W3C Web Payments: Information Control and Information Flow from Erik Anderson on 2015-04-05 (public-webpayments-ig@w3.org from April 2015)

From: Erik Anderson <eanders@pobox.com>
Date: Sat, 4 Apr 2015 22:15:29 -0400
To: <public-webpayments-ig@w3.org>
Message-ID: <037f01d06f46$6401ae50$2c050af0$@pobox.com>
W3C Web Payments Security & Messaging Standards Diagram

https://www.w3.org/Payments/IG/wiki/images/5/53/W3C_payments_Standards_Diagr
am.png

 

W3C Web Payments Mind Map

https://www.w3.org/Payments/IG/wiki/images/8/87/W3C_Web_Payments.png

 

Information Controls and Information Flows pretty much covers the entire
transactional messaging world of financial services.

 

Do you like the sound of the below then read on:

1)  Identity based encryption? Separate credentials and access controls per
element of information?

2)  Dynamic & recoverable encryption keys so you can have a unique security
for every transaction?

3)  A scalable security architecture so ACH, Browsers, Bitcoins, a
decentralized file server can all benefit.

4)  Hacker breaks into your Apple account and your personal pictures/data
were stolen but still 100% secure.

5)  Dynamic key constructed at time of need and immediately destroyed after
usage. Role based access to protected content. Even bitcoin private keys can
be inherited by your loved ones.

6)  Guaranteed confidentiality with that government boogieman because YOU
granted them the access controls for x time period but only to that small
bit of information the courts Ok'ed.

7)  Manage information control over time be it centralized, decentralized,
TOR network, blockchain, bank, web browser. The security of the environment
does little to nothing to affect the security of the data itself.

8)  Verifiable Information chain of custody: document went from A, to B, to
C. Non-repudiation of an electronic signature.

9)  Protection of transaction/data is maintained regardless of what networks
the data transfers over or where the data is finally stored.

10) Each Government, Institution, Bank can manage its own risk vs security
tradeoffs. Biometrics, hardware tokens, pins, passwords are theirs to
define.

11) Compromise of 1 banks Vendor account, 1 corporate executive PC does
little to impact the integrity of the data.

12) Governments and financial institutions all have their own favorite
approved algorithms so we need to make sure to use an encryption schema not
an encryption algorithm so the solution works across these political
barriers.

13) That 1 master key or backdoor shouldn't exist. No more MTGox. One person
should never hold THE key. Government boogiemen nor a CEO.

14) User can rent and download digital content that expires after 7 days?
Two 3D printings.

 

>From startups to large organizations. So many are trying to redo financial
systems, standards, and boil oceans. I haven't found an approach that isnt
trying to boil rivers, lakes, or even the entire ocean.

 

Everyone wants faster, transparent, and secure transaction systems be they
ACH, Bitcoin, Ripple. Everyone is doing their own thing with so little
collaboration. Each of their ideas are unique, their approach is the best,
and their developers are the best on the planet.

 

Its obvious, you cant have faster payments without first making them more
secure. Chip & Pin cards with a MPOS is the silver bullet?

 

Wait, along comes the W3C trying to put payments into the browser and woh,
brings a whole new meaning to "card not present transaction".

 

Well, I guess the W3C will help boil the waters just a little bit more.  Can
the W3C come up with some new WebCrypto+ to magically protect the worlds
financial institutions? Obviously Governments nor financial service have any
expertise in protecting their own systems.

 

FinTech, Federal Reserve, Bitcoin, encryption, federated electronic ID, the
answers must be out there without boiling the waters of the world. Its 2015,
its inconceivable we need a new technology nor a browser standard to solve
these issues.

 

For the last 6+ months I have been researching existing ISO's, Crypto 2.0,
ANSI, NIST, X9 documentation centered around electronic transaction systems
and security that can be used as a common infrastructure not just for
browser based payments but for everyone. I have been convinced that
Financial Services has the answers somewhere but those answers just never
made it mainstream.

 

Bitcoin has all the answers! All of the true innovation is occurring in the
cryptocurrency space! Crypto 2.0 started in Bitcoin. OOPS, I lost my bitcoin
private key and I lost my entire 401k. Hum... Maybe not. I just dont think
that will go over well.

 

Is there a way to align everyone's approaches? Aligning financial payment
standards, internet security standards, Federal Reserve & Government payment
system improvements, crypocurrency approaches.

 

The browser is suppose to be the center of the world when it comes to
collaboration & interoperability. Certainly there must be something W3C can
do for the financial services world other than adopt an XML messaging
standards? Perhaps W3C can leverage its amazing reach to solve browser
payment standards and security frameworks.

 

A co-worker and friend of mine, Matthew Rawlings, is the expert. He has been
providing a lot of documentation links, connections, hours of explanations,
etc. The most recent connection was with TecSec.

 

This connection was the jackpot. I grabbed my family and took 2 days of
"workation" at TecSec near DC.

