
Re: Update on Web Payments Working Group [The Web Browser API Incubation Anti-Pattern]

From: Timothy Holborn <timothy.holborn@gmail.com>
Date: Thu, 07 Apr 2016 11:41:30 +0000
Message-ID: <CAM1Sok0sPhTORNLq6zT7T5Nva7YJQbv-pRSR21XLEg=fSOxCRQ@mail.gmail.com>
To: UniDyne <unidyne@gmail.com>, Steven Rowat <steven_rowat@sunshine.net>
Cc: Fabio Barone <holon.earth@gmail.com>, Web Payments <public-webpayments@w3.org>, Credentials CG <public-credentials@w3.org>
On Thu, 7 Apr 2016 at 13:15 UniDyne <unidyne@gmail.com> wrote:

> I've been watching this list for a long time. Just my 2 cents:
>
> HTTP (the "web") is merely a transport mechanism. Web payments is merely a
> protocol built on top of that. Do we really need an in-browser API? If not,
> is W3C needed? I think the answers are "yes" and "yes".
>
> OAuth and OpenID were simply protocol implementations that received buy-in
> early on in the rise of social media. OAuth in particular wasn't
> rock-solid, but it was a well-documented and easy-to-implement solution to
> the SSO problem, so everyone started using it. We didn't need W3C for that.
> It's essentially just a Kerberos implementation over HTTP.
>
> WebID is essentially just another protocol. It's not even built on HTTP
> but actually lives in SSL. The only thing "web" about it is that it is to
> be used over HTTPS and includes a URI for identification. That CG's been
> around for several years now and still isn't an official standard but if
> you take the "web" part out of it, it could still be just as useful for
> other transports.
>
> These are both protocols that can (and do) work outside browser vendors
> and W3C.
>
> The difference is that going the protocol route with "web payments" is
> near impossible because of the concept of "wallets" and "payment
> providers". At the very least, the latter would be imperative unless we're
> willing to allow the payee to handle that part initially. The issue is
> security and risk. An e-commerce payee has to worry about PCI compliance.
> They currently have a slew of products and providers available and very few
> are going to venture outside that. Anyone who has filled out a PCI
> Self-Compliance Survey knows that having something new or different
> requires an explanation and "mitigating controls." Writing a vendor name is
> much easier. A payment provider worries about their exposure when using an
> ("untested") open standard they didn't develop. That's probably the reason
> why every payment provider is coming up with their own solution or rolling
> with someone else that has a big name and deep pockets.
>
> An in-browser API implementation is needed to ensure that everyone is
> correctly implementing the same baseline standard with the same security
> practices. It's also required for wallets and the hardware things that
> might secure them (biometrics, keys, TPMs, etc). Achieving this outside W3C
> would be very difficult. It would need buy-in from one of the major
> browsers and prove successful (or at least make a lot of noise) in order to
> coerce the others to follow.
>
> I agree with Anders. A standard isn't likely to get traction until there's
> enough competition in this space to get the players to come to the table
> and hash something out. I think that move is more likely to come from
> payment providers than browser vendors. There's a cost associated with
> fragmentation, but it's not reaching a threshold where it outweighs both
> risk and the limits of market share.
>
In the 90s we bought magazines that had CDs attached to the cover that
had a bunch of shareware on them. I think that's how I first got some BBS
software running.

Nowadays it's easier to distribute a virtualbox image...

Tim.H.

