Re: Web Payments Telecon Minutes for 2014-04-09

Dear All,

Just a follow-up note per last week's teleconference (2014-04-09) that, per
item 1 (Internet Governance Forum 2014) and in advance of the 15 April
deadline <http://www.intgovforum.org/cms/component/content/article/127-workshop-proposals/1588-2014-igf-guidelines-for-workshop-proposals->,
Manu and I submitted a 222-word proposal + background paper for IGF
consideration entitled:

'The Payment-Privacy-Policing Paradox:
Toward a Privacy-Conscious Internet Identity System for Web Payments'

I will circulate a link to it once it has been correctly received and
uploaded by the IGF Secretariat. The next stage in the selection process is
also outlined in the link above.

Regards,

p.



On Thu, Apr 10, 2014 at 1:55 AM, <msporny@digitalbazaar.com> wrote:

> Thanks to Dave Longley for scribing this week! The minutes
> for this week's Web Payments telecon are now available:
>
> https://web-payments.org/minutes/2014-04-09/
>
> Full text of the discussion follows for W3C archival purposes.
> Audio from the meeting is available as well (link provided below).
>
> ----------------------------------------------------------------
> Web Payments Community Group Telecon Minutes for 2014-04-09
>
> Agenda:
>   http://lists.w3.org/Archives/Public/public-webpayments/2014Apr/0018.html
> Topics:
>   1. Internet Governance Forum 2014
>   2. Getting United Nations' CITRAL Involved
>   3. Web Payments Workshop Review
>   4. Identity, Anonymity, Privacy, and Security
>   5. Current and Future Payment Systems
>   6. Initiating Payments and Digital Receipts
> Chair:
>   Manu Sporny
> Scribe:
>   Dave Longley
> Present:
>   Dave Longley, Manu Sporny, David I. Lehn, Pindar Wong, Joseph
>   Potvin, Brent Shambaugh
> Audio:
>   https://web-payments.org/minutes/2014-04-09/audio.ogg
>
> Dave Longley is scribing.
> Manu Sporny:  Additional to agenda, Joseph said he wanted to talk
>   about UNCITRAL stuff he'll be involved in during the next few
>   weeks.
> Manu Sporny:  Any other updates/changes to the agenda?
> David I. Lehn:  Nope
> No other updates noted.
>
> Topic: Internet Governance Forum 2014
>
> Manu Sporny: http://www.intgovforum.org/cms/
> Manu Sporny:  If folks will remember, last year we participated
>   in the IGF, as a result, a number of orgs from there came to the
>   web payments workshop, specifically, the british computer
>   society, they had great input on identity, the world bank came as
>   well, played a very big part talking about needs of world w/web
>   payments
> Manu Sporny:  There were a number of other orgs as well, it was a
>   very good outcome based on our participation in IGF.
> Manu Sporny:  So we should think heavily about how we should
>   participate, Pindar, any thoughts?
> Pindar Wong:  Yeah, i'd like to speak in favor of our
>   participation, if you recall last year we tried to design it so
>   there were follow-on activities, so it would be more than just
>   talking about policy issues involved, i'd like to also structure
>   it so that any output from this years IGF and any other meetings
>   can be fed into W3C this year
> Pindar Wong:  One of the things that came up from last year was
>   the tremendous interest in the web payments work and we'd like to
>   deal with the issues more than just once a year, there's an
>   interest in more than just talking about the issues, wanting to
>   move forward w/actions
> Manu Sporny:  Talking about where we should take what can be
>   standardized is what we want to do, we have to get into consumer
>   rights issues, anonymity issues things we got from talking about
>   identity at the workshop, outlining the stuff that will happen at
>   w3c on identity and getting input from IGF and talk about getting
>   them to influence the work by discussing w3c's official group
>   that will be looking at this
> Manu Sporny:  We're going to be creating technical standards, if
>   people at IGF want to get involved they can come to w3c and work
>   with the group
> Pindar Wong:  Yes, moving from the theoretical to the practical
>   is very important, the deadline is 15th of april, so if we want
>   to participate we have to get cracking
> Pindar Wong:  I'd be very happy to work with you to get something
>   put together
> Pindar Wong:  I think seeing the results from last time is a
>   positive indicator we should go, it would be worth while, i'd be
>   happy to work with you to flesh out a proposal
> Dave Longley:  I agree w/ Pindar's thoughts - getting more
>   feedback on the identity work would be helpful. [scribe assist by
>   Manu Sporny]
> Manu Sporny:  Pindar were you thinking of focusing on web
>   payments or identity+web and security implications, etc?