 

Thanks Jay, Ed, John, and Ron from TecSec.

 

TecSec has a wonderful set of technologies and ISO/X9 standards that can be
used to eliminate a lot of the issues with today's information flow and
information control.

 

>From an existing standards aspect W3C can accomplish Web Payments with 3
standards

X9.69 = Framework for Key Management Extensions (aka Constructive Key
Management and Key Usage Control)

X9.73 = Cryptographic Message Syntax

ISO 20022 = XML messaging standard for financial services

 

Can be used to solve all of the above bullet points and so muchhhh more.

 

However the technology and cryptography of this approach is immensely
challenging. Its very easy to get it wrong and 1 bug can make data
unrecoverable.

 

TecSec chairs the data security group of financial services (X9). TecSec has
a runtime engine called Constructive Key Management 7 (CKM7) that they have
agreed to open source. TecSec CKM7 + Enterprise Builder is an implementation
of X9.69 & X9.73.

 

If we add CKM7 runtime as an open source to the browser world we can use it
as a wrapper around financial messaging like ISO 20022, chat protocols,
password management systems, secure user interfaces, user identity
protection, merit based identity, dynamic electronic signatures, dynamic
cryptographic keys, time based access controls. CKM already has support for
biometrics (fingers, facial, voice, retina), passwords, hardware tokens,
geolocation & geofencing.

 

CKM7 has incredibly advanced cryptography but it has a cryptographic schema
to manage access to the raw cryptographic algorithms and dynamic key
management. CKM has a schema so its easily extensible to include new
innovations, mobile and biometric sensors, etc.

 

I am sure lots of you have heard about ISO 12812. Secure element, trusted
execution environment, managed dedicated execution contexts, trusted user
interface, Mobile Financial Service Provider, Trusted Service Manager,
authenticate the application downloaded, ensuring the secure execution of
the mobile financial applications. Some of the approaches ISO 12812 is about
physical security of the device. This is not necessary if you provide the
proper implementations of information security.

 

I don't believe ISO 12812, in its current form, can be directly used by the
browser world. This would likely mean a lot of custom browser development
for different devices. If its mathematically infeasible to impersonate the
financial institution or individual even on a compromised device. A
mathematical approach can still is superior to trying to maintain the
security of hardware elements themselves. The browser must always assume
itself to be a compromised environment so I think W3C stance must be
stronger on information security side and more agnostic to the physical
hardware.

 

A more generic approach like CKM's architecture for administering
credentials, keys and for an encryption schema will allow all to benefit
from a stronger information security stance. This will provide a common and
inter-operable approach from native applications to the browser.

 

IMO, the only unusable part of W3C Web Payments approach should be the
transactional message format itself (like ISO 20022)

 

ISO 12812, in its current implementation, will end up creating a lot of
inoperable services with incompatible messaging and security mechanisms. ISO
12812 is too specific to a financial transaction.

 

"AS IS" ISO 12812 will cause a lot of issues for W3C and browser vendors so
we should probably need to get involved ISO 12812 while it is still a draft.

 

Dont get me wrong, I agree with the general direction ISO 12812 is trying to
go, but its just not easily achievable. There is too much wiggle room in
12812 to make bad architecture decisions. Most certainly ISO 12812 cant
achieve success without W3C and browser vendor support. W3C Web Payments
needs to get very active with ISO 12812 if we are going to adopt it.

 

TecSec CKM7 runtime is a great security architecture wrapped with standards.
It will give financial institutions and browser vendors a plug-n-play
engineering solution to some very difficult problems.

 

CKM7 by no means restricts the world to a TecSec only solution. Its built
from standards so other can try and implement the X9.69 & X9.73 backends to
the CKM7 runtime. This will be a heck of a challenge but other companies can
try. TecSec has over 25 years of experience in this field so lets leverage
those standards and their experience to accomplish success.

 

IMO, its in W3C Web Payments interests to:
1) Adopt X9.69 and X9.73

2) Adopt CKM7 a browser standard implementation of X9.69 and X9.73. Add to
WebCrypto charter.

3) Adopt ISO 20022

4) If we are going to adopt ISO 12812 then we need to get involved in its
final drafts.

5) Write a W3C standard covering JavaScript payment API and adoption of the
above 

 

The above "W3C Web Payments Security & Messaging Standards Diagram" is a
rough overview of the approach we came to consensus at the TecSec office.
This approach has been provided to the Federal Reserve to see if this is
compatible with the direction financial services is heading.

 

The "W3C Web Payments Mind Map" is a brainstorm of mine, a mind map, of how
I see W3C fitting into the finance transactional space. Not just payments
but any financial transaction conducted over a browser.

 

Comments are welcome.

 

Erik Anderson

Bloomberg R&D & W3C Web Payments Co-Chair
Received on Sunday, 5 April 2015 02:21:21 UTC