. It will simply be added as an optional parameter. |
I'm sure people can debate to death how Merchant signatures should be introduced and formatted. However, a bigger problem is how you create scalable trust infrastructures, because without such, Merchant signatures are merely "decoration" :-) |
Given the work happening in tokenized payments, I'm closing this so discussions can happen there. |
I had a brief chat with @rsolomakhin about digital signature support for the Payment Request API.
To recap, here's the use case:
The merchant (and the payment app) desire that the payment request is digitally signed so that they may be certain that it has not been tampered with in transit.
There are a number of scenarios where a digital signature on a payment request is desirable:
To be clear, this issue isn't requesting that digital signatures are implemented in the Payment Request API. The request is to demonstrate that the Payment Request API is capable of supporting digital signatures in a way that is not onerous to Web developers.
The text was updated successfully, but these errors were encountered: