Re: Web Payments and Identity

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Mon, 23 Sep 2013 10:26:49 +0200
Message-ID: <CAKaEYh+Br8pA+2bjcbT=V=r3XT5Vc3vjY6jmw_sOsfA546MUbw@mail.gmail.com>
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: "Joe Cascio, Jr." <joe.cascio.jr@gmail.com>, Ben Adida <ben@adida.net>, Lloyd Hilaiel <lloyd@mozilla.com>, Dan Callahan <dan.callahan@gmail.com>, Web Payments CG <public-webpayments@w3.org>
On 22 September 2013 15:36, Manu Sporny <msporny@digitalbazaar.com> wrote:

> I was recently asked to speak at the world banking conference about Web
> Payments. I had a ton of meetings with various big banks (HSBC,
> Barclays, Royal Bank of Scotland, etc) over the past week. They
> desperately need an online identity solution, and I'm trying to get
> leading thinkers in this space together to talk about how we might come
> up with a solution that works for them while dovetailing it with the
> work we're doing here on identity.
> Here's the basic problem:
> In order to do anything serious with money in the world, financial
> institutions need to do something called a "Know Your Customer", aka
> KYC, process on their customers. This involves doing things like
> verifying their address, government ID, making sure they're not on a
> government watch list, etc. Each bank does this, typically in a way that
> is specific to that particular bank. The Bitcoin community is having to
> do this now as well, for large transactions.
> An identity solution for the Web should take these use cases into
> account. We already have a mechanism of endorsing data on the sorts of
> identities that we use in PaySwarm, but the bridge between that and
> things like Persona's PICL stuff is not clear at the present time. We
> really need to work through these details.
> Any future identity standard for the Web should take these issues (of
> KYC, government or private institutions endorsement, extensible
> metadata) into account. We're going to be discussing this at a high
> level on this week's upcoming Web Payments call. I ask that at least a
> representative from the Persona, PICL, and Bitcoin communities
> participate in the conversation. The details about joining the call are
> here:
> http://lists.w3.org/Archives/Public/public-webpayments/2013Sep/0126.html


Identity on the web is challenging because everyone does it in a slightly
different way.  You need to model the concept then have digital identifiers
that point to that concept.

Following web axioms you ideally want to have identity as a URI so that it
is scalable and properly namespaced.  PaySwarm does a pretty decent job
here, as does WebID. OAuth is not bad as it allows both email and profile
pages to be your identifier.  In Persona your email *is* your identity,
which is a smart hack that allows memorable identifiers, but the trade off
is that it does exclude web style identifiers.  In systems like bitcoin
your account address is both your identifier and your public key, which is a
clever way to use content addressable identifiers that can verify
signatures without needing any kind of lookup.  In terms of standardization
you want to be able to model all of these ecosystems, but that's very much
doable by giving each identity system a URI.

The things people like to model are "Person" and "Account".  Normally a
person "has-a" account.

There are a few ways to add authenticity.  For example if a bank shows you
your balance, you trust DNS (perhaps also TLS) that the information is
valid.  If you want to be more portable, you can use signing instead of /
or as well as DNS.

In a general sense I see three aims:

1. To create a scalable identity solution that allows key value pairs to be
tied to an identity (e.g. using RDFa); this allows users to be associated
with more data such as KYC

2. To separate identity from authentication in a modular scalable way, then
allow permissive first class solutions for both.

3. Have the correct privacy / access control options so that the correct
people see the correct data in a secure way, and there is no unauthorized

> -- manu
> --
> Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
> Founder/CEO - Digital Bazaar, Inc.
> blog: Meritora - Web payments commercial launch
> http://blog.meritora.com/launch/
Received on Monday, 23 September 2013 08:27:17 UTC