W3C home > Mailing lists > Public > public-credentials@w3.org > April 2016

Re: Update on Web Payments Working Group [The Web Browser API Incubation Anti-Pattern]

From: Roger Bass <roger@traxiant.com>
Date: Wed, 6 Apr 2016 22:44:22 -0700
Message-ID: <CA+nC-XtP_0yAMoa8KtSPGATdbMBZ8928N=m9uWyezNk9xB_JKQ@mail.gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: UniDyne <unidyne@gmail.com>, Web Payments <public-webpayments@w3.org>, Credentials CG <public-credentials@w3.org>
On Wed, Apr 6, 2016 at 8:14 PM, UniDyne <unidyne@gmail.com> wrote:
A standard isn't likely to get traction until there's enough competition in
this space to get the players to come to the table and hash something out.
I think that move is more likely to come from payment providers than
browser vendors. There's a cost associated with fragmentation, but it's not
reaching a threshold where it outweighs both risk and the limits of market
share.

Quite.

The browser use case for Web Payments is obviously an important one. And
there may well be ways to incrementally move the state of the art forward,
short of a shift to full interoperability. It seems clear enough that
competitive conditions in the browser market, and probably even the payment
provider market aren't yet at a point to drive that.

However, I would suggest that if broad payments interoperability arises
elsewhere (i.e. non-browser use cases) it's plausible that that would carry
over to the browser use case too.

Let me get more specific - and recall the big shift that occurred in
telecommunications. Over a decade or two (I don't have the stats to hand),
that world shifted from being mainly a voice network, with data running on
top of it... to a world where the traffic was 99% data. The underlying
infrastructure, too, shifted to being basically a data network, with voice
just another relatively minor application running on top.

Isn't it fairly obvious that a similar shift is underway in the Web, if
seen as the "Interaction" layer of the Internet? Being human beings, most
of us tend to think first about the use cases that directly involve a human
being. But in fact, the volume of non-human interactions already dwarfs the
human interactions, certainly for example when you look at something as
easily quantified as payment volumes and values. Consumer Web interactions
are frequently mediated by software (mobile/cloud apps)... but for
payments, not yet quite to the point where significant numbers of purchase
/ payment transactions are being made by apps, rather than by a human being
directly through a browser.

For business-to-business (B2B) payments, however, this is not the case.
Larger businesses' payments are by and large already automated. On the
receiving side too, automated payment processes exist for many businesses,
even if non-automated flows account for most of the volume. (This is an
opportunity). The total volume of such payments globally is about 7x
consumer payment volumes ($700 trillion vs $100 trillion, in round numbers,
per McKinsey). There is also considerable competition and innovation in
that space, as well as a diversity of players, such that business cases
already exist for interoperability in various segments of the larger market.

To flip my original assertion around: I would even say that if an
interoperable (and global) payments model emerges for B2B payments - an
Internet of Payments, in other words -  it's hard to imagine that NOT
carrying over into the consumer world (including browser use cases).

To get back to the specifics of the Web platform: it includes various
standards conceived very much with machine-to-machine interactions in mind.
The Semantic Web, in particular, is a big idea that I think most would
agree hasn't yet taken off in any significant way. There hasn't been a
killer app for the Semantic Web. But B2B Payments, and B2B interactions
more generally could be it, in my view - the "tip of the spear" or catalyst
for another big shift.

Now, it's true that the W3C is not a venue that's particularly well-suited
or experienced when it comes to the complex, multi-layered standardization
of B2B interactions. Such work has, however, been going on elsewhere,
notably OASIS with ebXML, not to exclude other standards with traction at
different layers of the stack.

That said, although I've not yet spent a lot of time on this question,
others apparently have. (Notably, there's some academic work I linked in an
earlier email. I may invite the authors to join this group). It's still
unclear what the costs and benefits might be of mapping or migrating those
standards, not to mention their implementations in the real world, onto a
Semantic Web platform.