>
>
> On Wed, Apr 6, 2016 at 1:33 PM, Steven Rowat <steven_rowat@sunshine.net>
> wrote:
>
>> On 4/6/16 7:26 AM, Fabio Barone wrote:
>>
>>> I believe one scenario to achieve some of the ideals behind this group:
>>> - A decentralized evolution of the blockchain/bitcoin protocol
>>> (features: fast and easy confirmation of TX, no need to download 60GB
>>> of data in order to participate, and more)
>>> - Results in obliterating current financial powers and promises more
>>> open interactions
>>> - A strong interledger protocol, as THE blockchain should not exist
>>> IMHO, or we have a decentralized central single point of failure
>>> - Money NOT designed for scarcity, with built-in rules to shrink/grow
>>> the money supply according to REAL (and real-time) economic data
>>> - With reference to a tangible value for value accounting (how much is
>>> a bitcoin? It only holds value in reference to something else, and it
>>> fluctuates too much. Could be kWh)
>>> - Bake these underlying protocols into the web (via browsers or the
>>> evolution thereof).
>>>
>>
>> +1
>>
>> And add these thoughts:
>>
>> The way this CG group is headed, of accommodating the current
>> financial/identity regimes, is in fact being developed in parallel by so
>> many (dozens) of legal, political, and private corporation bodies in the
>> world [see below], that I've come to the tentative conclusion that this CG
>> has little or no chance of contributing much more to that form of the
>> solution. Which, as you point out Fabio, may never work anyway for anyone:
>> the world may be headed for a revolutionary shift to interledger and
>> blockchains that achieves this, eventually.
>>
>> My strong statement in the preceding paragraph is based on this: I
>> followed the link Joseph Potvin provided (in the web-payments list version
>> of this thread) to UNCITRAL:
>>
>> See: "UNCITRAL Colloquium on Identity Management and Trust Services"
>>> 21-22 April 2016, Vienna
>>>
>>> http://www.uncitral.org/uncitral/en/commission/colloquia/identity-management-2016.html
>>>
>>
>> From that page I followed each of three links that give comprehensive
>> background papers in Identity Management, and which are required reading
>> for the upcoming UNCITRAL conference. All three are PDFs. [1,2,3]. All
>> interesting, but only the first two are parallel to the work of this CG --
>> but they are stunning in their comprehensiveness. Not only is much of
>> what's being discussed here every day being explained in detail, but there
>> is much beyond what's being discussed here. And the huge number of bodies
>> working on the problem is laid out.
>>
>> Here are two quotes from [2], (American Bar Association "Overview of
>> identity management..."'). The Introduction opens with point #1, which is
>> of clear relevance to the question raised in this CG of the need for an
>> identity solution before payments can be solidified:
>>
>> 1. In 2011, an OECD report noted that “digital identity management is
>>> fundamental to the further development of the Internet economy.”1 It is a
>>> foundational requirement for all substantive forms of e-commerce.
>>>
>>
>> Then in point #5 of the Introduction, which is long, and which I'm going
>> to paste here in its entirety because that's my whole point (how big it
>> is), there's the huge number of groups working in parallel on an identity
>> solution, worldwide:
>>
>> 5. The critical importance of identity management in facilitating
>>> trustworthy
>>> e-commerce is well-recognized. Numerous intergovernmental groups,
>>> states, private
>>> international groups, and commercial entities are actively exploring
>>> identity
>>> management issues and opportunities, developing technical standards and
>>> business
>>> processes, and seeking ways to implement viable identity systems. For
>>> example:
>>>
>>
>> (a) Inter-governmental groups actively working on identity management
>>> issues and standards include the Organization for Economic Cooperation
>>> and
>>> Development (OECD),8 the International Organization for Standardization
>>> (ISO)9
>>> and the International Telecommunications Union (ITU);10
>>>
>>
>> (b) A survey undertaken by the OECD11 identified 18 OECD countries
>>> actively pursuing national strategies for identity management
>>> (Australia, Austria,
>>> Canada, Chile, Denmark, Germany, Italy, Japan, Luxembourg, Netherlands,
>>> New
>>> Zealand, Portugal, Republic of Korea, Slovenia, Spain, Sweden, Turkey,
>>> and United
>>> States of America).12 Several other countries, such as Estonia, India,
>>> and Nigeria are
>>> also actively pursuing such strategies;
>>>
>>
>> (c) Several regional identity projects are underway in the European Union,
>>> including PrimeLife (a project of the European Commission’s Seventh
>>> Framework
>>> Programme),13 the Global Identity Networking of Individuals — Support
>>> Action
>>> (GINI-SA),14 STORK (to establish a European eID Interoperability
>>> Platform),15 and
>>> the European Network and Information Security Agency (ENISA);16
>>>
>>
>> (d) Private organizations working on identity standards and policy at an
>>> international level include the Organization for the Advancement of
>>> Structured
>>> Information Standards (OASIS),17 the Open Identity Exchange (OIX),18 the
>>> Kantara
>>> Initiative,19 the Open ID Foundation,20 tScheme,21 and The Internet
>>> Society;22
>>>
>>
>> (e) Some commercial identity systems have been established and operate on
>>> a global scale in limited areas. These include those operated by the
>>> Transglobal
>>> Secure Collaboration Program (TSCP)23 and CertiPath24 for the aerospace
>>> and
>>> defence industries, the SAFE-BioPharma Association25 for the
>>> biopharmaceutical
>>> industry, IdenTrust26 for the financial sector, the CA/Browser Forum27
>>> for website
>>> EV-SSL certificates, and FiXs — Federation for Identity and
>>> Cross-Credentialing
>>> Systems (FiXs).28 The work of these groups is focused primarily on
>>> technical
>>> standards and business process issues, rather than legal issues.
>>>
>>
>>
>> There is much more of interest in both [1] and [2], both as regards
>> payments/commerce and identity/credentials (including already-in-use legal
>> terminology like "relying party" for the person or body that
>> consumes/uses/examines a credential) and I encourage any members of this
>> list to read [1] and [2] in full.
>>
>> I don't mean to imply that this CG has accomplished nothing; on the
>> contrary, I think there's a good chance that the gradual rise of all these
>> bodies' attempts to solve identity has been driven by groups such as this
>> CG which have been raising the hue and cry about the need for a solution.
>> Perhaps that rise in awareness of the need will be all that is
>> accomplished here. And perhaps it's enough.
>>
>> Steven Rowat
>>
>>
>>
>> [1] A/CN.9/854 - Possible future work in the area of electronic commerce
>> - legal issues related to identity management and trust services
>> http://daccess-ods.un.org/access.nsf/Get?OpenAgent&DS=A/CN.9/854&Lang=E
>>
>> [2] A/CN.9/WG.IV/WP.120 - Overview of identity management - Background
>> paper submitted by the Identity Management Legal Task Force of the American
>> Bar Association
>>
>> http://daccess-ods.un.org/access.nsf/Get?OpenAgent&DS=A/CN.9/WG.IV/WP.120&Lang=E
>>
>> [3] A/CN.9/WG.III/WP.136 - Online dispute resolution for cross-border
>> electronic commerce transactions: Submission by the Russian Federation
>>
>> http://daccess-ods.un.org/access.nsf/Get?OpenAgent&DS=A/Cn.9/Wg.iii/wp.136&Lang=E
>>
Received on Thursday, 7 April 2016 11:42:11 UTC
