Re: Web Payments and Identity from Manu Sporny on 2013-09-24 (public-webpayments@w3.org from September 2013)

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Tue, 24 Sep 2013 00:38:23 -0400
To: Ben Adida <ben@adida.net>
CC: Web Payments CG <public-webpayments@w3.org>, "Joe Cascio, Jr." <joe.cascio.jr@gmail.com>, Dan Callahan <dan.callahan@gmail.com>, Lloyd Hilaiel <lloyd@mozilla.com>
Message-ID: <5241173F.8000102@digitalbazaar.com>

On 09/22/2013 12:40 PM, Ben Adida wrote:
> it's not
> obvious to me that we should conflate all identity use cases into one.

I totally agree.

> 1. simple web login and financial login are totally different and should
> be served by different technologies.

I'd like us to try and figure out if we can create some sort of bridge 
from simple web login (Persona) to financial login (PaySwarm) without 
adding a considerable amount of complexity to either identity ecosystem.

> 2. financial login can build on top of simple web login with additional
> layered features.

Yes, I think we're at the point where we should create a few proposals 
so that we can discuss how this would work for payments. Specifically, 
how can I bootstrap Know Your Customer (KYC) assertions using a 
Persona-based login? The KYC assertions can be something that PaySwarm 
specifies, but in a way that is bootstrapped via Persona in some yet to 
be determined way.

> 3. financial and simple web login can be served by the same product.

This could mean several things. The way I'm interpreting it is that you 
have a banking software product that is capable of doing Persona-based 
logins as well as some other 2-factor based login, which is a completely 
different code path than the Persona-based login. In that case, I'm 
afraid that this would be a failure to standardize something that could 
have had a cleaner UX.

> My only nudge here is to not presume that option 3 is the only way to
> go. If the burden of KYC complicates the technology too much, the right
> solution could be 1 or 2.

Right. I think one of the driving goals here should be to figure out a 
way to layer this stuff on top of Persona without adding too much 
complexity to Persona. Ideally, the mechanism we'd use is the same sort 
of mechanism some other identity solution that needs to do something 
completely different would use (two-factor yubikey auth, for instance).

Pushing the KYC complexity into Persona is a recipe for disaster, imo. 
Creating a completely new identity mechanism that is Persona-like would 
be just as bad.

We don't know quite what the Persona folks are thinking when it comes to 
attaching 3rd party information to a Persona login, and we have a pretty 
solid use case for doing this (KYC). Talking through the use case w/ a 
person or two from the Persona team would be very helpful.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/

Received on Tuesday, 24 September 2013 04:38:41 UTC