> Pindar Wong:  Given response from last year, the interface
>   between identity and web payments is the crux of the issue and
>   the IGF is a really good place to have dialog about interfacing,
>   the issue of identity+identifiers with respect to payments is
>   where we ought to focus
> Pindar Wong:  It's the interface that's important, the payment is
>   the motivation. Dealing with the interplay with identity and
>   anonymity is important and vital to address, etc.
> Pindar Wong:  Last year i made a mistake of not controlling
>   presentation time and we can correct that this year and get a lot
>   of good policy-level feedback on areas we would not normally have
>   access to
> Brent Shambaugh: +1
> Manu Sporny:  The one thing we were really missing at the web
>   payments workshop was that kind of policy input, so IGF is
>   important to get feedback from
> Manu Sporny:  So maybe Pindar and i can take this offline and
>   report back to CG later
> Pindar Wong:  I'll have some time to work on this for the next
>   few days
> Manu Sporny:  Good, let's work together on this. We'll take it
>   offline and report back to the group when we have it figured out.
>   Anything else on IGF?
> Nothing else on IGF.
>
> Topic: Getting United Nations' CITRAL Involved
>
> Joseph Potvin:  Is anyone familiar with UNCITRAL?
> Pindar Wong:  Yes, i am a bit
> Joseph Potvin:  They focus on international trade law has some
>   working groups for ecommerce and has a number of initiatives that
>   seem to me to provide the legal environment in which the whole
>   discussion w/w3c web payments seems to be situated, the way it
>   works is they have delegates from numerous countries, they've
>   been doing ecommerce since 80s, countries have their own legal
>   positions, they produce a model/template law and that is taken
>   and interpreted into the legal context of each participating
>   country, as a result each country's legal tradition comes in, but
>   across borders there are some common things that come into play
>   because of the template, etc.
> Joseph Potvin:  A fair bit of work on nitty gritty details of
>   ecommerce trying to determine the specific thing that is being
>   moved around with the various ecommerce payments alternatives,
>   whether a digital packet of money going around or is meta data
>   about money, and if meta data, what is it, is it a bill of
>   exchange a promissory note, etc. when writing software you have to
>   be really clear about classes and properties, etc.
> Pindar Wong:  The point about terminology about promissory notes
>   and negotiable instruments, and getting to know the terminology
>   in this space is really important if only to avoid potential
>   friction later on, the terminology is quite key
> Joseph Potvin:  To give an example of the degree of headache: in
>   1978 the bank in canada in montreal was shipping dollar $5 bills
>   and had an accident where the truck transporting the bills
>   burned. The legal case went to the supreme court and question was
>   whether or not bank could get money back by reprinting, split
>   decision 3-3
> Joseph Potvin:  Even at highest court there is disagreement with
>   what we're dealing with
> Joseph Potvin:  In the case of w3c potential specifications, i
>   don't think we want to have ambiguity about the classes we're
>   dealing with, so there's a legal side and a technical side to
>   this, on tech side legal stuff becomes requirements for what's
>   being coded, etc.
> Joseph Potvin:  Accounting entries that cause numbers to go
>   up/down aren't money moving around and are at a level of systems
>   architecture but it will be problematic if the community gets
>   them wrong and courts start deciding that things are invalid
> Joseph Potvin: Example link on UNCITRAL:
>   http://www.uncitral.org/pdf/english/workinggroups/wg_4/wp_120_e.pdf
> Manu Sporny:  I definitely agree that we need to get the
>   terminology right and make sure that it lines up with
>   international law, my concern is that we don't want to create
>   some kind of blocking item that prevents tech work from happening
>   because we're waiting for legal decision to play out
> Manu Sporny:  This is the UN so it works in broad strokes, not
>   low-level technical detail
> Manu Sporny:  There may be a mismatch with high-level vs.
