Re: [Uri-review] Review request for payto URI scheme, draft 01

Adrian Hope-Bailie <> Wed, 11 April 2018 16:39 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AFA661270AE for <>; Wed, 11 Apr 2018 09:39:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id RjVuhHnkDIMM for <>; Wed, 11 Apr 2018 09:39:18 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4003:c06::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id ABD78126DED for <>; Wed, 11 Apr 2018 09:39:18 -0700 (PDT)
Received: by with SMTP id 188-v6so2323523oih.8 for <>; Wed, 11 Apr 2018 09:39:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=xLBUGG5RfpVFWotcchyg6Qmty7s5zuhKeE9Pp2n26mc=; b=LWqxoqnYjuJFq1NfgheMh1H5chHSdcAT2F0mN50UfumMnFGyRnEZiP0oWh0nHrnCoq HqWvjQDfKVM+wDfDFANQS/f9RLNZnUIoIdMAQwPBwpKLBtQ8wgnoai0pKsU5cvixJe20 7jkbOE12s0Cb+4ECG1lq2nadm4EOGJcbP2EpU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=xLBUGG5RfpVFWotcchyg6Qmty7s5zuhKeE9Pp2n26mc=; b=bh5xHV11/C0orE39PCUADwa6vgbCXZNJ5wjEDZgJhpR843AJTZQED/S5X6kud8LB6R hUoFCKA1shykaNFyfjLycyjV5tsq6+WIG+NhP9B5FrJfFR+ErL34H4X/FNUBb8+Y8gJy SU4qPu3IPYKrjV8ThMsnlWQcMjmkkj8M62dAsysB9H0v7wB57qqUYOC2kwNTxJd9a6r1 VvxLT1I6lmcqBEB7Q0aAM9BHoPa2/nC1zOumrNr4vG5IBsMy4QoP6IS43eDVi40GgPZJ Ox/CCFhWxqBoGkni3t0ybE2n6CcRBqDlWi/tk9ywpvjtOMlE5BivP8X/NYokY781KCxu TtDw==
X-Gm-Message-State: ALQs6tA/WujZm1gcBJ/5XHWQ0WSdEQsKU62b2OGaVnol0VGylkCBmLEk UbMQaZF7KbBtlSiAyHjC+ZPeUl4b43kqxQk2jQa6Bg==
X-Google-Smtp-Source: AIpwx4+n4LHCWLMlPSEaokq572aY+79MuitWeD1H6MWStMYSwHyTSR6duDST9T+fl/50hTcCUzU57RviaSeoAjENbLY=
X-Received: by 2002:aca:5147:: with SMTP id f68-v6mr3229320oib.99.1523464757945; Wed, 11 Apr 2018 09:39:17 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Wed, 11 Apr 2018 09:39:17 -0700 (PDT)
In-Reply-To: <>
References: <> <> <>
From: Adrian Hope-Bailie <>
Date: Wed, 11 Apr 2018 09:39:17 -0700
Message-ID: <>
To: Florian Dold <>
Content-Type: multipart/alternative; boundary="000000000000b9be6c0569954731"
Archived-At: <>
Subject: Re: [Uri-review] Review request for payto URI scheme, draft 01
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Proposed URI Schemes <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 11 Apr 2018 16:39:22 -0000

This seems a very sensible idea to me. A few questions and comments:

How should userinfo and port data in the authority be interpreted in this
scheme? Are they allowed at all?
Would it not be more appropriate to have the method-specific account
identifier in the userinfo?
Example: payto://CH9300762011623852957@sepa/

I'd also like to see if we can align your concepts of payment method with
those being defined in the W3C Web Payments APIs such that there is a clear
mapping between the URI and the payment APIs.

This would make it possible to use these URIs as a declarative way of
invoking the API.

Clicking an element like <a href="payto://CH9300762011623852957@sepa/
?amount=EUR:10">Pay by SEPA transfer</a> would invoke the same browser
processing as calling the API from Javascript.

new PaymentRequest(
  [{supportedMethods: "sepa", data: {account: "CH9300762011623852957"}}],
  {total:{amount:{currency: "EUR", value: "10.00" }}},

Perhaps we can adopt the same payment method registry?

