W3C home > Mailing lists > Public > public-credentials@w3.org > April 2016

Re: Update on Web Payments Working Group [The Web Browser API Incubation Anti-Pattern]

From: Roger Bass <roger@traxiant.com>
Date: Wed, 6 Apr 2016 23:18:26 -0700
Message-ID: <CA+nC-Xs2QyOPNKBXVVJGDk1U7tyoD8YFESRWE91Oi0W2CqhmXw@mail.gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: UniDyne <unidyne@gmail.com>, Web Payments <public-webpayments@w3.org>, Credentials CG <public-credentials@w3.org>
Sorry: for those interested, I meant to include the link to this site
http://rhizomik.net/html/ This was specifically in regard to their
Semantic Web mapping of various e-Business Ontologies
<http://rhizomik.net/html/ontologies/bizontos/>. In
particular, those mappings include one of the ebCPPA (Collaboration
Protocol Profile and Agreement) work that was done as part of the OASIS
ebXML initiative. This is something I see having potential relevance to B2B
Payments scenarios.

On Wed, Apr 6, 2016 at 10:44 PM, Roger Bass <roger@traxiant.com> wrote:

> On Wed, Apr 6, 2016 at 8:14 PM, UniDyne <unidyne@gmail.com> wrote:
>> A standard isn't likely to get traction until there's enough competition
>> in this space to get the players to come to the table and hash something
>> out. I think that move is more likely to come from payment providers than
>> browser vendors. There's a cost associated with fragmentation, but it's not
>> reaching a threshold where it outweighs both risk and the limits of market
>> share.
> Quite.
> The browser use case for Web Payments is obviously an important one. And
> there may well be ways to incrementally move the state of the art forward,
> short of a shift to full interoperability. It seems clear enough that
> competitive conditions in the browser market, and probably even the payment
> provider market aren't yet at a point to drive that.
> However, I would suggest that if broad payments interoperability arises
> elsewhere (i.e. non-browser use cases) it's plausible that that would carry
> over to the browser use case too.
> Let me get more specific - and recall the big shift that occurred in
> telecommunications. Over a decade or two (I don't have the stats to hand),
> that world shifted from being mainly a voice network, with data running on
> top of it... to a world where the traffic was 99% data. The underlying
> infrastructure, too, shifted to being basically a data network, with voice
> just another relatively minor application running on top.
> Isn't it fairly obvious that a similar shift is underway in the Web, if
> seen as the "Interaction" layer of the Internet? Being human beings, most
> of us tend to think first about the use cases that directly involve a human
> being. But in fact, the volume of non-human interactions already dwarfs the
> human interactions, certainly for example when you look at something as
> easily quantified as payment volumes and values. Consumer Web interactions
> are frequently mediated by software (mobile/cloud apps)... but for
> payments, not yet quite to the point where significant numbers of purchase
> / payment transactions are being made by apps, rather than by a human being
> directly through a browser.
> For business-to-business (B2B) payments, however, this is not the case.
> Larger businesses' payments are by and large already automated. On the
> receiving side too, automated payment processes exist for many businesses,
> even if non-automated flows account for most of the volume. (This is an
> opportunity). The total volume of such payments globally is about 7x
> consumer payment volumes ($700 trillion vs $100 trillion, in round numbers,
> per McKinsey). There is also considerable competition and innovation in
> that space, as well as a diversity of players, such that business cases
> already exist for interoperability in various segments of the larger market.
> To flip my original assertion around: I would even say that if an
> interoperable (and global) payments model emerges for B2B payments - an
> Internet of Payments, in other words - it's hard to imagine that NOT
> carrying over into the consumer world (including browser use cases).
> To get back to the specifics of the Web platform: it includes various
> standards conceived very much with machine-to-machine interactions in mind.
> The Semantic Web, in particular, is a big idea that I think most would
> agree hasn't yet taken off in any significant way. There hasn't been a
> killer app for the Semantic Web. But B2B Payments, and B2B interactions
> more generally could be it, in my view - the "tip of the spear" or catalyst
> for another big shift.