>From a W3C perspective generally, however - and in particular this Web
Payments CG perspective - the potential benefits seem very clear. If
efforts focused on B2B payments use cases can solve a payments interop
problem that's big in its own right, that could potentially catalyze an
interop shift in the otherwise-challenging consumer/browser world too...
and perhaps even a massive, rapid Semantic Web adoption wave, comparable to
the original Internet / Web wave... well, those all seem like pretty
desirable outcomes, no?

Roger


On Wed, Apr 6, 2016 at 9:58 PM, Anders Rundgren <
anders.rundgren.net@gmail.com> wrote:

> On 2016-04-07 05:14, UniDyne wrote:
>
> I've been watching this list for a long time. Just my 2 cents:
>
> HTTP (the "web") is merely a transport mechanism. Web payments is merely a
> protocol built on top of that. Do we really need an in-browser API? If not,
> is W3C needed? I think the answers are "yes" and "yes".
>
> It is a position at least :-)
>
>
> OAuth and OpenID were simply protocol implementations that received buy-in
> early on in the rise of social media. OAuth in particular wasn't
> rock-solid, but it was a well-documented and easy-to-implement solution to
> the SSO problem, so everyone started using it. We didn't need W3C for that.
> It's essentially just a Kerberos implementation over HTTP.
>
> WebID is essentially just another protocol. It's not even built on HTTP
> but actually lives in SSL. The only thing "web" about it is that it is to
> be used over HTTPS and includes a URI for identification. That CG's been
> around for several years now and still isn't an official standard but if
> you take the "web" part out of it, it could still be just as useful for
> other transports.
>
> These are both protocols that can (and do) work outside browser vendors
> and W3C.
>
> The difference is that going the protocol route with "web payments" is
> near impossible because of the concept of "wallets" and "payment
> providers".
>
>
> That's indeed the biggest difference compared to the things you mention.
>
>
> At the very least, the latter would be imperative unless we're willing to
> allow the payee to handle that part initially. The issue is security and
> risk.
>
>
> Although true, the W3C Web Payment efforts have "externalized" this part
> of the plot with hopes that the vendors will "fill in the blanks".
>
> From what can see the card industry take a concrete example haven't yet
> come up with a scheme for the Web in spite of having had 20 years or so to
> think about it.
>
> Therefore this part will also be a question for the "platform" vendors
> (independent "browser" vendors are not really in power these days).
>
> Since there are two dominating mobile platforms where one of the vendors
> generally keeps a low profile in standardization, we (all) effectively rely
> on a single vendor.
>
> My proposal (which currently have no supporters in W3C), is forcing this
> single vendor to offer an open interface between the Web and Wallets (and
> more) allowing anybody to create a Web Payment system.  That may sound as
> the opposite to standardization and that's true;  since Banks, VISA, EMVco,
> ISO, FIDO, etc. do not operate in the open, the very foundation for
> standards in the usual meaning is missing.  Innovation is therefore a
> better short-term alternative IMO.  After a period of innovation,
> consolidation will hopefully rectify the worst excesses.
>
> Anders
>
>
>
> An e-commerce payee has to worry about PCI compliance. They currently have
> a slew of products and providers available and very few are going to
> venture outside that. Anyone who has filled out a PCI Self-Compliance
> Survey knows that having something new or different requires an explanation
> and "mitigating controls." Writing a vendor name is much easier. A payment
> provider worries about their exposure when using an ("untested") open
> standard they didn't develop. That's probably the reason why every payment
> provider is coming up with their own solution or rolling with someone else
> that has a big name and deep pockets.
>
> An in-browser API implementation is needed to ensure that everyone is
> correctly implementing the same baseline standard with the same security
