feature(mer-49): initial commit, need to introduce issuer and merchan… #225
koekiebox wants to merge 7 commits into
## Why Hardware Security Modules Matter in Payments and How They Relate to Rafiki

Card payments, digital-wallets, and modern financial APIs all depend on one thing that users rarely see: **trust**.

> The first mention of "digital wallet" appears without a hyphen, so we should stick to that convention throughout.

Not just trust in the institution, or the network, or the device - but trust in the cryptography that protects identities, keys, approvals, and movement of value.
That **trust** does not happen by accident. It is established through carefully managed cryptographic boundaries, clear ownership of keys, and systems that are designed to avoid exposing secrets where they do not belong. In payment environments especially, this becomes a foundational concern.

> clear key ownership, and systems designed to avoid exposing secrets

This is where Hardware Security Modules, or HSMs, come in.
In our earlier exploration of card payments and Rafiki, a recurring theme emerged: trust is defined as much by key management as by APIs. We looked at POS onboarding, remote key injection, device identity, and separation between payment cryptography and ILP-facing services.
HSMs sit naturally inside that discussion because they are one of the primary ways financial systems generate, protect, and use sensitive cryptographic material securely.

> HSMs sit naturally within that discussion because they are among the primary ways
## Why Do We Need an HSM?

If all we needed was encryption, software libraries would often be enough.

> If all we needed were encryption
## What Is an HSM?

An HSM is a specialized cryptographic device, or in some cases a tightly controlled managed service, designed to generate, store, protect, and use cryptographic keys without exposing those keys in clear form to general-purpose application environments.

> without exposing them in clear form
### Separating duties and trust boundaries

In real systems, not every service should have equal access to secrets. A payment API may need to request an operation, but it should not be free to extract every key.
An operations team may need to deploy services, but they should not automatically gain access to master key material. Security teams may need oversight without manually touching every transaction.

> Security teams may need oversight without having to review every transaction manually.
Card payments rely on structured key hierarchies and tightly defined cryptographic processes.
There are issuer-side keys, terminal-side keys, transport keys, PIN-related keys, transaction keys, derivation keys, and keys used for encryption, MACing, or signing.

These are not casual secrets. They define whether one party can trust the output of another.

> They determine whether one party can trust another's output.
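The trust-boundary and key-hierarchy ideas in the draft above (services request operations by handle rather than holding keys, a derivation key that spawns per-terminal working keys, MAC keys that cannot be misused for derivation, and an audit trail for oversight) can be made concrete with a small model. The following is an added example written for this review, not code from the blog post, Rafiki, or any HSM vendor: the `HsmBoundary` class, `KeyHandle`, the terminal ids and the transaction record are all constructed for illustration, and HMAC-SHA256 stands in as a simple KDF rather than a payment-industry scheme such as DUKPT. A real HSM enforces the boundary in hardware; here only the API shape enforces it.

```python
"""Toy model of an HSM trust boundary and a terminal key hierarchy.

Added example, not from the blog post or the Rafiki project. Every name,
key usage label and sample value below is constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyHandle:
    """Opaque reference handed to applications: a name and an allowed usage,
    never any key bytes."""
    name: str
    usage: str  # "derive" (may only create child keys) or "mac" (may only MAC)


class KeyUsageError(Exception):
    """Raised when a caller asks a key to do something its usage forbids."""


class HsmBoundary:
    """Raw keys live only in _keys; callers operate by handle and every
    operation is recorded so an oversight team can review activity later."""

    def __init__(self) -> None:
        self._keys: dict[KeyHandle, bytes] = {}
        self._audit: list[tuple[str, str]] = []

    def generate_key(self, name: str, usage: str) -> KeyHandle:
        handle = KeyHandle(name, usage)
        if handle in self._keys:
            raise ValueError(f"key {name!r} already exists")
        self._keys[handle] = secrets.token_bytes(32)  # generated inside the boundary
        self._audit.append(("generate", name))
        return handle

    def derive_key(self, parent: KeyHandle, child_name: str,
                   context: bytes, usage: str) -> KeyHandle:
        """Derive a child key from a derivation key. HMAC-SHA256 over the child
        name, usage and caller-supplied context serves as the KDF (an assumption
        of this example). Re-deriving the same child is idempotent."""
        self._require(parent, "derive")
        child = KeyHandle(child_name, usage)
        label = b"|".join([b"derive", child_name.encode(), usage.encode(), context])
        material = hmac.new(self._keys[parent], label, hashlib.sha256).digest()
        existing = self._keys.get(child)
        if existing is not None and not hmac.compare_digest(existing, material):
            raise ValueError(f"{child_name!r} already exists with different material")
        self._keys[child] = material
        self._audit.append(("derive", child_name))
        return child

    def mac(self, handle: KeyHandle, message: bytes) -> bytes:
        """Return a truncated HMAC-SHA256 tag; the key never leaves the boundary."""
        self._require(handle, "mac")
        self._audit.append(("mac", handle.name))
        return hmac.new(self._keys[handle], message, hashlib.sha256).digest()[:16]

    def verify_mac(self, handle: KeyHandle, message: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.mac(handle, message), tag)

    def audit_log(self) -> list[tuple[str, str]]:
        return list(self._audit)

    def _require(self, handle: KeyHandle, usage: str) -> None:
        if handle not in self._keys:
            raise KeyError(f"unknown key {handle.name!r}")
        if handle.usage != usage:
            raise KeyUsageError(f"{handle.name!r} is a {handle.usage!r} key, not {usage!r}")


def demo() -> dict[str, bool]:
    """Walk a master derivation key -> per-terminal MAC key hierarchy and
    return the properties the boundary is meant to guarantee."""
    hsm = HsmBoundary()
    bdk = hsm.generate_key("terminal-bdk", "derive")  # base derivation key, never exported
    term_a = hsm.derive_key(bdk, "term-0001-mac", b"terminal-0001", "mac")
    term_b = hsm.derive_key(bdk, "term-0002-mac", b"terminal-0002", "mac")
    txn = b"amount=1250;currency=USD;terminal=0001;seq=42"  # constructed sample record
    tag_a = hsm.mac(term_a, txn)

    # A verifier holding only the derivation key can re-derive the terminal key.
    term_a_again = hsm.derive_key(bdk, "term-0001-mac", b"terminal-0001", "mac")

    try:                      # a derivation key must not be usable as a MAC key
        hsm.mac(bdk, txn)
        usage_enforced = False
    except KeyUsageError:
        usage_enforced = True

    return {
        "verify_ok": hsm.verify_mac(term_a_again, txn, tag_a),
        "tamper_detected": not hsm.verify_mac(term_a, txn.replace(b"1250", b"9999"), tag_a),
        "per_terminal_keys_differ": hsm.mac(term_b, txn) != tag_a,
        "usage_enforced": usage_enforced,
        "handle_carries_no_key": not any(isinstance(v, bytes) for v in vars(term_a).values()),
        # 1 generate + 3 derive + 4 successful mac calls (the refused one is not logged)
        "audit_records_every_op": len(hsm.audit_log()) == 8,
    }


if __name__ == "__main__":
    for prop, ok in demo().items():
        print(f"{prop}: {ok}")
```

The point of the model is the shape of the interface, not the toy KDF: the payment service only ever holds `KeyHandle` values and asks for a MAC or a derivation, which is the same division of responsibility the draft argues for between payment cryptography and the services that consume it.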


Please see: https://linear.app/interledger/issue/MER-49/blog-on-payment-hsms
PR Checklist
Fixes #123
bun run format to ensure code is properly formatted
bun run lint passes without errors
Summary