Author: Mike Hearn 2013-04-25 10:52:33
Published on: 2013-04-25T10:52:33+00:00
The author argues that there is no payment request signing key that is safer than an SSL key. While it may be possible to use an offline intermediate cert for both SSL and payment request signing, no certificate authorities (CAs) will issue such certificates. Even if possible, this setup would not work for most merchants. For EV certs, an offline restricted intermediate cert might make more sense, but this is still not possible with current CA policies. Without this option, if a web server is compromised, the attacker can issue themselves a new cert and sign as the legitimate site until the certificate expires, unless wallets are checking revocation lists.
Updated on: 2023-06-06T15:36:58.122092+00:00