w3c / webpayments-crypto

Crypto discussions of the Web Payments Working Group
https://github.com/w3c/webpayments-crypto/wiki

Where to communicate responseEncryptionKey #6

Open stpeter opened 6 years ago

stpeter commented 6 years ago

The example shows the responseEncryptionKey as part of the method data for a particular payment method:

supportedMethods: "https://example.com/bobpay",
data: {
  [...method data...],
  dataSecurity: {
    responseEncryptionKey: {...}
  }
}

If the merchant supports multiple payment methods using the same payment service provider, would the responseEncryptionKey be provided in each supportedMethods construct? That would lead to redundant data, but perhaps that is OK.

stpeter commented 6 years ago

BTW, these keys might not be large. Here is an example of an Elliptic Curve key (from RFC 7517):

     {"kty":"EC",
      "crv":"P-256",
      "x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
      "y":"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
      "use":"enc",
      "kid":"1"}

adrianhopebailie commented 6 years ago

We COULD define this to be a JWK, in which case a valid form is to simply provide a key id.

Then we can have a top-level data element that holds a keyset where the actual keys are defined once and assigned an id.
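
An added example, not part of the thread or of any Web Payments specification: one way the key-id indirection suggested above could be resolved and checked before encrypting a response. It assumes a hypothetical top-level key set in JWK Set layout (a `keys` array); the second method URL and all function names are constructed for illustration.

```javascript
// Constructed sample: the public EC JWK from the RFC 7517 example quoted in the thread,
// placed in a hypothetical top-level key set (JWK Set layout, "keys" array).
const sampleKeySet = { keys: [{
  kty: "EC", crv: "P-256", use: "enc", kid: "1",
  x: "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
  y: "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
}] };

// Constructed sample: two methods of one provider reference the same key by id.
const sampleMethodData = [
  { supportedMethods: "https://example.com/bobpay",
    data: { dataSecurity: { responseEncryptionKey: { kid: "1" } } } },
  { supportedMethods: "https://example.com/bobpay-credit", // constructed URL
    data: { dataSecurity: { responseEncryptionKey: { kid: "1" } } } },
];

// Accept only public keys meant for encryption. "d" is the private member of
// EC, RSA and OKP JWKs; "oct" keys are symmetric secrets.
function checkPublicEncKey(jwk) {
  if ("d" in jwk || jwk.kty === "oct") throw new Error("secret key material in JWK");
  if (jwk.use !== undefined && jwk.use !== "enc") throw new Error("JWK is not an encryption key");
  return jwk;
}

// Index the key set by kid so each key is defined once; ambiguous ids are rejected.
function indexKeySet(keySet) {
  const byKid = new Map();
  for (const jwk of keySet.keys) {
    if (typeof jwk.kid !== "string" || jwk.kid === "") throw new Error("key without kid");
    if (byKid.has(jwk.kid)) throw new Error(`duplicate kid: ${jwk.kid}`);
    byKid.set(jwk.kid, checkPublicEncKey(jwk));
  }
  return byKid;
}

// Resolve every method's responseEncryptionKey: a bare { kid } is looked up in
// the key set, a full inline JWK (has "kty") is checked and used directly.
function resolveResponseKeys(methodData, keySet) {
  const byKid = indexKeySet(keySet);
  const resolved = new Map();
  for (const method of methodData) {
    const ref = method.data?.dataSecurity?.responseEncryptionKey;
    if (!ref) continue; // no encrypted response requested for this method
    const jwk = ref.kty ? checkPublicEncKey(ref) : byKid.get(ref.kid);
    if (!jwk) throw new Error(`${method.supportedMethods}: unknown kid ${ref.kid}`);
    resolved.set(method.supportedMethods, jwk);
  }
  return resolved;
}
```

An unknown or duplicated `kid` fails closed here, so a response is never encrypted to a key the merchant did not unambiguously declare.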