>   low-level language and a speed mismatch with how quickly w3c can
>   work vs. UN
> Pindar Wong:  The phasing and expectations of when useful output
>   from this group might interface is quite an important one, i
>   think there is a phasing issue where these processes are
>   deliberate and slow moving but i wouldn't actually say them
>   informing our process is the right perspective, i'd look at it
>   the other way around, getting them to shape their processes as
>   ours evolve, the flow of the direction is a little bit back to
>   front
> Manu Sporny:  I think that since Joseph is volunteering to
>   participate in that work and is very motivated to do so, we
>   should have him reach out to that group and be the liaison.
> Pindar Wong:  Absolutely, i'm in full support, nothing i've said
>   should imply otherwise
> Manu Sporny:  I agree, joseph should reach out and liaise with
>   them
> Manu Sporny:  But i agree with you pindar that the faster moving
>   w3c process should inform the slower moving UN process
> Pindar Wong:  After first year they should be very aware of this
>   group's existence
> Manu Sporny:  So in general, if Joseph wants to interface with
>   that group, we should make first contact with them, make them
>   aware of the work at W3C CG and the potential upcoming IG, and we
>   want faster moving group to provide input to the slower moving
>   group (faster=w3c cg, slower=UN)
> Manu Sporny:  And then there's a feedback loop where we get input
>   from UN and put back into w3c cg
> Joseph Potvin:  I was just talking to someone on phone about w3c
>   having observer status with that working group and i will follow
>   up
> Manu Sporny:  It would be Wendy or Rigo. I'd be surprised if any
>   one of them can make it, but they'd be the contact at w3c
> Joseph Potvin:  I'll try and arrange for w3c to have observer
>   status and see if i can be the observer
> Manu Sporny:  Definitely clear that with w3c first, do not say
>   that you're representing them.
> Manu Sporny:  You can't use their name without their permission
> Joseph Potvin:  Of course, I was going to clear it with them
>   first.
> Manu Sporny:  It sounds like there's a lot of positive upside as
>   long as we don't tie two groups together too tightly
> Joseph Potvin:  Bitcoin a good example of not getting legal stuff
>   working early on then with a stroke of a pen all the tech work
>   becomes bogged down by the legal ramifications.
> Joseph Potvin:  My experience over past 15 years working on this
>   kind of thing ... as long as lawyers are comfortable with
>   concepts being straightened out then they can move pretty quickly
> Manu Sporny:  Let us know if you need anything from us, otherwise
>   ball is in your court, go ahead and make first contact, let us
>   know how things go
> Joseph Potvin: :-)  I'll leave it at that.  I'll follow up with
>   Wendy Seltzer and keep you all informed
>
> Topic: Web Payments Workshop Review
>
> Manu Sporny: http://www.w3.org/2013/10/payments/minutes/
> Manu Sporny:  Web payments workshop very successful, more so than
>   we thought there would be, lots of problems brought up (identity,
>   payments) and general feeling that w3c should do something about
>   them
> Manu Sporny:  We could have found out that there was no desire
>   for w3c to address these problems, instead orgs thought there
>   were lots of problems and w3c could and should solve them with
>   relatively narrowly scoped work.
> Manu Sporny:  Minutes were cleaned up by web payments cg, we've
>   gotten compliments about how nice they are, etc. there are 14
>   hours of minutes there so we can't go through all of them of
>   course
> Manu Sporny:  We can hit 3 highlights on the call today, spending
>   about 10 minutes per highlight ... any questions in general about
>   workshop?
> Pindar Wong:  Slides were excellent and thanks for taking such
>   outstanding notes
> Brent Shambaugh: +1
> Manu Sporny:  W3c has a great history of being very open and
>   transparent for these events and running them, etc.
> Manu Sporny:  Half of the people coming to the workshop were new
>   to w3c and chatter afterwards was that attendees were very
>   impressed with the community and people were trying to solve
>   problems of a technical nature and not getting stuck on policy,
>   etc. and most felt that everyone was really on point for most of
>   the time there
>
> Topic: Identity, Anonymity, Privacy, and Security
>
> Manu Sporny:  We're kind of going out of order ... it's ordered
>   by items with most about interest at workshop
> Manu Sporny:  First item was somewhat tangential to payments,
>   there was a big push at the workshop to try and address the
>   identity problem on the web
> Manu Sporny:
>   http://www.w3.org/2013/10/payments/minutes/2014-03-25-s6/
> Manu Sporny:  In order to do a payment of any sizeable amount you
>   have to sort out the identities involved in the transaction, to
>   establish trust and sort out know-your-customer and anti money
>   laundering issues, etc.
