- From: Nick Shearer <nshearer@apple.com>
- Date: Fri, 26 Jun 2015 12:16:05 -0700
- To: Joseph Potvin <jpotvin@opman.ca>
- Cc: Web Payments IG <public-webpayments-ig@w3.org>
- Message-id: <34F72F66-4D84-4BF9-A69D-E2143F672EF0@apple.com>
> On Jun 26, 2015, at 11:55 AM, Joseph Potvin <jpotvin@opman.ca> wrote:
>
> Nick, might we agree on the following statement? "ISO 20022 standardizes only a message 'scheme' without specifying the various message types, because messages are transitory and they evolve with the diversity of payment systems in operation. For convenience the ISO 20022 community maintains a catalogue of message types structured according to the ISO 20022 standard. However that catalogue is not intrinsic to the standard."
>
> Are you recommending that the IG's work should not even accept any dependence upon the financial industry's messaging scheme (or compatible)?

First of all, thanks to Ian for the clarifying e-mail. Just so you can better understand my position - it rather depends what you mean by “dependence”. I don’t think it’s unreasonable to suppose that in the future there may be radically different payment instruments and schemes than what we have today. Such schemes should not necessarily be encumbered or dependent on an existing ISO standard, and so neither should the standard. But that is not to say ISO 20022 could not form part of any web payments standard - just it should not be a mandatory part.

> Joseph Potvin
> On behalf of DataKinetics http://www.dkl.com
> Operations Manager | Gestionnaire des opérations
> The Opman Company | La compagnie Opman
> jpotvin@opman.ca
> Mobile: 819-593-5983
>
> On Fri, Jun 26, 2015 at 2:39 PM, Nick Shearer <nshearer@apple.com> wrote:
>
>> On Jun 26, 2015, at 10:32 AM, Joseph Potvin <jpotvin@opman.ca> wrote:
>>
>> RE: "the messaging standard used is specific to both the payment instrument and the jurisdictional preference"
>>
>> Nick, that statement is self-contradictory.
>
> We agree to disagree. I think the difference of opinion here is how fine-grained a specification needs to be regarding messaging format. I - and others - are of the opinion it doesn’t need to be granular, and the messaging standard is purely the responsibility of the payment instrument. Others seem to believe the spec should be closely defining the exact messaging specification. As Adrian says, for version one it doesn’t seem like we are proposing to bridge schemes and instruments.
>
> I understand that some people believe financial institutions would be more willing to participate with a familiar format, but I’d counter that by suggesting regular developers would be less willing to participate. I don’t think anybody is talking about starting from scratch. It is simply a matter that compliance with ISO 20022 should not be enforced by the standard. It should be optional.
>
>> Besides, the issue has to do with whether and how W3C specifications ought to reference any global standards from any other global standards body. The general point is that, as the recognized global web standards body enters into the domain of money and payments, will the global web standards body W3C accept that there are multiple pre-existing legitimate and useful global financial system and e-commerce standards and specifications (and global principles and global model laws) that it should just accept as boundary conditions for its own mandate & workplan (except where they are determined to contradict W3C Principles of Design), or does this global web standards body intend to start from scratch?
>>
>> Given that the original intent expressed a year and a half ago was to get something useful in place asap, it would seem pragmatic to default into accepting the thoughtful efforts of the multiple global technical committees that have already negotiated numerous global financial system and e-commerce standards and specifications. Should any of their requirements be found to contradict W3C Design Principles, very likely they would be willing to adjust their standards or specifications to accommodate core Web principles.
>>
>> FWIW, I quote TBL's "Principles of Design: Test of Independent Invention: If someone else had already invented your system, would theirs work with yours? Does this system have to be the only one of its kind? This simple thought test is described in more detail in "Evolution" in these Design Issues. It is connected to modularity inside-out: designing a system not to be modular in itself, but to be a part of an as-yet unspecified larger system. A critical property here is that the system tries to do one thing well, and leaves other things to other modules. It also has to avoid conceptual or other centralization, as no two modules can claim the need to be the unique center of a larger system."
>> http://www.w3.org/DesignIssues/Principles.html
>>
>> Joseph Potvin
>> On behalf of DataKinetics http://www.dkl.com
>> Operations Manager | Gestionnaire des opérations
>> The Opman Company | La compagnie Opman
>> jpotvin@opman.ca
>> Mobile: 819-593-5983
>>
>> On Fri, Jun 26, 2015 at 11:55 AM, Nick Shearer <nshearer@apple.com> wrote:
>>
>>> On Jun 26, 2015, at 8:02 AM, Joseph Potvin <jpotvin@opman.ca> wrote:
>>>
>>> RE: "ISO Standards being made mandatory"
>>>
>>> Whatever the reasons some W3C members may have for not wanting to explicitly or implicitly require conformance with external global standards or specifications, possibly the following approach would supply a workable solution:
>>>
>>> ***
>>>
>>> Any explicit requirement or reference in the W3C specification to another external standard or specification that is developed and maintained by a separate global standards body, will be followed by words such as “or compatible”, unless the W3C has been directly involved in the development and maintenance of that external standard or specification.
