Re: Thanks to all and next steps

RE: "the messaging standard used is specific to both the payment instrument
and the jurisdictional preference"

Nick, that statement is self-contradictory.

Besides, the issue has to do with whether and how W3C specifications ought
to reference any global standards from any other global standards body. The
general point is that, as the recognized global web standards body enters
into the domain of money and payments, will the global web standards body
W3C accept that there are multiple pre-existing legitimate and useful
global financial system and e-commerce standards and specifications (and
global principles and global model laws) that it should just accept as
boundary conditions for its own mandate & workplan (except where they are
determined to contradict W3C Principles of Design), or does this global web
standards body intend to start from scratch?

Given that the original intent expressed a year and a half ago was to get
something useful in place asap, it would seem pragmatic to default into
accepting the thoughtful efforts of the multiple global technical
committees that have already negotiated numerous global financial system
and e-commerce standards and specifications. Should any of their
requirements be found to contradict W3C Design Principles, very likely they
would be willing to adjust their standards or specifications to accommodate
core Web principles.

FWIW, I quote TBL's "Principles of Design: Test of Independent Invention:
If someone else had already invented your system, would theirs work with
yours?  Does this system have to be the only one of its kind? This simple
thought test is described in more detail in "Evolution" in these Design
Issues. It is connected to modularity inside-out: designing a system not
to be modular in itself, but to be a part of an as-yet unspecified larger
system. A critical property here is that the system tries to do one thing
well, and leaves other things to other modules. It also has to avoid
conceptual or other centralization, as no two modules can claim the need to
be the unique center of a larger system."
http://www.w3.org/DesignIssues/Principles.html

Joseph Potvin
On behalf of DataKinetics http://www.dkl.com
Operations Manager | Gestionnaire des opérations
The Opman Company | La compagnie Opman
jpotvin@opman.ca
Mobile: 819-593-5983

On Fri, Jun 26, 2015 at 11:55 AM, Nick Shearer <nshearer@apple.com> wrote:

>
> On Jun 26, 2015, at 8:02 AM, Joseph Potvin <jpotvin@opman.ca> wrote:
>
> RE: "ISO Standards being made mandatory"
>
> Whatever the reasons some WC3 members may have for not wanting to
> explicitly or implicitly require conformance with external global standards
> or specifications, possibly the following approach would supply a workable
> solution:
>
> ***
>
> *Any explicit requirement or reference in the W3C specification to another
> external standard or specification that is developed and maintained by a
> separate global standards body, will be followed by words such as “or
> compatible”, unless the W3C has been directly involved in the development
> and maintenance of that external standard or specification.*
>
> ***
>
> Source for this idea: I've borrowed the underlying logic of Paragraph 3 in
> Article VI: Technical Specifications of the WTO Agreement on Government
> Procurement
> https://www.wto.org/english/docs_e/legal_e/gpr-94_01_e.htm#articleVI.
> This logic is also implemented in regional trade agreements.
>
> By using the phrase "or compatible" (the WTO phrase is a narrower "or
> equivalent"), we accommodate the scenario whereby any other specification
> (particular to a country, a supply chain, a widely deployed solution, etc.)
> would be suitable so long as it can semantically map with the named
> external global standard. Compatibility can be demonstrated/tested with the
> mapping tables.
>
> Is that approach good enough for consensus?  We would therefore say "ISO
> 20022 or compatible", etc.
>
>
> I don’t think this is really much different. I concur with Adrian that the
> messaging standard used is specific to both the payment instrument and the
> jurisdictional preference. There will be payment schemes we haven’t even
> thought of in the future, and we need to account for them (ISO 20022 does
> not).
>
> Again, to echo Adrian - if a payment instrument decides its messaging must
> be compliant with a particular standard then that is totally fine. But
> defining the nuances of how a specific instrument works doesn’t seem like
> something in scope here.
>
>
> ***
>
> RE: "Security Framework" & "US hasn't taken a mandatory approach yet.
> Other countries have but not the US."
>
> A view from this month's UNCITRAL meeting on global digital identity:
>
> "What's hampering the use of Electronic identification (eID) and
> electronic Trust Services (eTS) in global businesses?
> - Lack of legal predictability cross-border
> - Diversity of legal frameworks
>    * differences in legal effects
>    * national/regional legal frameworks
>    * differences in security and accountability obligations
>    * difference in liability regimes
> - Lack of interoperability on a global level
> - National silos vs global digital market/businesses
> - Lack of transparency on the quality of the services
> - Trust and security aspects"
>
> Source:
> "Open issues on Electronic Commerce: the digital identity"
> Presentation by Andrea Servida, Head of eIDAS Task Force, DG CONNECT,
> European Commission
> UNCITRAL Workshop, 10 June 2015
>
> http://www.blogstudiolegalefinocchiaro.it/wp-content/uploads/2015/06/servida-Bologna_10_06_2015.pdf
>
> ***
>
> Joseph Potvin
> On behalf of DataKinetics http://www.dkl.com
> Operations Manager | Gestionnaire des opérations
> The Opman Company | La compagnie Opman
> jpotvin@opman.ca
> Mobile: 819-593-5983
>
> On Fri, Jun 26, 2015 at 9:28 AM, Erik Anderson <eanders@pobox.com> wrote:
>
>>> From my brief exchange with some in the F2F, I interpreted the
>>> "reservation" or skepticism was more along the lines of ISO Standards
>>> being made mandatory.
>>>
>>
>> US hasn't taken a mandatory approach yet. Other countries have but not the
>> US.
>>
>> This is true in the financial services world but for security, not for
>> something like ISO 20022 nor ISO 12812.
>>
>> Obama executive order on cybersecurity issued a recommendation for a
>> "Security Framework" that would be a NIST + ISO standard.
>>
>> Short term incentive was
>> 1) Firms who implement the Framework, in good faith, will not be punished
>> for weaknesses identified during vulnerability assessments in their programs
>> 2) A shift in liability if fraud/data breaches/personal information was
>> stolen and the Framework was not followed.
>>
>> The long term was to turn the Framework into a mandatory compliance
>> mechanism that included end-to-end data security, enhanced key management
>> mechanisms, and constant risk assessment of
>> security/vulnerability/penetration scanning.
>>
>> This will affect the W3C Web Payments. I will be pushing that the Web
>> Payments standards go through this Government/NIST risk assessment, both at
>> the W3C level and IETF level. This is happening and will be the hot topic
>> within the Federal Reserve Security Taskforce.
>>
>> I covered this on my presentation.
>>
>> W3C Web Payment standard mandatory? ISO? X9? Not likely.
>> Identity/Credentials = maybe. End-to-end security = absolutely.
>>
>> Erik Anderson
>> Bloomberg R&D

Received on Friday, 26 June 2015 17:32:52 UTC