invoice-canister
[SEC-F22] Potentially sensitive invoice details are stored in plain text on the canister
Observation
Invoice content is usually private information (what did I order, how much, etc.)
Risk description
Every node can see the data (independent of permissions), since it is stored in plain text.
Recommendations
- This should be documented.
- The data could be encrypted for the buyer.
Until threshold key derivation is available, does anyone have an idea if there is a way to resolve this in the meantime?
Otherwise, afaict the data has to be encrypted before entering the canister, which puts handling this outside of the canister's scope. Anticipating this, however, there could be an opt field designating the buyer's principal in the invoice's type (or a dedicated field in the metadata); that way, integrating encryption could be simpler. Although I'm not sure how often a buyer is actually going to be accessing the invoice canister directly, since the invoice creator would presumably be the one actually processing the invoices; if future work incorporates transfer notify functionality, that would make more sense for integrating buyer information for direct access (and even without it, a buyer could request that an invoice be verified, and the result could be released if they are on the already created read permission).
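The client-side pattern the reply describes (encrypt the details for the buyer before the invoice enters the canister, and store the buyer's identity next to the ciphertext), as an added example that is not part of the invoice-canister project or this thread. It models the buyer field as a P-256 public key rather than an IC principal and uses ECDH plus AES-GCM from Go's standard library; the Invoice type, its field names and the key-derivation step are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Invoice as the canister would store it: a constructed model of the suggested shape, not the project's own type.
type Invoice struct {
	Buyer     []byte // buyer's P-256 public key, standing in for the opt buyer field
	SenderPub []byte // creator's ephemeral ECDH public key, needed by the buyer to decrypt
	Sealed    []byte // nonce || AES-256-GCM ciphertext of the private details
}

// aeadFor derives AES-256-GCM from an ECDH agreement; hashing the shared secret with SHA-256 is an assumption (stdlib only).
func aeadFor(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	secret, err := priv.ECDH(pub)
	if err != nil { return nil, err }
	key := sha256.Sum256(secret)
	block, err := aes.NewCipher(key[:])
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// SealForBuyer runs on the creator's client before the invoice enters the canister.
func SealForBuyer(details []byte, buyerPub *ecdh.PublicKey) (Invoice, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { return Invoice{}, err }
	aead, err := aeadFor(eph, buyerPub)
	if err != nil { return Invoice{}, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return Invoice{}, err }
	// The buyer's key is authenticated data, so the ciphertext is bound to this buyer.
	sealed := aead.Seal(nonce, nonce, details, buyerPub.Bytes())
	return Invoice{Buyer: buyerPub.Bytes(), SenderPub: eph.PublicKey().Bytes(), Sealed: sealed}, nil
}

// OpenAsBuyer is what only the holder of the buyer's private key can do with the stored record.
func OpenAsBuyer(inv Invoice, buyerPriv *ecdh.PrivateKey) ([]byte, error) {
	senderPub, err := ecdh.P256().NewPublicKey(inv.SenderPub)
	if err != nil { return nil, err }
	aead, err := aeadFor(buyerPriv, senderPub)
	if err != nil { return nil, err }
	n := aead.NonceSize()
	if len(inv.Sealed) < n { return nil, errors.New("sealed blob too short") }
	return aead.Open(nil, inv.Sealed[:n], inv.Sealed[n:], inv.Buyer)
}
```

Nodes holding the record see only the buyer key, an ephemeral public key and ciphertext; the creator needs no long-term encryption key, and the GCM tag rejects any modification of the stored blob.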