Open stpeter opened 6 years ago
BTW, these keys might not be large. Here is an example of an Elliptic Curve key (from RFC 7517):
{"kty":"EC",
 "crv":"P-256",
 "x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
 "y":"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
 "use":"enc",
 "kid":"1"}
We COULD define this to be a JWK, in which case a valid form is to simply provide a key id.
Then we can have a top-level data element that holds a keyset where the actual keys are defined once and assigned an id.
The example shows the responseEncryptionKey as part of the method data for a particular payment method:
If the merchant supports multiple payment methods using the same payment service provider, would the responseEncryptionKey be provided in each supportedMethods construct? That would lead to redundant data, but perhaps that is OK.
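The keyset-plus-key-id idea discussed in this thread, sketched as an added example that is not part of the original issue or of any specification. The top-level `keys` element, the `methodData` layout and the `psp.example` method identifiers are assumptions made for illustration; only `responseEncryptionKey`, `supportedMethods` and the RFC 7517 key come from the thread. It runs under Node.js.

```javascript
// Hypothetical request layout (constructed): the key is defined once in a
// top-level keyset and each payment method refers to it by kid.
const request = {
  keys: [{ kty: "EC", crv: "P-256",
           x: "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
           y: "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
           use: "enc", kid: "1" }],
  methodData: [
    { supportedMethods: "https://psp.example/card",
      data: { responseEncryptionKey: { kid: "1" } } },
    { supportedMethods: "https://psp.example/bank",
      data: { responseEncryptionKey: { kid: "1" } } },
  ],
};

// Decoded length of a base64url string, or -1 if it is not base64url.
// Node's "base64" decoder also accepts the URL-safe alphabet, unpadded.
const b64urlLen = (s) =>
  typeof s === "string" && /^[A-Za-z0-9_-]+$/.test(s)
    ? Buffer.from(s, "base64").length : -1;

// Accept only a public P-256 key that is usable for encryption.
function validateEcEncryptionJwk(jwk) {
  if (jwk.kty !== "EC" || jwk.crv !== "P-256") throw new Error("unsupported key type");
  if ("d" in jwk) throw new Error("private key material present");
  if (jwk.use !== undefined && jwk.use !== "enc") throw new Error("key not for encryption");
  if (b64urlLen(jwk.x) !== 32 || b64urlLen(jwk.y) !== 32) throw new Error("bad coordinate length");
  return jwk;
}

// Resolve a method's responseEncryptionKey: an inline JWK is validated
// directly, a bare { kid } must match exactly one key in the keyset.
function resolveResponseEncryptionKey(req, method) {
  const entry = req.methodData.find((m) => m.supportedMethods === method);
  if (!entry) throw new Error("unknown payment method");
  const ref = entry.data && entry.data.responseEncryptionKey;
  if (!ref) return null; // this method did not ask for an encrypted response
  if (ref.kty) return validateEcEncryptionJwk(ref);
  const matches = (req.keys || []).filter((k) => k.kid === ref.kid);
  if (typeof ref.kid !== "string" || matches.length !== 1) {
    throw new Error("kid must match exactly one key in the keyset");
  }
  return validateEcEncryptionJwk(matches[0]);
}
```

Requiring exactly one match means a duplicated or missing `kid` fails closed instead of silently picking a key.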