> Now, it's true that the W3C is not a venue that's particularly well-suited
> or experienced when it comes to the complex, multi-layered standardization
> of B2B interactions. Such work has, however, been going on elsewhere,
> notably OASIS with ebXML, not to exclude other standards with traction at
> different layers of the stack.
> That said, although I've not yet spent a lot of time on this question,
> others apparently have. (Notably, there's some academic work I linked in an
> earlier email. I may invite the authors to join this group). It's still
> unclear what the costs and benefits might be of mapping or migrating those
> standards, not to mention their implementations in the real world, onto a
> Semantic Web platform.
> From a W3C perspective generally, however - and in particular this Web
> Payments CG perspective - the potential benefits seem very clear. If
> efforts focused on B2B payments use cases can solve a payments interop
> problem that's big in its own right, that could potentially catalyze an
> interop shift in the otherwise-challenging consumer/browser world too...
> and perhaps even a massive, rapid Semantic Web adoption wave, comparable to
> the original Internet / Web wave... well, those all seem like pretty
> desirable outcomes, no?
> Roger
> On Wed, Apr 6, 2016 at 9:58 PM, Anders Rundgren <
> anders.rundgren.net@gmail.com> wrote:
>> On 2016-04-07 05:14, UniDyne wrote:
>>> I've been watching this list for a long time. Just my 2 cents:
>>> HTTP (the "web") is merely a transport mechanism. Web payments is merely
>>> a protocol built on top of that. Do we really need an in-browser API? If
>>> not, is W3C needed? I think the answers are "yes" and "yes".
>> It is a position at least :-)
>>> OAuth and OpenID were simply protocol implementations that received
>>> buy-in early on in the rise of social media. OAuth in particular wasn't
>>> rock-solid, but it was a well-documented and easy-to-implement solution to
>>> the SSO problem, so everyone started using it. We didn't need W3C for that.
>>> It's essentially just a Kerberos implementation over HTTP.
>>> WebID is essentially just another protocol. It's not even built on HTTP
>>> but actually lives in SSL. The only thing "web" about it is that it is to
>>> be used over HTTPS and includes a URI for identification. That CG's been
>>> around for several years now and still isn't an official standard but if
>>> you take the "web" part out of it, it could still be just as useful for
>>> other transports.
>>> These are both protocols that can (and do) work outside browser vendors
>>> and W3C.
>>> The difference is that going the protocol route with "web payments" is
>>> near impossible because of the concept of "wallets" and "payment
>>> providers".
>> That's indeed the biggest difference compared to the things you mention.
>>> At the very least, the latter would be imperative unless we're willing to
>>> allow the payee to handle that part initially. The issue is security and
>>> risk.
>> Although true, the W3C Web Payment efforts have "externalized" this part
>> of the plot with hopes that the vendors will "fill in the blanks".
>> From what I can see, the card industry, to take a concrete example, hasn't
>> yet come up with a scheme for the Web in spite of having had 20 years or so
>> to think about it.
>> Therefore this part will also be a question for the "platform" vendors
>> (independent "browser" vendors are not really in power these days).
>> Since there are two dominating mobile platforms where one of the vendors
>> generally keeps a low profile in standardization, we (all) effectively rely
>> on a single vendor.
>> My proposal (which currently has no supporters in W3C) is forcing this
>> single vendor to offer an open interface between the Web and Wallets (and
>> more), allowing anybody to create a Web Payment system. That may sound like
>> the opposite of standardization, and that's true; since Banks, VISA, EMVco,
>> ISO, FIDO, etc. do not operate in the open, the very foundation for
>> standards in the usual meaning is missing. Innovation is therefore a
>> better short-term alternative IMO. After a period of innovation,
>> consolidation will hopefully rectify the worst excesses.
>> Anders
>>> An e-commerce payee has to worry about PCI compliance. They currently
>>> have a slew of products and providers available and very few are going to
>>> venture outside that. Anyone who has filled out a PCI Self-Compliance
>>> Survey knows that having something new or different requires an explanation
>>> and "mitigating controls." Writing a vendor name is much easier. A payment
>>> provider worries about their exposure when using an ("untested") open
>>> standard they didn't develop. That's probably the reason why every payment
>>> provider is coming up with their own solution or rolling with someone else
>>> that has a big name and deep pockets.