> practices. It's also required for wallets and the hardware things that
> might secure them (biometrics, keys, TPMS, etc). Achieving this outside W3C
> would be very difficult. It would need buy-in from one of the major
> browsers and prove successful (or at least make a lot of noise) in order to
> coerce the others to follow.
>
> I agree with Anders. A standard isn't likely to get traction until there's
> enough competition in this space to get the players to come to the table
> and hash something out. I think that move is more likely to come from
> payment providers than browser vendors. There's a cost associated with
> fragmentation, but it's not reaching a threshold where it outweighs both
> risk and the limits of market share.
>
>
>
> On Wed, Apr 6, 2016 at 1:33 PM, Steven Rowat <steven_rowat@sunshine.net>
> wrote:
>
>> On 4/6/16 7:26 AM, Fabio Barone wrote:
>>
>>> I believe one scenario to achieve some of the ideals behind this group:
>>> - A decentralized evolution of the blockchain/bitcoin protocol
>>> (features: fast and easy confirmation of TX, no need to download 60GB
>>> of data in order to participate, and more)
>>> - Results in obliterating current financial powers and promises more
>>> open interactions
>>> - A strong interledger protocol, as THE blockchain should not exist
>>> IMHO, or we have a decentralized central single point of failure
>>> - Money NOT designed for scarcity, with built-in rules to shrink/grow
>>> the money supply according to REAL (and real-time) economic data
>>> - With reference to a tangible value for value accounting (how much is
>>> a bitcoin? It only holds value in reference to something else, and it
>>> fluctuates too much. Could be kWh)
>>> - Bake these underlying protocols into the web (via browsers or the
>>> evolution thereof).
>>>
>>
>> +1
>>
>> And add these thoughts:
>>
>> The way this CG group is headed, of accommodating the current
>> financial/identity regimes, is in fact being developed in parallel by so
>> many (dozens) of legal, political, and private corporation bodies in the
>> world [see below], that I've come to the tentative conclusion that this CG
>> has little or no chance of contributing much more to that form of the
>> solution. Which, as you point out Fabio, may never work anyway for anyone:
>> the world may be headed for a revolutionary shift to interledger and
>> blockchains that achieves this, eventually.
>>
>> My strong statement in the preceding paragraph is based on this: I
>> followed the link Joseph Potvin provided (in the web-payments list version
>> of this thread) to UNCITRAL:
>>
>> See: "UNCITRAL Colloquium on Identity Management and Trust Services"
>>> 21-22 April 2016, Vienna
>>>
>>> http://www.uncitral.org/uncitral/en/commission/colloquia/identity-management-2016.html
>>>
>>
>> >From that page I followed each of three links that give comprehensive
>> background papers in Identity Management, and which are required reading
>> for the upcoming UNCITRAL conference. All three are PDFs. [1,2,3]. All
>> interesting, but only the first two are parallel to the work of this CG --
>> but they are stunning in their comprehensiveness. Not only is much of
>> what's being discussed here every day being explained in detail, but there
>> is much beyond what's being discussed here. And the huge number of bodies
>> working on the problem is laid out.
>>
>> Here are two quotes from [2], (American Bar Association "Overview of
>> identity management..."'). The Introduction opens with point #1, which is
>> of clear relevance to the question raised in this CG of the need for an
>> identity solution before payments can be solidified:
>>
>> 1. In 2011, an OECD report noted that “digital identity management is
>>> fundamental to the further development of the Internet economy.”1 It is a
>>> foundational requirement for all substantive forms of e-commerce.
>>>
>>
>> Then in point #5 of the Introduction, which is long, and which I'm going
>> to paste here in its entirety because that's my whole point (how big it
>> is), there's the huge number of groups working in parallel on an identity
>> solution, worldwide:
>>
>> 5. The critical importance of identity management in facilitating