Finally, I'd like to make you aware of some related work we're doing in the
Interledger community.

1. Payment Pointers

These are intended to be the equivalent of email addresses for payment

I don't entirely agree with your analogy between payto and mailto which is
why we invented payment pointers.

Mailto was an after-thought and a way turn an existing identifier into a
URI form.
Email addresses on their own are very recognizable as such so the URI for
is only useful in machine-read contexts.

The purpose of payment pointers is to create a similar concept for payments.
I.e. An identifier that is simple to exchange and easily recognizable as,
a) not an email address and b) a pointer to a payment account.

That is not to say there is not a need for the payto URI but I don't think
the payto/mailto comparison is a good one or explains the purpose of payto

2. Interledger Addresses

I'd like to request that you add Interledger to your payment method
The authority would be an ILP Address as defined in:

On 11 April 2018 at 04:21, Florian Dold <>; wrote:

> On 4/11/2018 9:45 AM, Graham Klyne wrote:
> > I'm struggling to understand what this idea gains from being a URI (as
> > opposed to a string that happens to conform to URI syntax).
> >
> > Specifically, what resource is a payto: URI actually intended to
> > *identify*?
> It identifies a target for a payment (such as a bank account or a
> bitcoin wallet address) in a unified way.  The options in the URI
> specify further details for making a payment to that target.
> > And what protocol, if any, is it associated with?
> As I understand RFC7595, URIs do not have to be associated with a protocol.
> The application associated with a payto URI is typically a banking
> application (or an electronic wallet app) that allows to make payments
> to the target.
> Its use should not be restricted to the Web or "apps", it may also be
> used by financial back-end applications.  You could imagine a library
> that makes payments to targets identified by a payto URI, with different
> plugins handling different payment methods.
> > The idea of using the authority component of a URI to determine a
> > processing method seems rather strange to me (and, though here I must
> > defer to other experts, I'm not sure that browsers would be able to
> > respond appropriately to this:  I understand that the URI scheme itself
> > is more commonly used for selecting separate applications to be
> launched).
> There are already cases where browsers behave differently depending on
> the authority part of the URI.  It is common for apps on mobile
> platforms (such as Android) to register themselves as a handler for a
> domain.  If the user clicks a URI with a matching authority, the browser
> launches the associated app instead of navigating to the URI.
> It would not be an acceptable solution to register a separate URI for
> each payment system (such as sepa:, ach:, bitcoin:, paypal:, vemmo:,
> ...) because the URIs themselves would be very similar (modulo renaming
> and minor details), and more importantly it would be a big effort for
> applications each time a new payment scheme would be added.  I would
> want to be able to click on a payto URI in an electronic invoice that I
> received, but my email client or messenger should not have to add
> support for each new payment method that is defined.
> > The security considerations seem a bit thin to me, for something as
> > security critical as making payments.
> Do you have any suggestions for what's missing?  The most important
> aspect to me seems to be that no transaction is made until after the
> user can review the details and confirms the payment.  Other aspects are
> inherent to the specific payment system, and would be out of scope for
> this specification.
> > So here is a thought:  why is this URI scheme specific to making
> > payments?  Why not a generic scheme for invoking a local application,
> > with parameters, which might happen to be a payment app?  The question
> > here is mainly rhetorical, underscoring a dissonance with the web
> > architecture principle that a URI should be opaque with respect to the
> > type of resource that it references (cf.
> >  A URI scheme specifically
> > to identify payment-related resources seems at odds with this principle
> > (as opposed to a scheme that indicates how to obtain access to a
> > resource representation).
> Your concern about URI opacity seems to be specific to the Web and maybe
> even to HTTP, it is not something that applies to URIs in general.  I
> would, for example, expect that a geo: URI actually represents a
> geographic location as opposed to a video or spreadsheet.
> Just using a generic "app invocation URI" would not be acceptable for
> two reasons:  It raises security concerns, and it does not cover use
> cases unrelated to the Web or "apps".
> Best,
> Florian
> _______________________________________________
> Uri-review mailing list