>>> An in-browser API implementation is needed to ensure that everyone is
>>> correctly implementing the same baseline standard with the same security
>>> practices. It's also required for wallets and the hardware things that
>>> might secure them (biometrics, keys, TPMs, etc). Achieving this outside W3C
>>> would be very difficult. It would need buy-in from one of the major
>>> browsers and prove successful (or at least make a lot of noise) in order to
>>> coerce the others to follow.
>>> I agree with Anders. A standard isn't likely to get traction until
>>> there's enough competition in this space to get the players to come to the
>>> table and hash something out. I think that move is more likely to come from
>>> payment providers than browser vendors. There's a cost associated with
>>> fragmentation, but it's not reaching a threshold where it outweighs both
>>> risk and the limits of market share.
>>> On Wed, Apr 6, 2016 at 1:33 PM, Steven Rowat <steven_rowat@sunshine.net>
>>> wrote:
>>>> On 4/6/16 7:26 AM, Fabio Barone wrote:
>>>>> I believe one scenario to achieve some of the ideals behind this group:
>>>>> - A decentralized evolution of the blockchain/bitcoin protocol
>>>>> (features: fast and easy confirmation of TX, no need to download 60GB
>>>>> of data in order to participate, and more)
>>>>> - Results in obliterating current financial powers and promises more
>>>>> open interactions
>>>>> - A strong interledger protocol, as THE blockchain should not exist
>>>>> IMHO, or we have a decentralized central single point of failure
>>>>> - Money NOT designed for scarcity, with built-in rules to shrink/grow
>>>>> the money supply according to REAL (and real-time) economic data
>>>>> - With reference to a tangible value for value accounting (how much is
>>>>> a bitcoin? It only holds value in reference to something else, and it
>>>>> fluctuates too much. Could be kWh)
>>>>> - Bake these underlying protocols into the web (via browsers or the
>>>>> evolution thereof).
>>>> +1
>>>> And add these thoughts:
>>>> The way this CG group is headed, of accommodating the current
>>>> financial/identity regimes, is in fact being developed in parallel by so
>>>> many (dozens) of legal, political, and private corporation bodies in the
>>>> world [see below], that I've come to the tentative conclusion that this CG
>>>> has little or no chance of contributing much more to that form of the
>>>> solution. Which, as you point out Fabio, may never work anyway for anyone:
>>>> the world may be headed for a revolutionary shift to interledger and
>>>> blockchains that achieves this, eventually.
>>>> My strong statement in the preceding paragraph is based on this: I
>>>> followed the link Joseph Potvin provided (in the web-payments list version
>>>> of this thread) to UNCITRAL:
>>>> See: "UNCITRAL Colloquium on Identity Management and Trust Services"
>>>>> 21-22 April 2016, Vienna
>>>>> http://www.uncitral.org/uncitral/en/commission/colloquia/identity-management-2016.html
>>>> From that page I followed each of three links that give comprehensive
>>>> background papers in Identity Management, and which are required reading
>>>> for the upcoming UNCITRAL conference. All three are PDFs. [1,2,3]. All
>>>> interesting, but only the first two are parallel to the work of this CG --
>>>> but they are stunning in their comprehensiveness. Not only is much of
>>>> what's being discussed here every day being explained in detail, but there
>>>> is much beyond what's being discussed here. And the huge number of bodies
>>>> working on the problem is laid out.
>>>> Here are two quotes from [2], (American Bar Association "Overview of
>>>> identity management..."). The Introduction opens with point #1, which is
>>>> of clear relevance to the question raised in this CG of the need for an
>>>> identity solution before payments can be solidified:
>>>>> 1. In 2011, an OECD report noted that “digital identity management is
>>>>> fundamental to the further development of the Internet economy.”1 It is a
>>>>> foundational requirement for all substantive forms of e-commerce.
