On 13/6/26 10:52, JC Brand wrote:
On 6/12/26 18:44, Stephen Paul Weber wrote:
I've kept "display-amount" to avoid clients having to be able to
parse payment URIs, but it's non-authoritative.
I can see why you want this. But I'm also a bit concerned about the
security implications of having a possible "$2" label on a $2000
payment.
Yes, that's the risk, which is why I mention it in the security
considerations.
Perhaps we should just remove it, but then clients which don't know
the URI scheme won't be able to show the amount to the user, which sucks.
Also, if we removed "display-amount", there's still a "label" field
which could lie about the actual payment amount.
It's non-authoritative, clients can slap a "cannot verify this value,
check the price on the next step" sticker on it as necessary.
_______________________________________________
Standards mailing list -- standards(a)xmpp.org