stpeter
commented
6 years ago A good reference would be Recommendation for Key Management, NIST Special Publication 800-57 Part 1 Revision 4, Section 5.6.
Open ianbjacobs opened 6 years ago
stpeter
commented
6 years ago A good reference would be Recommendation for Key Management, NIST Special Publication 800-57 Part 1 Revision 4, Section 5.6.
stpeter
commented
6 years ago More detailed thoughts on this:
First, we don't specify a recommended or mandatory-to-implement key types. Do we only support public-private key pairs? Do we also allow symmetric keys? The text "only the party who has the corresponding private key (e.g., the gateway) can decrypt the response" might indicate that we're only supporting public-private key pairs (which would be fine with me).
Second, with public keys we should make it clear exactly what forms of key we recommend or require (e.g., Elliptic Curve keys with the P-256 curve). Are we expecting each payment method to define these matters? It seems safer to make a strong recommendation or mandatory-to-implement statement in this "core" encryption spec.
ianbjacobs
commented
6 years ago Here is a concrete proposal from @MasterKeyur: https://github.com/w3c/webpayments-crypto/blob/master/payment-encryption.md
It does not yet explicitly address requirements on keys.
Ian
Creating an individual issue from the list in #26 in reference to a previous review by @stpeter of https://github.com/w3c/webpayments-methods-tokenization/wiki/Tokenized-Card
"What public key formats are acceptable, any requirements around key length (etc.), and so on. It seems that some constraints would help us ensure interoperability."
Since the tokenization proposal seems to have a dependency on encryption; we are moving the issue here.
Ian