Re: [Uri-review] Review request for payto URI scheme, draft 01
Graham Klyne <gk@ninebynine.org> Wed, 11 April 2018 07:45 UTC
Return-Path: <gk@ninebynine.org>
X-Original-To: uri-review@ietfa.amsl.com
Delivered-To: uri-review@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 886071270FC for <uri-review@ietfa.amsl.com>; Wed, 11 Apr 2018 00:45:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mi8OTmEfegCV for <uri-review@ietfa.amsl.com>; Wed, 11 Apr 2018 00:45:07 -0700 (PDT)
Received: from relay11.mail.ox.ac.uk (relay11.mail.ox.ac.uk [129.67.1.162]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 723E6124235 for <uri-review@ietf.org>; Wed, 11 Apr 2018 00:45:07 -0700 (PDT)
Received: from smtp5.mail.ox.ac.uk ([163.1.2.207]) by relay11.mail.ox.ac.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <gk@ninebynine.org>) id 1f6ARF-0002YN-bB for uri-review@ietf.org; Wed, 11 Apr 2018 08:45:05 +0100
Received: from gklyne38.plus.com ([81.174.129.24] helo=conina.atuin.ninebynine.org) by smtp5.mail.ox.ac.uk with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.89) (envelope-from <gk@ninebynine.org>) id 1f6ARF-0000i4-Gx for uri-review@ietf.org; Wed, 11 Apr 2018 08:45:05 +0100
Message-ID: <5ACDBCFE.4030706@ninebynine.org>
Date: Wed, 11 Apr 2018 08:45:02 +0100
From: Graham Klyne <gk@ninebynine.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: uri-review@ietf.org
References: <496f8300-4df8-2ca9-751b-e7b481203175@inria.fr>
In-Reply-To: <496f8300-4df8-2ca9-751b-e7b481203175@inria.fr>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Oxford-Username: zool0635
X-Oxmail-Spam-Status: score=0.0 tests=none
X-Oxmail-Spam-Level: /
Archived-At: <https://mailarchive.ietf.org/arch/msg/uri-review/ykQ3FHvaPfVZmDFRRYqluxdVQAk>
Subject: Re: [Uri-review] Review request for payto URI scheme, draft 01
X-BeenThere: uri-review@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Proposed URI Schemes <uri-review.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uri-review>, <mailto:uri-review-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uri-review/>
List-Post: <mailto:uri-review@ietf.org>
List-Help: <mailto:uri-review-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uri-review>, <mailto:uri-review-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Apr 2018 07:45:09 -0000
I'm struggling to understand what this idea gains from being a URI (as opposed to a string that happens to conform to URI syntax). Specifically, what resource is a payto: URI actually intended to *identify*? And what protocol, if any, is it associated with? (Concerning the comparison with mailto: I have similar concerns with mailto:, but history. But at least it's generally clear how a mailto: URI should be processed when dereferenced (e.g, clicked on in a browser); I can rationalize mailto: to myself by considering that it identifies an Internet email composition resource, in a similar way that http: URIs can be used to represent web forms.) The idea of using the authority component of a URI to determine a processing method seems rather strange to me (and, though here I must defer to other experts, I'm not sure that browsers would be able to respond appropriately to this: I understand that the URI scheme itself is more commonly used for selecting separate applications to be launched). The security considerations seem a bit thin to me, for something as security critical as making payments. So here is a thought: why is this URI scheme specific to making payments? Why not a generic scheme for invoking a local application, with parameters, which might happen to be a payment app? The question here is mainly rhetorical, underscoring a dissonance with the web architecture principle that a URI should be opaque with respect to the type of resource that it references (cf. http://www.w3.org/TR/webarch/#uri-opacity). A URI scheme specifically to identify payment-related resources seems at odds with this principle (as opposed to a scheme that indicates how to obtain access to a resource representation). #g -- On 10/04/2018 23:44, Florian Dold wrote: > Dear all, > > I've submitted a new version of the payto URI scheme draft. > > https://datatracker.ietf.org/doc/draft-dold-payto/ > > The goal of payto:// is to designate payment methods, similar in spirit > to how one would designate electronic mail addresses with the mailto URI > scheme. > > Here are the responses and major changes from feedback to the previous > draft that was posted here for review quite some time ago: > > Thanks to a suggestion from Eric Wilde, payment methods are now to be > managed in an IANA registry instead of a fixed list within the > specification. > > I do not think that currency and amount should be specified in a > separate option. Separating them would make it look like a payto URI > which only specifies the "amount" option but not the "currency" option > is meaningful. Since many payment systems support multiple currencies, > the notion of wanting to pay "100" without a currency to some account > creates ambiguity and can be confusing. One might argue though that > it's possible to require a "currency" option to be present if an > "amount" is specified, which simplifies parsing for consumers of these > URIs, but this also makes them longer and arguably less readable. I'd > appreciate more feedback here. > > David Nicol asked a while back on this list whether we should support > multiple currencies or even a notion of shopping carts. Since payto:// > is intended to address existing payment methods, it is unlikely that > these concepts translate well to them. Thus I think that the > specification should address the lowest common denominator of payment > systems. That is also the reason for having a free form "message" field > (intended to be read by humans) that might be changed (encoding / letter > substitution, upper/lower case) and a more limited "instruction" field > that must be preserved verbatim. These kinds of limitations are common. > > These higher level aspects of payments (related to cart management, > shipping addresses, payment method selection and so on) are also already > being addressed by other standards, such as the W3C's Web Payment > Working group. > > Best regards, > Florian > > _______________________________________________ > Uri-review mailing list > Uri-review@ietf.org > https://www.ietf.org/mailman/listinfo/uri-review >
- [Uri-review] Review request for payto URI scheme,… Florian Dold
- Re: [Uri-review] Review request for payto URI sch… Graham Klyne
- Re: [Uri-review] Review request for payto URI sch… Florian Dold
- Re: [Uri-review] Review request for payto URI sch… Adrian Hope-Bailie
- Re: [Uri-review] Review request for payto URI sch… Larry Masinter
- Re: [Uri-review] Review request for payto URI sch… Florian Dold
- Re: [Uri-review] Review request for payto URI sch… Florian Dold
- Re: [Uri-review] Review request for payto URI sch… Graham Klyne
- Re: [Uri-review] Review request for payto URI sch… Florian Dold
- Re: [Uri-review] Review request for payto URI sch… Larry Masinter
- Re: [Uri-review] Review request for payto URI sch… Larry Masinter
- Re: [Uri-review] Review request for payto URI sch… Florian Dold
- Re: [Uri-review] Review request for payto URI sch… Larry Masinter
- Re: [Uri-review] Review request for payto URI sch… Florian Dold
- Re: [Uri-review] Review request for payto URI sch… Larry Masinter
- Re: [Uri-review] Review request for payto URI sch… Florian Dold