> Manu Sporny:  Identity was a huge topic at the workshop, 70% of
>   the papers submitted stated that identity was a serious issue on
>   the web, that we needed to figure out a way to transmit
>   personal credentials without violating privacy, even for
>   incredibly low-value transactions you currently have to give out
>   too much personal data
> Manu Sporny:  There was a debate, one group saying eradicating
>   anonymity, another one saying eradicating that would be like 1984
>   future, etc. good debate
> Manu Sporny:  Folks involved in the discussion were IETF,
>   qualcomm, microsoft, w3c talking about webcrypto API and role
>   played in identity space, Louise Bennett from the Chartered
>   Institute for IT (British Computer Society) did a phenomenal job
>   talking about balance between anonymity and privacy and security
>   and balancing with the law, etc.
> Manu Sporny:  End result, personal opinion here, it would be very
>   difficult for w3c to ignore identity problem for much longer
> Manu Sporny:  Big swell of w3c companies wanting to address the
>   identity problem, 1. by itself it's a problem on the internet, 2.
>   for payments use cases we have to figure identity problem out
> Manu Sporny:  Any thoughts so far?
> Pindar Wong:  Do you recall any specific comments about Lucy Lynch
>   from ISOC?
> Manu Sporny:  She wasn't there, Karen O'Donahue was (from IETF /
>   ISOC). I emailed Lucy and she said she couldn't make it ... sent
>   karen on her behalf
> Manu Sporny:  Karen did digital signature stuff at IETF, she
>   co-chairs the JOSE working group.
> Manu Sporny:  Hannes Tschofenig in charge of OAuth work at IETF
>   and strong proponent for getting anonymity and privacy right, was
>   speaking on behalf of privacy and identity, and wendy seltzer
>   from w3c were some of the strongest voices for supporting
>   anonymity and privacy from day 1
> Pindar Wong:  I value Lucy's opinion/views deeply, she's a great
>   star in this area, so was curious
> Manu Sporny:  She did help shape agenda for workshop, but was
>   unfortunate she had a conflict and couldn't make it
> Manu Sporny:  It was interesting because at w3c ... i spoke with
>   some w3c staff ... and my general input was you're going to have
>   to do something about identity it's clear, and w3c said they
>   tried to do something about this 3 years ago, we had a workshop
>   and it wasn't clear what identity was, the problem wasn't clearly
>   defined, and w3c is wary about picking it up again because it
>   wasn't clear what identity is on the web, and it means a whole
>   bunch of different things to different people, but now there are
>   w3c orgs that want to solve very specific identity issues, like
>   transmitting credentials across the web in a secure, private
>   way, passport, license ID, citizen of a particular
>   state/province, whether you have a degree from a university, an
>   email address is another type of verifiable credential, etc.
> Manu Sporny:  We have put out the "Identity Credentials"
>   specification via the Web Payments CG, OpenID Connect also
>   exists, as do things like LTI - so we're not starting from
>   scratch:
> Manu Sporny: http://manu.sporny.org/2014/credential-based-login/
> Manu Sporny:  There's a blog post out there about this, it's a
>   call for a credential-based login, there's a spec built someway
>   off of persona, reuses best bits of web payments work, puts a
>   stake in the ground to build off of, etc.
> Manu Sporny:  Pindar, if you could make her aware of the Identity
>   Credentials spec work in the CG that would be great
> Manu Sporny:  I'll be pushing this myself in various places,
>   we'll also be having a w3c plenary later where this proposal will
>   be on the table in october, so this is something concrete to look
>   at
> Pindar Wong:  Since we have IGF 2014 in september, plenary in
>   october, maybe focusing on the identity issue would be best
> Joseph Potvin:  I provided a link on identity management in IRC,
>   which connects in because it provides the pathway to communicate
>   on all of this stuff with the ministries and departments of
>   justice in these countries where this will matter where these
>   things must be permitted within these jurisdictions, so once
>   again it goes beyond the technical ability to resolve these
>   issues, it also has to do with linkage w/justice departments,
>   etc.
