w3c / webpayments-crypto

Crypto discussions of the Web Payments Working Group
https://github.com/w3c/webpayments-crypto/wiki

Partial vs. full encryption of response data #7

Open stpeter opened 6 years ago

stpeter commented 6 years ago

It seems that we're envisioning partial encryption of response data: "Each payment method defines which response fields are not sensitive. Those fields are returned in the response along with the encryption of the full response." Is there a good reason to include both encryptedData and plainData? Why not encrypt the entire response? What are the use cases behind this suggestion? Do entities in the middle (say, the merchant or a PSP if the response is going to an issuer or other entity) need access to some of the response fields?

adrianhopebailie commented 6 years ago

Plain data is required for display purposes or for tracking where, for example, the payment is being processed by a third party but the merchant wants access to some data like a tx id.

I do think we should make this simpler though. I think that the way this is done in the tokenization spec is best, i.e. define two schemas: a clear-text schema which contains unencrypted data (at least one data element is the encrypted data in the form of a JWT) and a data schema for the data that is encrypted inside the JWT.

See my proposal in #13
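Added example, not part of this thread or of the proposal in #13: a Node.js sketch of the two-schema layout discussed above, where a clear-text object carries the non-sensitive fields plus one element holding the encryption of the full response as a compact JWE (`dir` / `A256GCM`). The field names (`txId`, `displayLast4`, `encryptedData`), the sample values and the shared symmetric key are assumptions made for illustration; the key holder also compares the plain copies with the decrypted values, because the plain copies sit outside the authenticated ciphertext.

```javascript
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

const b64u = (buf) => Buffer.from(buf).toString('base64url');

// Constructed sample data and key (illustrative only, not from the spec).
const SAMPLE_KEY = Buffer.alloc(32, 7);
const SAMPLE_FULL = { txId: 'tx-0001', displayLast4: '1111',
                      cardNumber: '4111111111111111', cvv: '123' };

// Data schema: the full response, encrypted as a compact JWE.
function encryptJwe(payload, key) {
  const header = b64u(JSON.stringify({ alg: 'dir', enc: 'A256GCM' }));
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(header, 'ascii')); // JWE AAD = encoded protected header
  const ct = Buffer.concat([cipher.update(JSON.stringify(payload), 'utf8'), cipher.final()]);
  // "dir" has no wrapped key, so the second segment is empty.
  return [header, '', b64u(iv), b64u(ct), b64u(cipher.getAuthTag())].join('.');
}

function decryptJwe(token, key) {
  const [header, , iv, ct, tag] = token.split('.');
  const decipher = createDecipheriv('aes-256-gcm', key, Buffer.from(iv, 'base64url'));
  decipher.setAAD(Buffer.from(header, 'ascii'));
  decipher.setAuthTag(Buffer.from(tag, 'base64url'));
  // final() throws if the header, ciphertext or tag was modified.
  const pt = Buffer.concat([decipher.update(Buffer.from(ct, 'base64url')), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Clear-text schema: selected plain fields plus the encrypted element.
function buildResponse(full, plainFields, key) {
  const clear = {};
  for (const f of plainFields) clear[f] = full[f];
  clear.encryptedData = encryptJwe(full, key);
  return clear;
}

// Key holder: decrypt, then list plain fields that disagree with the
// authenticated values (an intermediary could have altered them).
function verifyResponse(response, key) {
  const full = decryptJwe(response.encryptedData, key);
  const mismatched = Object.keys(response)
    .filter((f) => f !== 'encryptedData' && response[f] !== full[f]);
  return { full, mismatched };
}
```

A party without the key can read `txId` and `displayLast4` directly from the object returned by `buildResponse`, while only the key holder can call `verifyResponse`.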