>>>> Then in point #5 of the Introduction, which is long, and which I'm going
>>>> to paste here in its entirety because that's my whole point (how big it
>>>> is), there's the huge number of groups working in parallel on an identity
>>>> solution, worldwide:
>>>>> 5. The critical importance of identity management in facilitating trustworthy
>>>>> e-commerce is well-recognized. Numerous intergovernmental groups, states, private
>>>>> international groups, and commercial entities are actively exploring identity
>>>>> management issues and opportunities, developing technical standards and business
>>>>> processes, and seeking ways to implement viable identity systems. For example:
>>>>> (a) Inter-governmental groups actively working on identity management
>>>>> issues and standards include the Organization for Economic Cooperation and
>>>>> Development (OECD),8 the International Organization for Standardization (ISO)9
>>>>> and the International Telecommunications Union (ITU);10
>>>>> (b) A survey undertaken by the OECD11 identified 18 OECD countries
>>>>> actively pursuing national strategies for identity management (Australia, Austria,
>>>>> Canada, Chile, Denmark, Germany, Italy, Japan, Luxembourg, Netherlands, New
>>>>> Zealand, Portugal, Republic of Korea, Slovenia, Spain, Sweden, Turkey, and United
>>>>> States of America).12 Several other countries, such as Estonia, India, and Nigeria are
>>>>> also actively pursuing such strategies;
>>>>> (c) Several regional identity projects are underway in the European Union,
>>>>> including PrimeLife (a project of the European Commission’s Seventh Framework
>>>>> Programme),13 the Global Identity Networking of Individuals — Support Action
>>>>> (GINI-SA),14 STORK (to establish a European eID Interoperability Platform),15 and
>>>>> the European Network and Information Security Agency (ENISA);16
>>>>> (d) Private organizations working on identity standards and policy at an
>>>>> international level include the Organization for the Advancement of Structured
>>>>> Information Standards (OASIS),17 the Open Identity Exchange (OIX),18 the Kantara
>>>>> Initiative,19 the Open ID Foundation,20 tScheme,21 and The Internet Society;22
>>>>> (e) Some commercial identity systems have been established and operate on
>>>>> a global scale in limited areas. These include those operated by the Transglobal
>>>>> Secure Collaboration Program (TSCP)23 and CertiPath24 for the aerospace and
>>>>> defence industries, the SAFE-BioPharma Association25 for the biopharmaceutical
>>>>> industry, IdenTrust26 for the financial sector, the CA/Browser Forum27 for website
>>>>> EV-SSL certificates, and FiXs — Federation for Identity and Cross-Credentialing
>>>>> Systems (FiXs).28 The work of these groups is focused primarily on technical
>>>>> standards and business process issues, rather than legal issues.
>>>> There is much more of interest in both [1] and [2], both as regards
>>>> payments/commerce and identity/credentials (including already-in-use legal
>>>> terminology like "relying party" for the person or body that
>>>> consumes/uses/examines a credential) and I encourage any members of this
>>>> list to read [1] and [2] in full.
>>>> I don't mean to imply that this CG has accomplished nothing; on the
>>>> contrary, I think there's a good chance that the gradual rise of all these
>>>> bodies' attempts to solve identity has been driven by groups such as this
>>>> CG which have been raising the hue and cry about the need for a solution.
>>>> Perhaps that rise in awareness of the need will be all that is
>>>> accomplished here. And perhaps it's enough.
>>>> Steven Rowat
>>>> [1] A/CN.9/854 - Possible future work in the area of electronic commerce
>>>> - legal issues related to identity management and trust services
>>>> http://daccess-ods.un.org/access.nsf/Get?OpenAgent&DS=A/CN.9/854&Lang=E
>>>> [2] A/CN.9/WG.IV/WP.120 - Overview of identity management - Background
>>>> paper submitted by the Identity Management Legal Task Force of the American
>>>> Bar Association
>>>> http://daccess-ods.un.org/access.nsf/Get?OpenAgent&DS=A/CN.9/WG.IV/WP.120&Lang=E
>>>> [3] A/CN.9/WG.III/WP.136 - Online dispute resolution for cross-border
>>>> electronic commerce transactions: Submission by the Russian Federation
>>>> http://daccess-ods.un.org/access.nsf/Get?OpenAgent&DS=A/Cn.9/Wg.iii/wp.136&Lang=E
Received on Thursday, 7 April 2016 06:19:37 UTC