>>>
>>> ***
>>>
>>> Source for this idea: I've borrowed the underlying logic of Paragraph 3 in Article VI: Technical Specifications of the WTO Agreement on Government Procurement
>>> https://www.wto.org/english/docs_e/legal_e/gpr-94_01_e.htm#articleVI. This logic is also implemented in regional trade agreements.
>>>
>>> By using the phrase "or compatible" (the WTO phrase is a narrower "or equivalent"), we accommodate the scenario whereby any other specification (particular to a country, a supply chain, a widely deployed solution, etc.) would be suitable so long as it can semantically map with the named external global standard. Compatibility can be demonstrated/tested with the mapping tables.
>>>
>>> Is that approach good enough for consensus? We would therefore say "ISO 20022 or compatible", etc.
>>
>> I don’t think this is really much different. I concur with Adrian that the messaging standard used is specific to both the payment instrument and the jurisdictional preference. There will be payment schemes we haven’t even thought of in the future, and we need to account for them (ISO 20022 does not).
>>
>> Again, to echo Adrian - if a payment instrument decides its messaging must be compliant with a particular standard then that is totally fine. But defining the nuances of how a specific instrument works doesn’t seem like something in scope here.
>>
>>> ***
>>>
>>> RE: "Security Framework" & "US hasn't taken a mandatory approach yet. Other countries have but not the US."
>>>
>>> A view from this month's UNCITRAL meeting on global digital identity:
>>>
>>> "What's hampering the use of Electronic identification (eID) and electronic Trust Services (eTS) in global businesses?
>>> - Lack of legal predictability cross-border
>>> - Diversity of legal frameworks
>>>   * differences in legal effects
>>>   * national/regional legal frameworks
>>>   * differences in security and accountability obligations
>>>   * difference in liability regimes
>>> - Lack of interoperability on a global level
>>> - National silos vs global digital market/businesses
>>> - Lack of transparency on the quality of the services
>>> - Trust and security aspects"
>>>
>>> Source:
>>> "Open issues on Electronic Commerce: the digital identity"
>>> Presentation by Andrea Servida, Head of eIDAS Task Force, DG CONNECT, European Commission
>>> UNCITRAL Workshop, 10 June 2015
>>> http://www.blogstudiolegalefinocchiaro.it/wp-content/uploads/2015/06/servida-Bologna_10_06_2015.pdf
>>>
>>> ***
>>>
>>> Joseph Potvin
>>> On behalf of DataKinetics http://www.dkl.com
>>> Operations Manager | Gestionnaire des opérations
>>> The Opman Company | La compagnie Opman
>>> jpotvin@opman.ca
>>> Mobile: 819-593-5983
>>>
>>> On Fri, Jun 26, 2015 at 9:28 AM, Erik Anderson <eanders@pobox.com> wrote:
>>>
>>> From my brief exchange with some in the F2F, I interpreted the "reservation" or skepticism was more along the lines of ISO Standards being made mandatory.
>>>
>>> US hasn't taken a mandatory approach yet. Other countries have but not the US.
>>>
>>> This is true in the financial services world but for security, not for something like ISO 20022 nor ISO 12812.
>>>
>>> Obama executive order on cybersecurity issued a recommendation for a "Security Framework" that would be a NIST + ISO standard.
>>>
>>> Short term incentive was
>>> 1) Firms who implement the Framework, in good faith, will not be punished for weaknesses identified during vulnerability assessments in their programs
>>> 2) A shift in liability if fraud/data breaches/personal information was stolen and the Framework was not followed.
>>>
>>> The long term was to turn the Framework into a mandatory compliance mechanism that included end-to-end data security, enhanced key management mechanisms, and constant risk assessment of security/vulnerability/penetration scanning.
>>>
>>> This will affect the W3C Web Payments. I will be pushing that the Web Payments standards go through this Government/NIST risk assessment, both at the W3C level and IETF level. This is happening and will be the hot topic within the Federal Reserve Security Taskforce.
>>>
>>> I covered this on my presentation.
>>>
>>> W3C Web Payment standard mandatory? ISO? X9? Not likely. Identity/Credentials = maybe. End-to-end security = absolutely.
>>>
>>> Erik Anderson
>>> Bloomberg R&D
Received on Friday, 26 June 2015 19:16:36 UTC