W3C home > Mailing lists > Public > public-credentials@w3.org > April 2016

Re: Update on Web Payments Working Group [The Web Browser API Incubation Anti-Pattern]

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Thu, 7 Apr 2016 06:58:49 +0200
To: UniDyne <unidyne@gmail.com>
Cc: Web Payments <public-webpayments@w3.org>, Credentials CG <public-credentials@w3.org>, Anders Rundgren <anders.rundgren.net@gmail.com>
Message-ID: <5705E909.2000306@gmail.com>
On 2016-04-07 05:14, UniDyne wrote:
> I've been watching this list for a long time. Just my 2 cents:
>
> HTTP (the "web") is merely a transport mechanism. Web payments is merely a protocol built on top of that. Do we really need an in-browser API? If not, is W3C needed? I think the answers are "yes" and "yes".
It is a position at least :-)

>
> OAuth and OpenID were simply protocol implementations that received buy-in early on in the rise of social media. OAuth in particular wasn't rock-solid, but it was a well-documented and easy-to-implement solution to the SSO problem, so everyone started using it. We didn't need W3C for that. It's essentially just a Kerberos implementation over HTTP.
>
> WebID is essentially just another protocol. It's not even built on HTTP but actually lives in SSL. The only thing "web" about it is that it is to be used over HTTPS and includes a URI for identification. That CG's been around for several years now and still isn't an official standard but if you take the "web" part out of it, it could still be just as useful for other transports.
>
> These are both protocols that can (and do) work outside browser vendors and W3C.
>
> The difference is that going the protocol route with "web payments" is near impossible because of the concept of "wallets" and "payment providers".

That's indeed the biggest difference compared to the things you mention.


> At the very least, the latter would be imperative unless we're willing to allow the payee to handle that part initially. The issue is security and risk.

Although true, the W3C Web Payment efforts have "externalized" this part of the plot with hopes that the vendors will "fill in the blanks".

 From what can see the card industry take a concrete example haven't yet come up with a scheme for the Web in spite of having had 20 years or so to think about it.

Therefore this part will also be a question for the "platform" vendors (independent "browser" vendors are not really in power these days).

Since there are two dominating mobile platforms where one of the vendors generally keeps a low profile in standardization, we (all) effectively rely on a single vendor.

My proposal (which currently have no supporters in W3C), is forcing this single vendor to offer an open interface between the Web and Wallets (and more) allowing anybody to create a Web Payment system. That may sound as the opposite to standardization and that's true; since Banks, VISA, EMVco, ISO, FIDO, etc. do not operate in the open, the very foundation for standards in the usual meaning is missing.  Innovation is therefore a better short-term alternative IMO.  After a period of innovation, consolidation will hopefully rectify the worst excesses.

