Author: Aaron Voisine 2014-09-12 18:43:32
Published on: 2014-09-12T18:43:32+00:00
The discussion is about whether or not signed payment requests should be from the same domain and require https as per BIP72. If the request object is signed by the owner of the domain, then the worst an attacker who doesn't have the signing key can do is replace the request with another validly signed request intended for someone else. Aaron Voisine suggests an approach that adds another marker param like &s to the end of the URL and another field to PaymentRequest that contains an ECC signature calculated using the public key that hashes to the address in the URI. Upgraded wallets look for the additional param and if it's there, expect to find the PaymentDetails signed with the address key. PKI signing of course is still useful to provide an actual identity for receipts, display on hardware wallets, dispute mediation etc. He also asks if signed payment requests be from the same domain and also require https as per BIP72.
Updated on: 2023-06-09T02:30:23.603802+00:00