gnunet-svn
[taler-docs] 01/02: rewrite claim token details per CG feedback


From: gnunet
Subject: [taler-docs] 01/02: rewrite claim token details per CG feedback
Date: Fri, 12 Mar 2021 10:11:21 +0100

This is an automated email from the git hooks/post-receive script.

ttn pushed a commit to branch master
in repository docs.

commit 3bb8e8c374807cb245bbbceff68cbe94e4d6528d
Author: Thien-Thi Nguyen <ttn@gnuvola.org>
AuthorDate: Fri Mar 12 02:54:30 2021 -0500

    rewrite claim token details per CG feedback
---
 taler-mcig.rst | 24 +++++++-----------------
 1 file changed, 7 insertions(+), 17 deletions(-)

diff --git a/taler-mcig.rst b/taler-mcig.rst
index 5c8f918..57ca4b1 100644
--- a/taler-mcig.rst
+++ b/taler-mcig.rst
@@ -190,27 +190,17 @@ are demonstrated in the next section.
 
 **claim token**
   The claim token is a sort of handle on the order and its payment.
-  With it, the customer can access the fulfillment URI from a different
-  device than the one where the wallet is installed.
-  FIXME: that is not the point. The point is that even if the
-  $ORDER_ID can be guessed, the claim token cannot. Thus, a
-  merchant can prevent a third party from claiming an order
-  (by guessing the order ID). Imagine selling concert tickets,
-  and your order IDs are 1,2,3,4,5,. I could try to hijack other
-  visitor's orders (before they have a chance to claim them),
-  using a claim token prevents this.
+  It is useful when the order ID is easily guessable
+  (e.g. incrementing serial number),
+  to prevent one customer hijacking the order of another.
+  On the other hand, even if the order ID is not easily guessable,
+  if you don't care about order theft (e.g. infinite supply, digital goods)
+  and you wish to reduce the required processing (e.g. smaller QR code),
+  you can safely disable the claim token.
 
   By default, Taler creates a claim token for each order.
   To disable this, you can specify ``create_token`` to be ``false``
   in :http:post:`[/instances/$INSTANCE]/private/orders`.
-  => needs guideance as to when to do this, i.e. when
-     there is no worry about people 'stealing' orders
-     compiled by others, either because the order ID is
-     high-entropy OR [[because there is an infinite supply
-     and we are not concerned about order-theft attacks
-     (say by a competitor trying to prevent legitimate
-      customers from claiming their orders) AND want the
-     QR code to get smaller / scan more easily.]]
 
 **refund deadline**
   The refund deadline specifies the time after which you will prohibit
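
Review bot: The condition in the added line "On the other hand, even if the order ID is not easily guessable," reads as inverted. Hijacking by guessing is only possible when the order ID is guessable, so the case that needs the "you don't care about order theft" justification is the guessable one; "even if the order ID is easily guessable" would match the preceding sentence. The removed guidance also listed a high-entropy order ID as a sufficient reason on its own to disable the token ("either because the order ID is high-entropy OR ..."), and the new text no longer says that. Suggest stating both cases explicitly: the token can be disabled when the order ID is hard to guess, or when the order ID is guessable but order theft does not matter and a smaller QR code is wanted. The word "safely" is also stronger than the removed note supports for the second case, since that note still described a competitor preventing legitimate customers from claiming their orders; "you can disable the claim token" would be enough.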

-- 
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.