> Brent Shambaugh: For security, I was trying to reach out to
>   OWASP. Could I drop a link?
> Manu Sporny:  I agree, please get them involved and aware that
>   this is going on.
> Brent Shambaugh:
>   https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab.3DTop_Ten_Mobile_Risk
> Manu Sporny:  Security was also a big thing that went along with
>   identity, just like security+payments, brent added link about
>   OWASP, can you give a background?
> Brent Shambaugh:  It's an open source security group that deals
>   with mobile security.
> Brent Shambaugh:  They have a top 10 mobile problems list -
>   password, identity, securing sensitive data, things like that.
> Brent Shambaugh:  I was really impressed with what they had put
>   together, check out the Top Ten Mobile Risks list they have
>   above.
> Manu Sporny:  Maybe one of the things we could do is just invite
>   some of the OWASP people onto the call and chat with them, talk
>   about there's work at w3c that might start in the next year, we'd
>   like their input on it, etc.
> Manu Sporny:  Maybe also contact Natasha Rooney at GSMA as she
>   may be in contact w/them as well.
>
> Topic: Current and Future Payment Systems
>
> Manu Sporny:
>   http://www.w3.org/2013/10/payments/minutes/2014-03-24-s3/
> Manu Sporny:  This had to do with ... they got all of the big
>   providers, big payment companies on stage to talk about where we
>   are currently and where we need to go, there was a pretty big gap
>   between what the current banks and payments companies were
>   talking about and what folks like ripple labs and bitcoin
>   companies and to some degree w3c were talking about
> Manu Sporny:  The groups were Worldline, The World Bank, Ripple
>   Labs, The US Federal Reserve, CoinApex, and many others.
> Manu Sporny:  We didn't have a lot of feedback from the banks ...
>   their position was mostly that nothing was so wrong that we
>   couldn't make minor changes to make progress, etc. the input from
>   the cryptocurrency providers was that there were fairly big
>   problems that need to be addressed, international remittances,
>   for example are absolutely awful, there was a lot of back and
>   forth for where this w3c standard would go, the clear outcome
>   from that was that there was nothing w3c could do to really
>   modify current payment systems in the world, the w3c standards
>   will have to apply to emerging nations w/no real banking
>   infrastructure, or they will have to layer on top of existing
>   payment systems today, the top layer will have to simulate the
>   complex underwriting below
> Manu Sporny:  So payments will look faster to the customer but
>   will still use old infrastructure underneath, which we expected
> Manu Sporny:  In the CG, we just need to build a shim that would
>   hide complexities of the old system
> Manu Sporny:  The other thing is we can't create anything that
>   changes the fundamental movement of money in the first iteration
>   of this technology
> Manu Sporny:  So the thing we need to focus on has more to do
>   with consumer facing tech ... than with back end banking systems.
> Joseph Potvin:  Connie, from the US Federal Reserve, indicated
>   that there were technologies in Bitcoin that could improve
>   payments for ACH-based systems.
> Joseph Potvin:  GIRO (spanish word, pronounced "Hero") banking is
>   about moving money around but doesn't actually move money around,
>   it's just a distributed accounting system
> Joseph Potvin: Here is a nice summary of how GIRO works -- see
>   the diagram on pg 2
>   http://www.abs.org.sg/pdfs/Financial/GIRO/IBG_Procedures.pdf
> Joseph Potvin:  One account goes up the other goes down
> Joseph Potvin:  And it can handle conversions as well, ACH is
>   like this system
> Joseph Potvin:  The reserve bank of india is in the process of
>   setting one up as well, these are different from other currency
>   systems because the other ones move digital packets around
> Joseph Potvin:  And this is just accounting
> Joseph Potvin:  I'd like to reinforce what she said about that
> Joseph Potvin:  More attention should be paid to GIRO banking as
>   well
> Manu Sporny:  What i'm trying to get across is that our ability
>   to change ACH with a W3C spec is almost non-existent. That's
>   something that the banks have control over and are probably not
>   willing to change in any large way.
> Joseph Potvin:  There are many GIRO banking systems
> Joseph Potvin: My recommendation is for the community to
>   understand GIRO banking, and how it differs from conventional
>   banking. GIRO is a business model for banking, not a brand.
