
Re: Update on Web Payments Working Group [The Web Browser API Incubation Anti-Pattern]

From: UniDyne <unidyne@gmail.com>
Date: Wed, 6 Apr 2016 23:14:08 -0400
Message-ID: <CAE3_McgZnDWWTwQqVXtDresMd3FUOcB2go_QZ=ob69=nMSGPGw@mail.gmail.com>
To: Steven Rowat <steven_rowat@sunshine.net>
Cc: Fabio Barone <holon.earth@gmail.com>, Web Payments <public-webpayments@w3.org>, Credentials CG <public-credentials@w3.org>

I've been watching this list for a long time. Just my 2 cents:

HTTP (the "web") is merely a transport mechanism. Web payments is merely a
protocol built on top of that. Do we really need an in-browser API? If not,
is W3C needed? I think the answers are "yes" and "yes".

OAuth and OpenID were simply protocol implementations that received buy-in
early on in the rise of social media. OAuth in particular wasn't
rock-solid, but it was a well-documented and easy-to-implement solution to
the SSO problem, so everyone started using it. We didn't need W3C for that.
It's essentially just a Kerberos implementation over HTTP.

WebID is essentially just another protocol. It's not even built on HTTP but
actually lives in SSL. The only thing "web" about it is that it is to be
used over HTTPS and includes a URI for identification. That CG's been
around for several years now and still isn't an official standard but if
you take the "web" part out of it, it could still be just as useful for
other transports.

These are both protocols that can (and do) work outside browser vendors and

The difference is that going the protocol route with "web payments" is near
impossible because of the concept of "wallets" and "payment providers". At
the very least, the latter would be imperative unless we're willing to
allow the payee to handle that part initially. The issue is security and
risk. An e-commerce payee has to worry about PCI compliance. They currently
have a slew of products and providers available and very few are going to
venture outside that. Anyone who has filled out a PCI Self-Compliance
Survey knows that having something new or different requires an explanation
and "mitigating controls." Writing a vendor name is much easier. A payment
provider worries about their exposure when using an ("untested") open
standard they didn't develop. That's probably the reason why every payment
provider is coming up with their own solution or rolling with someone else
that has a big name and deep pockets.

An in-browser API implementation is needed to ensure that everyone is
correctly implementing the same baseline standard with the same security
practices. It's also required for wallets and the hardware things that
might secure them (biometrics, keys, TPMs, etc.). Achieving this outside W3C
would be very difficult. It would need buy-in from one of the major
browsers and prove successful (or at least make a lot of noise) in order to
coerce the others to follow.

I agree with Anders. A standard isn't likely to get traction until there's
enough competition in this space to get the players to come to the table
and hash something out. I think that move is more likely to come from
payment providers than browser vendors. There's a cost associated with
fragmentation, but it's not reaching a threshold where it outweighs both
risk and the limits of market share.

On Wed, Apr 6, 2016 at 1:33 PM, Steven Rowat <steven_rowat@sunshine.net> wrote:

> On 4/6/16 7:26 AM, Fabio Barone wrote:
>> I believe one scenario to achieve some of the ideals behind this group:
>> - A decentralized evolution of the blockchain/bitcoin protocol
>> (features: fast and easy confirmation of TX, no need to download 60GB
>> of data in order to participate, and more)
>> - Results in obliterating current financial powers and promises more
>> open interactions
>> - A strong interledger protocol, as THE blockchain should not exist
>> IMHO, or we have a decentralized central single point of failure
>> - Money NOT designed for scarcity, with built-in rules to shrink/grow
>> the money supply according to REAL (and real-time) economic data
>> - With reference to a tangible value for value accounting (how much is
>> a bitcoin? It only holds value in reference to something else, and it
>> fluctuates too much. Could be kWh)
>> - Bake these underlying protocols into the web (via browsers or the
>> evolution thereof).
> +1
> And add these thoughts:
> The way this CG group is headed, of accommodating the current
> financial/identity regimes, is in fact being developed in parallel by so
> many (dozens) of legal, political, and private corporation bodies in the
> world [see below], that I've come to the tentative conclusion that this CG
> has little or no chance of contributing much more to that form of the
> solution. Which, as you point out Fabio, may never work anyway for anyone:
> the world may be headed for a revolutionary shift to interledger and
> blockchains that achieves this, eventually.
> My strong statement in the preceding paragraph is based on this: I
> followed the link Joseph Potvin provided (in the web-payments list version
> of this thread) to UNCITRAL:
>> See: "UNCITRAL Colloquium on Identity Management and Trust Services" 21-22
>> April 2016, Vienna
>> http://www.uncitral.org/uncitral/en/commission/colloquia/identity-management-2016.html
> From that page I followed each of three links that give comprehensive
> background papers in Identity Management, and which are required reading
> for the upcoming UNCITRAL conference. All three are PDFs. [1,2,3]. All
> interesting, but only the first two are parallel to the work of this CG --
> but they are stunning in their comprehensiveness. Not only is much of
> what's being discussed here every day being explained in detail, but there
> is much beyond what's being discussed here. And the huge number of bodies
> working on the problem is laid out.
> Here are two quotes from [2], (American Bar Association "Overview of
> identity management..."'). The Introduction opens with point #1, which is
> of clear relevance to the question raised in this CG of the need for an
> identity solution before payments can be solidified:
>> 1. In 2011, an OECD report noted that “digital identity management is
>> fundamental to the further development of the Internet economy.”1 It is a
>> foundational requirement for all substantive forms of e-commerce.
> Then in point #5 of the Introduction, which is long, and which I'm going
> to paste here in its entirety because that's my whole point (how big it
> is), there's the huge number of groups working in parallel on an identity
> solution, worldwide:
>> 5. The critical importance of identity management in facilitating trustworthy
>> e-commerce is well-recognized. Numerous intergovernmental groups, states, private
>> international groups, and commercial entities are actively exploring identity
>> management issues and opportunities, developing technical standards and business
>> processes, and seeking ways to implement viable identity systems. For example:
>> (a) Inter-governmental groups actively working on identity management
>> issues and standards include the Organization for Economic Cooperation and
>> Development (OECD),8 the International Organization for Standardization (ISO)9
>> and the International Telecommunications Union (ITU);10
>> (b) A survey undertaken by the OECD11 identified 18 OECD countries
>> actively pursuing national strategies for identity management (Australia, Austria,
>> Canada, Chile, Denmark, Germany, Italy, Japan, Luxembourg, Netherlands, New
>> Zealand, Portugal, Republic of Korea, Slovenia, Spain, Sweden, Turkey, and United
>> States of America).12 Several other countries, such as Estonia, India, and Nigeria are
>> also actively pursuing such strategies;
>> (c) Several regional identity projects are underway in the European Union,
>> including PrimeLife (a project of the European Commission’s Seventh Framework
>> Programme),13 the Global Identity Networking of Individuals — Support Action
>> (GINI-SA),14 STORK (to establish a European eID Interoperability Platform),15 and
>> the European Network and Information Security Agency (ENISA);16
>> (d) Private organizations working on identity standards and policy at an
>> international level include the Organization for the Advancement of Structured
>> Information Standards (OASIS),17 the Open Identity Exchange (OIX),18 the Kantara
>> Initiative,19 the Open ID Foundation,20 tScheme,21 and The Internet Society;22
>> (e) Some commercial identity systems have been established and operate on
>> a global scale in limited areas. These include those operated by the Transglobal
>> Secure Collaboration Program (TSCP)23 and CertiPath24 for the aerospace and
>> defence industries, the SAFE-BioPharma Association25 for the biopharmaceutical
>> industry, IdenTrust26 for the financial sector, the CA/Browser Forum27 for website
>> EV-SSL certificates, and FiXs — Federation for Identity and Cross-Credentialing
>> Systems (FiXs).28 The work of these groups is focused primarily on technical
>> standards and business process issues, rather than legal issues.
> There is much more of interest in both [1] and [2], both as regards
> payments/commerce and identity/credentials (including already-in-use legal
> terminology like "relying party" for the person or body that
> consumes/uses/examines a credential) and I encourage any members of this
> list to read [1] and [2] in full.
> I don't mean to imply that this CG has accomplished nothing; on the
> contrary, I think there's a good chance that the gradual rise of all these
> bodies' attempts to solve identity has been driven by groups such as this
> CG which have been raising the hue and cry about the need for a solution.
> Perhaps that rise in awareness of the need will be all that is
> accomplished here. And perhaps it's enough.
> Steven Rowat
> [1] A/CN.9/854 - Possible future work in the area of electronic commerce -
> legal issues related to identity management and trust services
> http://daccess-ods.un.org/access.nsf/Get?OpenAgent&DS=A/CN.9/854&Lang=E
> [2] A/CN.9/WG.IV/WP.120 - Overview of identity management - Background
> paper submitted by the Identity Management Legal Task Force of the American
> Bar Association
> http://daccess-ods.un.org/access.nsf/Get?OpenAgent&DS=A/CN.9/WG.IV/WP.120&Lang=E
> [3] A/CN.9/WG.III/WP.136 - Online dispute resolution for cross-border
> electronic commerce transactions: Submission by the Russian Federation
> http://daccess-ods.un.org/access.nsf/Get?OpenAgent&DS=A/Cn.9/Wg.iii/wp.136&Lang=E
Received on Thursday, 7 April 2016 03:14:37 UTC