[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[taler-docs] 01/02: rewrite claim token details per CG feedback
From: |
gnunet |
Subject: |
[taler-docs] 01/02: rewrite claim token details per CG feedback |
Date: |
Fri, 12 Mar 2021 10:11:21 +0100 |
This is an automated email from the git hooks/post-receive script.
ttn pushed a commit to branch master
in repository docs.
commit 3bb8e8c374807cb245bbbceff68cbe94e4d6528d
Author: Thien-Thi Nguyen <ttn@gnuvola.org>
AuthorDate: Fri Mar 12 02:54:30 2021 -0500
rewrite claim token details per CG feedback
---
taler-mcig.rst | 24 +++++++-----------------
1 file changed, 7 insertions(+), 17 deletions(-)
diff --git a/taler-mcig.rst b/taler-mcig.rst
index 5c8f918..57ca4b1 100644
--- a/taler-mcig.rst
+++ b/taler-mcig.rst
@@ -190,27 +190,17 @@ are demonstrated in the next section.
**claim token**
The claim token is a sort of handle on the order and its payment.
- With it, the customer can access the fulfillment URI from a different
- device than the one where the wallet is installed.
- FIXME: that is not the point. The point is that even if the
- $ORDER_ID can be guessed, the claim token cannot. Thus, a
- merchant can prevent a third party from claiming an order
- (by guessing the order ID). Imagine selling concert tickets,
- and your order IDs are 1,2,3,4,5,. I could try to hijack other
- visitor's orders (before they have a chance to claim them),
- using a claim token prevents this.
+ It is useful when the order ID is easily guessable
+ (e.g. incrementing serial number),
+ to prevent one customer hijacking the order of another.
+ On the other hand, even if the order ID is not easily guessable,
+ if you don't care about order theft (e.g. infinite supply, digital goods)
+ and you wish to reduce the required processing (e.g. smaller QR code),
+ you can safely disable the claim token.
By default, Taler creates a claim token for each order.
To disable this, you can specify ``create_token`` to be ``false``
in :http:post:`[/instances/$INSTANCE]/private/orders`.
- => needs guideance as to when to do this, i.e. when
- there is no worry about people 'stealing' orders
- compiled by others, either because the order ID is
- high-entropy OR [[because there is an infinite supply
- and we are not concerned about order-theft attacks
- (say by a competitor trying to prevent legitimate
- customers from claiming their orders) AND want the
- QR code to get smaller / scan more easily.]]
**refund deadline**
The refund deadline specifies the time after which you will prohibit
--
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.