> Joseph Potvin:  About what would a w3c spec be about? and
>   it seems it should be about a generic GIRO spec ... and i don't
>   think it would be about the kind of thing that ripple is, a GIRO
>   wouldn't require anything like an XRP to (Joseph's audio becomes
>   garbled and disconnects).
> Manu Sporny:  I think what he was going to say was that you
>   wouldn't need XRP to do transactions, it's merely based on the
>   trust of the banks in the network and w3c could try and
>   standardize that. We'll have to have a whole conference call to
>   talk about that, the feedback I got from banks is that they
>   wouldn't be all that interested in making that big of a change to
>   their systems.
> Manu Sporny:  It's too expensive for them, to the tune of tens of
>   millions of dollars, unless it's fairly easy to make a technical
>   change there, i'm a bit dubious whether w3c could accomplish
>   that.
>
> Topic: Initiating Payments and Digital Receipts
>
> Manu Sporny:  The key takeaway there is that we had agreement ...
>   we heard that banks wouldn't be willing to do that, we heard
>   instead that various people would be willing to standardize
>   payments and a mechanism that's universal on all websites for
>   initiating payments and a digital receipt and that dovetails into
>   the discussion here ... i'm not disagreeing with Joseph just
>   saying w3c may fail if we try to take a problem of that scope on.
> Manu Sporny:  Definite agreement around initiating payments and
>   digital receipts at the workshop.
> Joseph Potvin: There's no need to try to change or influence the
>   incumbent banking solutions, but GIRO banking seems to me to be
>   the model most suited to any eventual W3C spec on payments
> Manu Sporny:  Standardizing initiating a payment ... and then
>   once initiated, regardless of which payment system you're using
>   then is up to the payment provider and what they do is generate a
>   standard digital receipt (standard across the web) so that the
>   merchant can verify that digital receipt, so the only three
>   things are really required to standardize. A basic
>   identity/credential protocol, a simple protocol to initiate
>   payments, and merchant-verifiable digital receipts.
> Manu Sporny:  That would open up the entire market to far more
>   competition, it would mean you could plug and play payment
>   providers, etc.
> Manu Sporny:  Visa mastercard, paypal would all still exist, but
>   banks could participate as well, they'd just run extra software
>   on top of their systems, and also new payment providers could pop
>   up and could operate in this space
> Manu Sporny:  All using these standards
> Manu Sporny:  So the first cut of the web payments work would
>   have fairly narrow scope, measurable goals, we have use cases
>   from CG, etc. it would be best way to proceed
> Pindar Wong:  On the issue w/payments and digital receipts,
>   that's where i thought the CG was before Paris ... and afterwards
>   we're at the same place, and that sounds like a huge win for the
>   CG
> Manu Sporny:  Yup, people at the workshop were essentially
>   playing catchup with the CG and it's great that we were in the
>   right place
> Manu Sporny:  There was some gnashing of teeth by fairly large
>   payments players about the CG predicting this
> Manu Sporny:  They wanted to say that for the first time a bunch
>   of people came together and decided initiating payments and
>   digital receipts was the way to go, but in reality the CG was
>   there years ago.
> Manu Sporny:  But we don't need to hammer that home, it's more
>   important that two fairly diverse/different groups/events came
>   together and both agreed on the direction, etc.
> Pindar Wong:  Yup, no interest in bragging rights, just think
>   it's huge win CG is in the right place
> Pindar Wong:  Identity in payments is going to be a big one, good
>   to get more important from outside this field from IGF, etc.
> Pindar Wong:  For initiation of payments, digital receipts, this
>   is a great outcome, great achievement
> Manu Sporny:  To be clear, everyone thought identity was a big
>   problem and is important but not a clear path forward, just that
>   it needs to be addressed
> Manu Sporny:  We're out of time for today
> Manu Sporny:  We will probably have a follow up conversation next
>   week, tons of use cases to discuss, progress on specs that have
>   been happening in parallel to discuss, etc.
> Manu Sporny:  I will be out in the bay area, silicon valley, next
>   week April 16th-18th, in case any other Web Payments CG members
>   want to meet up.
>

Received on Monday, 14 April 2014 12:01:47 UTC