W3C home > Mailing lists > Public > public-webpayments-ig@w3.org > May 2015

Re: [Payments Architecture] A vision statement for the web payments architecture work

From: Ian Jacobs <ij@w3.org>
Date: Tue, 19 May 2015 19:03:58 -0500
Cc: Manu Sporny <msporny@digitalbazaar.com>, Web Payments IG <public-webpayments-ig@w3.org>, Web Payments CG <public-webpayments@w3.org>
Message-Id: <365944A2-EF97-45CF-98CC-C2487448063D@w3.org>
To: Melvin Carvalho <melvincarvalho@gmail.com>

> On May 19, 2015, at 3:14 PM, Melvin Carvalho <melvincarvalho@gmail.com> wrote:
> On 19 May 2015 at 22:02, Ian Jacobs <ij@w3.org> wrote:
> > On May 19, 2015, at 1:17 PM, Manu Sporny <msporny@digitalbazaar.com> wrote:
> >
> > On 05/19/2015 02:02 PM, Adrian Hope-Bailie wrote:
> >> Personally I think some mention of security is necessary but if there
> >> is a consensus that it is not I'll happily drop it.
> >
> > I'm strongly in favor of keeping the statement about security in the
> > vision document.
> >
> > I understand what Melvin is getting at, but I don't think we can get
> > away with saying nothing about security in the vision primarily because
> > most other people won't understand the nuances of decentralized systems
> > scaling security up as their size grows (e.g. Bitcoin).
> Although I am satisfied with "Being secure by design” here’s another perspective: security is
> SO important to payments it deserves a bullet in the list that follows. For example, something like:
>   * Supports a wide spectrum of security needs to meet industry and regulatory expectations.
>     To meet regulatory requirements and give people enough confidence to use the Web for
>     payments, the architecture must support a wide spectrum of security requirements and
>     solutions. This includes the ability to encrypt strongly both sensitive information and the
>     channels used to exchange the information, as well as supporting an evolving variety of
>     authentication techniques (multifactor, biometric, etc.). Trust in the Web of payments
>     is critical to its success.
> I like security, and I like all these features.
> However at an architectural level there's a continuum between connected and highly connected, and secure and highly secure.  There's an inverse correlation between security and connectivity.
> So on the web you're going to get security evangelists, and connectivity evangelists.  I'm in the latter camp because I think it adds significantly more value.  Security evangelists are invited to back up their arguments, which might be quite valid, with value creation metrics.
> It seems that security evangelists outnumber connectivity evangelists, tho the web has a habit of turning traditional assumptions on their head.
> I can certainly live with the language used, but I do see the danger of packing security into the spec to the extent that it struggles to get traction.  It's easy enough to vote stuff and make any of these requirements a *must*.

Hi Melvin,

One of my expectations is that there will be spectrum of needs and solutions. Allowing a spectrum suggests that we cannot have absolute requirements that would preclude a portion of the spectrum. That might increase traction (but it might also lower interoperability). I think we need to get more experience with, and more input, on how to find a sweet spot.

> I dont have any motives here apart from me personal mission which is maximize value creation.  I personally love all these security features on offer, and have great admiration for the work that's been done to facilitate them.  So, as an implementer I guess I'm spoilt to be able to hand pick the best parts from the spec, and just wanted to register my thoughts.

Thank you!

Ian Jacobs <ij@w3.org>      http://www.w3.org/People/Jacobs
Tel:                       +1 718 260 9447

Received on Wednesday, 20 May 2015 00:04:08 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:08:35 UTC