IETF Logo Mail Archive

Re: [Uri-review] Review request for payto URI scheme, draft 01

Graham Klyne <gk@ninebynine.org> Wed, 11 April 2018 07:45 UTC

Return-Path: <gk@ninebynine.org>
X-Original-To: uri-review@ietfa.amsl.com
Delivered-To: uri-review@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 886071270FC for <uri-review@ietfa.amsl.com>; Wed, 11 Apr 2018 00:45:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mi8OTmEfegCV for <uri-review@ietfa.amsl.com>; Wed, 11 Apr 2018 00:45:07 -0700 (PDT)
Received: from relay11.mail.ox.ac.uk (relay11.mail.ox.ac.uk [129.67.1.162]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 723E6124235 for <uri-review@ietf.org>; Wed, 11 Apr 2018 00:45:07 -0700 (PDT)
Received: from smtp5.mail.ox.ac.uk ([163.1.2.207]) by relay11.mail.ox.ac.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <gk@ninebynine.org>) id 1f6ARF-0002YN-bB for uri-review@ietf.org; Wed, 11 Apr 2018 08:45:05 +0100
Received: from gklyne38.plus.com ([81.174.129.24] helo=conina.atuin.ninebynine.org) by smtp5.mail.ox.ac.uk with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.89) (envelope-from <gk@ninebynine.org>) id 1f6ARF-0000i4-Gx for uri-review@ietf.org; Wed, 11 Apr 2018 08:45:05 +0100
Message-ID: <5ACDBCFE.4030706@ninebynine.org>
Date: Wed, 11 Apr 2018 08:45:02 +0100
From: Graham Klyne <gk@ninebynine.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: uri-review@ietf.org
References: <496f8300-4df8-2ca9-751b-e7b481203175@inria.fr>
In-Reply-To: <496f8300-4df8-2ca9-751b-e7b481203175@inria.fr>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Oxford-Username: zool0635
X-Oxmail-Spam-Status: score=0.0 tests=none
X-Oxmail-Spam-Level: /
Archived-At: <https://mailarchive.ietf.org/arch/msg/uri-review/ykQ3FHvaPfVZmDFRRYqluxdVQAk>
Subject: Re: [Uri-review] Review request for payto URI scheme, draft 01
X-BeenThere: uri-review@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Proposed URI Schemes <uri-review.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uri-review>, <mailto:uri-review-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uri-review/>
List-Post: <mailto:uri-review@ietf.org>
List-Help: <mailto:uri-review-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uri-review>, <mailto:uri-review-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Apr 2018 07:45:09 -0000

I'm struggling to understand what this idea gains from being a URI (as opposed 
to a string that happens to conform to URI syntax).

Specifically, what resource is a payto: URI actually intended to *identify*?

And what protocol, if any, is it associated with?

(Concerning the comparison with mailto: I have similar concerns with mailto:, 
but history.  But at least it's generally clear how a mailto: URI should be 
processed when dereferenced (e.g, clicked on in a browser); I can rationalize 
mailto: to myself by considering that it identifies an Internet email 
composition resource, in a similar way that http: URIs can be used to represent 
web forms.)

The idea of using the authority component of a URI to determine a processing 
method seems rather strange to me (and, though here I must defer to other 
experts, I'm not sure that browsers would be able to respond appropriately to 
this:  I understand that the URI scheme itself is more commonly used for 
selecting separate applications to be launched).

The security considerations seem a bit thin to me, for something as security 
critical as making payments.

So here is a thought:  why is this URI scheme specific to making payments?  Why 
not a generic scheme for invoking a local application, with parameters, which 
might happen to be a payment app?  The question here is mainly rhetorical, 
underscoring a dissonance with the web architecture principle that a URI should 
be opaque with respect to the type of resource that it references (cf. 
http://www.w3.org/TR/webarch/#uri-opacity).  A URI scheme specifically to 
identify payment-related resources seems at odds with this principle (as opposed 
to a scheme that indicates how to obtain access to a resource representation).

#g
--


On 10/04/2018 23:44, Florian Dold wrote:
> Dear all,
>
> I've submitted a new version of the payto URI scheme draft.
>
> https://datatracker.ietf.org/doc/draft-dold-payto/
>
> The goal of payto:// is to designate payment methods, similar in spirit
> to how one would designate electronic mail addresses with the mailto URI
> scheme.
>
> Here are the responses and major changes from feedback to the previous
> draft that was posted here for review quite some time ago:
>
> Thanks to a suggestion from Eric Wilde, payment methods are now to be
> managed in an IANA registry instead of a fixed list within the
> specification.
>
> I do not think that currency and amount should be specified in a
> separate option.  Separating them would make it look like a payto URI
> which only specifies the "amount" option but not the "currency" option
> is meaningful.  Since many payment systems support multiple currencies,
> the notion of wanting to pay "100" without a currency to some account
> creates ambiguity and can be confusing.  One might argue though that
> it's possible to require a "currency" option to be present if an
> "amount" is specified, which simplifies parsing for consumers of these
> URIs, but this also makes them longer and arguably less readable.  I'd
> appreciate more feedback here.
>
> David Nicol asked a while back on this list whether we should support
> multiple currencies or even a notion of shopping carts.  Since payto://
> is intended to address existing payment methods, it is unlikely that
> these concepts translate well to them.  Thus I think that the
> specification should address the lowest common denominator of payment
> systems.  That is also the reason for having a free form "message" field
> (intended to be read by humans) that might be changed (encoding / letter
> substitution, upper/lower case) and a more limited "instruction" field
> that must be preserved verbatim.  These kinds of limitations are common.
>
> These higher level aspects of payments (related to cart management,
> shipping addresses, payment method selection and so on) are also already
> being addressed by other standards, such as the W3C's Web Payment
> Working group.
>
> Best regards,
> Florian
>
> _______________________________________________
> Uri-review mailing list
> Uri-review@ietf.org
> https://www.ietf.org/mailman/listinfo/uri-review
>

v2.23.0 | Report a Bug | By Email