Anders


> An e-commerce payee has to worry about PCI compliance. They currently have a slew of products and providers available and very few are going to venture outside that. Anyone who has filled out a PCI Self-Compliance Survey knows that having something new or different requires an explanation and "mitigating controls." Writing a vendor name is much easier. A payment provider worries about their exposure when using an ("untested") open standard they didn't develop. That's probably the reason why every payment provider is coming up with their own solution or rolling with someone else that has a big name and deep pockets.
>
> An in-browser API implementation is needed to ensure that everyone is correctly implementing the same baseline standard with the same security practices. It's also required for wallets and the hardware things that might secure them (biometrics, keys, TPMS, etc). Achieving this outside W3C would be very difficult. It would need buy-in from one of the major browsers and prove successful (or at least make a lot of noise) in order to coerce the others to follow.
>
> I agree with Anders. A standard isn't likely to get traction until there's enough competition in this space to get the players to come to the table and hash something out. I think that move is more likely to come from payment providers than browser vendors. There's a cost associated with fragmentation, but it's not reaching a threshold where it outweighs both risk and the limits of market share.
>
>
>
> On Wed, Apr 6, 2016 at 1:33 PM, Steven Rowat <steven_rowat@sunshine.net <mailto:steven_rowat@sunshine.net>> wrote:
>
>     On 4/6/16 7:26 AM, Fabio Barone wrote:
>
>         I believe one scenario to achieve some of the ideals behind this group:
>         - A decentralized evolution of the blockchain/bitcoin protocol
>         (features: fast and easy confirmation of TX, no need to download 60GB
>         of data in order to participate, and more)
>         - Results in obliterating current financial powers and promises more
>         open interactions
>         - A strong interledger protocol, as THE blockchain should not exist
>         IMHO, or we have a decentralized central single point of failure
>         - Money NOT designed for scarcity, with built-in rules to shrink/grow
>         the money supply according to REAL (and real-time) economic data
>         - With reference to a tangible value for value accounting (how much is
>         a bitcoin? It only holds value in reference to something else, and it
>         fluctuates too much. Could be kWh)
>         - Bake these underlying protocols into the web (via browsers or the
>         evolution thereof).
>
>
>     +1
>
>     And add these thoughts:
>
>     The way this CG group is headed, of accommodating the current financial/identity regimes, is in fact being developed in parallel by so many (dozens) of legal, political, and private corporation bodies in the world [see below], that I've come to the tentative conclusion that this CG has little or no chance of contributing much more to that form of the solution. Which, as you point out Fabio, may never work anyway for anyone: the world may be headed for a revolutionary shift to interledger and blockchains that achieves this, eventually.
>
>     My strong statement in the preceding paragraph is based on this: I followed the link Joseph Potvin provided (in the web-payments list version of this thread) to UNCITRAL:
>
>         See: "UNCITRAL Colloquium on Identity Management and Trust Services" 21-22 April 2016, Vienna
>         http://www.uncitral.org/uncitral/en/commission/colloquia/identity-management-2016.html
>
>
>     >From that page I followed each of three links that give comprehensive background papers in Identity Management, and which are required reading for the upcoming UNCITRAL conference. All three are PDFs. [1,2,3]. All interesting, but only the first two are parallel to the work of this CG -- but they are stunning in their comprehensiveness. Not only is much of what's being discussed here every day being explained in detail, but there is much beyond what's being discussed here. And the huge number of bodies working on the problem is laid out.
>
>     Here are two quotes from [2], (American Bar Association "Overview of identity management..."'). The Introduction opens with point #1, which is of clear relevance to the question raised in this CG of the need for an identity solution before payments can be solidified:
>
>         1. In 2011, an OECD report noted that “digital identity management is
>         fundamental to the further development of the Internet economy.”1 It is a
>         foundational requirement for all substantive forms of e-commerce.
>
>
>     Then in point #5 of the Introduction, which is long, and which I'm going to paste here in its entirety because that's my whole point (how big it is), there's the huge number of groups working in parallel on an identity solution, worldwide:
>
>         5. The critical importance of identity management in facilitating trustworthy
>         e-commerce is well-recognized. Numerous intergovernmental groups, states, private
>         international groups, and commercial entities are actively exploring identity
>         management issues and opportunities, developing technical standards and business
>         processes, and seeking ways to implement viable identity systems. For example:
>
>
>         (a) Inter-governmental groups actively working on identity management
>         issues and standards include the Organization for Economic Cooperation and
>         Development (OECD),8 the International Organization for Standardization (ISO)9
>         and the International Telecommunications Union (ITU);10
>
>
>         (b) A survey undertaken by the OECD11 identified 18 OECD countries
>         actively pursuing national strategies for identity management (Australia, Austria,
>         Canada, Chile, Denmark, Germany, Italy, Japan, Luxembourg, Netherlands, New
>         Zealand, Portugal, Republic of Korea, Slovenia, Spain, Sweden, Turkey, and United
>         States of America).12 Several other countries, such as Estonia, India, and Nigeria are
>         also actively pursuing such strategies;
>
>
>         (c) Several regional identity projects are underway in the European Union,
>         including PrimeLife (a project of the European Commission’s Seventh Framework
>         Programme),13 the Global Identity Networking of Individuals — Support Action
>         (GINI-SA),14 STORK (to establish a European eID Interoperability Platform),15 and
>         the European Network and Information Security Agency (ENISA);16
>
>
>         (d) Private organizations working on identity standards and policy at an
>         international level include the Organization for the Advancement of Structured
>         Information Standards (OASIS),17 the Open Identity Exchange (OIX),18 the Kantara
>         Initiative,19 the Open ID Foundation,20 tScheme,21 and The Internet Society;22
>
>
>         (e) Some commercial identity systems have been established and operate on
>         a global scale in limited areas. These include those operated by the Transglobal
>         Secure Collaboration Program (TSCP)23 and CertiPath24 for the aerospace and
>         defence industries, the SAFE-BioPharma Association25 for the biopharmaceutical
>         industry, IdenTrust26 for the financial sector, the CA/Browser Forum27 for website
>         EV-SSL certificates, and FiXs — Federation for Identity and Cross-Credentialing
>         Systems (FiXs).28 The work of these groups is focused primarily on technical
>         standards and business process issues, rather than legal issues.
>
>
>
>     There is much more of interest in both [1] and [2], both as regards payments/commerce and identity/credentials (including already-in-use legal terminology like "relying party" for the person or body that consumes/uses/examines a credential) and I encourage any members of this list to read [1] and [2] in full.
>
>     I don't mean to imply that this CG has accomplished nothing; on the contrary, I think there's a good chance that the gradual rise of all these bodies' attempts to solve identity has been driven by groups such as this CG which have been raising the hue and cry about the need for a solution. Perhaps that rise in awareness of the need will  be all that is accomplished here. And perhaps it's enough.
>
>     Steven Rowat
>
>
>
>     [1] A/CN.9/854 - Possible future work in the area of electronic commerce - legal issues related to identity management and trust services
>     http://daccess-ods.un.org/access.nsf/Get?OpenAgent&DS=A/CN.9/854&Lang=E
>
>     [2] A/CN.9/WG.IV/WP.120 - Overview of identity management - Background paper submitted by the Identity Management Legal Task Force of the American Bar Association
>     http://daccess-ods.un.org/access.nsf/Get?OpenAgent&DS=A/CN.9/WG.IV/WP.120&Lang=E
>
>     [3] A/CN.9/WG.III/WP.136 - Online dispute resolution for cross-border electronic commerce transactions: Submission by the Russian Federation
>     http://daccess-ods.un.org/access.nsf/Get?OpenAgent&DS=A/Cn.9/Wg.iii/wp.136&Lang=E
>
>
>
>
Received on Thursday, 7 April 2016 04:59:23 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 July 2018 21:19:28 UTC