W3C home > Mailing lists > Public > public-webpayments@w3.org > September 2013

Re: Web Payments and Identity

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Tue, 24 Sep 2013 00:52:14 -0400
Message-ID: <52411A7E.1090302@digitalbazaar.com>
To: Lloyd Hilaiel <lloyd@mozilla.com>
CC: Ben Adida <ben@adida.net>, Web Payments CG <public-webpayments@w3.org>, "Joe Cascio, Jr." <joe.cascio.jr@gmail.com>, Dan Callahan <dan.callahan@gmail.com>
On 09/22/2013 02:50 PM, Lloyd Hilaiel wrote:
 > I'd love to attend the call, Manu.

Great! Dial-in details are here:

https://payswarm.com/minutes/

> I agree with Ben on the general notion that a tight coupling between
> payments and identity could doom both efforts.

Agreed as well. We want a very loose coupling. We don't want to
re-invent Persona, we'd like to leverage it. How exactly we'd do that is
still unknown.

> The first step for me is a world where authentication and
> authorization are not tightly coupled, and users have a privacy
> preserving way to log into sites that is not conflated with more
> information sharing than they desire, and they can make a subsequent
> decision to authorize 3rd party services.

+1

> It seems like one thing we could do is begin defining conventions
> around extra parameters that IdPs can provide - promises they make
> about the level of verification that occurred.  But here I'm curious
> how the RP can ensure a level of certainty on claimed identities and
> their level of verification, and we can still build a usable and open
> system.

Yes, I think figuring out conventions of how an IdP can provide extra
information to a RP would be a good start. Perhaps figuring out a way
where the RP can ask for extra information would be nice.

One option is for the RP to provide a template that is filled out by the
IdP, for example:

{
   "email": "",
   "identity": "",
   "address": ""
}

The message above would be sent by the RP to the IdP to request the
information during the login process. The IdP would ask the customer if
it's okay to fill the information out and then provide an assertion back
to the RP that includes the requested information.

> But rather than digging in more, I'd love to join this call and
> explore the space, and figure out the loosest coupling that could let
> us support each other.

Great! Looking forward to it.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/
Received on Tuesday, 24 September 2013 04:52:31 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:07:24 UTC