>>> trustworthy
>>> e-commerce is well-recognized. Numerous intergovernmental groups,
>>> states, private
>>> international groups, and commercial entities are actively exploring
>>> identity
>>> management issues and opportunities, developing technical standards and
>>> business
>>> processes, and seeking ways to implement viable identity systems. For
>>> example:
>>>
>>
>> (a) Inter-governmental groups actively working on identity management
>>> issues and standards include the Organization for Economic Cooperation
>>> and
>>> Development (OECD),8 the International Organization for Standardization
>>> (ISO)9
>>> and the International Telecommunications Union (ITU);10
>>>
>>
>> (b) A survey undertaken by the OECD11 identified 18 OECD countries
>>> actively pursuing national strategies for identity management
>>> (Australia, Austria,
>>> Canada, Chile, Denmark, Germany, Italy, Japan, Luxembourg, Netherlands,
>>> New
>>> Zealand, Portugal, Republic of Korea, Slovenia, Spain, Sweden, Turkey,
>>> and United
>>> States of America).12 Several other countries, such as Estonia, India,
>>> and Nigeria are
>>> also actively pursuing such strategies;
>>>
>>
>> (c) Several regional identity projects are underway in the European Union,
>>> including PrimeLife (a project of the European Commission’s Seventh
>>> Framework
>>> Programme),13 the Global Identity Networking of Individuals — Support
>>> Action
>>> (GINI-SA),14 STORK (to establish a European eID Interoperability
>>> Platform),15 and
>>> the European Network and Information Security Agency (ENISA);16
>>>
>>
>> (d) Private organizations working on identity standards and policy at an
>>> international level include the Organization for the Advancement of
>>> Structured
>>> Information Standards (OASIS),17 the Open Identity Exchange (OIX),18 the
>>> Kantara
>>> Initiative,19 the Open ID Foundation,20 tScheme,21 and The Internet
>>> Society;22
>>>
>>
>> (e) Some commercial identity systems have been established and operate on
>>> a global scale in limited areas. These include those operated by the
>>> Transglobal
>>> Secure Collaboration Program (TSCP)23 and CertiPath24 for the aerospace
>>> and
>>> defence industries, the SAFE-BioPharma Association25 for the
>>> biopharmaceutical
>>> industry, IdenTrust26 for the financial sector, the CA/Browser Forum27
>>> for website
>>> EV-SSL certificates, and FiXs — Federation for Identity and
>>> Cross-Credentialing
>>> Systems (FiXs).28 The work of these groups is focused primarily on
>>> technical
>>> standards and business process issues, rather than legal issues.
>>>
>>
>>
>> There is much more of interest in both [1] and [2], both as regards
>> payments/commerce and identity/credentials (including already-in-use legal
>> terminology like "relying party" for the person or body that
>> consumes/uses/examines a credential) and I encourage any members of this
>> list to read [1] and [2] in full.
>>
>> I don't mean to imply that this CG has accomplished nothing; on the
>> contrary, I think there's a good chance that the gradual rise of all these
>> bodies' attempts to solve identity has been driven by groups such as this
>> CG which have been raising the hue and cry about the need for a solution.
>> Perhaps that rise in awareness of the need will  be all that is
>> accomplished here. And perhaps it's enough.
>>
>> Steven Rowat
>>
>>
>>
>> [1] A/CN.9/854 - Possible future work in the area of electronic commerce
>> - legal issues related to identity management and trust services
>> http://daccess-ods.un.org/access.nsf/Get?OpenAgent&DS=A/CN.9/854&Lang=E
>>
>> [2] A/CN.9/WG.IV/WP.120 - Overview of identity management - Background
>> paper submitted by the Identity Management Legal Task Force of the American
>> Bar Association
>>
>> http://daccess-ods.un.org/access.nsf/Get?OpenAgent&DS=A/CN.9/WG.IV/WP.120&Lang=E
>>
>> [3] A/CN.9/WG.III/WP.136 - Online dispute resolution for cross-border
>> electronic commerce transactions: Submission by the Russian Federation
>>
>> http://daccess-ods.un.org/access.nsf/Get?OpenAgent&DS=A/Cn.9/Wg.iii/wp.136&Lang=E
>>
>>
>>
>>
>
>
Received on Thursday, 7 April 2016 05:45:31 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 July 2018 21:19:28 UTC