Web Payments Telecon Minutes for 2013-09-25

Thanks to Dave Longley for scribing today! The minutes for this
week's Web Payments telecon are now available here:

https://payswarm.com/minutes/2013-09-25/

Full text of the discussion follows for archival purposes at the W3C.
Audio of the meeting is available as well (link provided below).

--------------
Web Payments Community Group Telecon Minutes for 2013-09-25

Agenda:
   http://lists.w3.org/Archives/Public/public-webpayments/2013Sep/0126.html
Topics:
   1. Update on GSoC Student Progress
   2. Updates to HTTP Signatures spec
   3. Postmortem: World Banking Conference (SIBOS)
   4. Postmortem: EDGE Conference and Financial Times
   5. Identity and Payments
Chair:
   Manu Sporny
Scribe:
   Dave Longley, David I. Lehn
Present:
   David I. Lehn, Andrei Oprea, Manu Sporny, Dave Longley,
   Madhu Nott, Melvin Carvalho, Evan Schwartz
Audio:
   http://payswarm.com/minutes/2013-09-25/audio.ogg

David I. Lehn is scribing.

Topic: Update on GSoC Student Progress

Andrei Oprea:  Things that I worked on the past two weeks
   consisted in improvements to the login system, adding gravatar
   image support for users and adding multiple payees that can be
   added to receive payment when you create the asset (I had a
   question about this: I have 3 fields for this, price, currency
   and payswarm accout, how should this last information, the
   accout, be made accesible/publicly-known? Is it acceptable to
   presume its known such as an email address? [scribe assist by
   Manu Sporny]
Manu Sporny:  Yes, financial account URLs can be publicly known
   just like email addresses.
Andrei Oprea:  The commits will be online by the end of the week.
   [scribe assist by Manu Sporny]

Topic: Updates to HTTP Signatures spec

Manu Sporny: https://payswarm.com/specs/source/http-signatures/
Manu Sporny:
   https://payswarm.com/specs/source/http-signatures-audit/
Manu Sporny:  been doing traveling, updated http signature spec
   in spare time
Manu Sporny:  discussing if we wanted to take http sig spec to
   ietf with nonces and trailers
Manu Sporny:  Want to keep the HTTP Signatures spec simple. We
   moved nonces and trailers into other specs:
Manu Sporny:
   https://payswarm.com/specs/source/http-signature-nonces
Manu Sporny:
   https://payswarm.com/specs/source/http-signature-trailers
Manu Sporny:  Greatly simplifies core spec. IETF going to wrap up
   work soon, wanted to get this into their work pipeline soon.
Manu Sporny:  HTTP Signatures spec needs examples updated.
David I. Lehn:  One of the examples I made in one of the
   implementations have the values from the spec in there. So, we
   should be able to generate that stuff easily. [scribe assist by
   Manu Sporny]
David I. Lehn:  What changed in the examples?
Manu Sporny:  Took out nonces and http trailer support. Also
   require request line, host, and date are now required to be
   signed.
Manu Sporny:  Did a pass and looks like gramatical things are ok.
   Security audit document took longer, but is good enough to submit
   at this point.

Topic: Postmortem: World Banking Conference (SIBOS)

Manu Sporny:  Spent last week at world banking conference in
   Dubai.
Manu Sporny:  Introduce PaySwarm, Ripple, etc to people.
Manu Sporny:  Spent time with lots of bankers, Bitcoin's chief
   legal counsel, Director of product strategy from OpenCoin/Ripple.
Dave Longley is scribing.
Manu Sporny:  Basically found out that it would be very difficult
   to switch production banking systems to new tech, old systems
   written in cobol/fortran from the 80s, they'd have to probably
   run side-by-side for a decade or two.
Manu Sporny:  there were 100-140 banking technology people in the
   room for the Web Payments presentation. Will have video from that
   later in the week.
Manu Sporny:  SWIFT is an international standards org for banks,
   so like w3c is to the web, SWIFT is to banks
Manu Sporny:  SWIFT doesn't create open source tech for banks,
   they just define the standards, ISO20022
Manu Sporny:  they have 2000 pages long standard about messages
   banks communicate with each other. SWIFT is many times larger
   than w3c.
Manu Sporny:  SWIFT message was that banks are very conservative
   when it comes to this tech, and because of this they are one of
   the last groups to adopt new tech
Manu Sporny:  people from payswarm/bitcoin/ripple have hard time
   communicating with banks because the main threat is for them to
   even think about integrating tech ... because of how archaic
   their current architectures are, there's a potential business
   threat too, but the new tech is the bigger barrier
Manu Sporny:  SWIFT wants to participate though
Manu Sporny:  they are very open to new tech, and want to get
   involved with w3c
Manu Sporny:  they know that banks will have to deal with these
   new techs and their standards group believes that they need to at
   least participate in this work so they can tell banks how to
   integrate payswarm/ripple/bitcoin into the banking infrastructure
   when the time comes
Manu Sporny:  really good news for us since they want to
   participate in the standards setting work.

Topic: Postmortem: EDGE Conference and Financial Times

Manu Sporny:  yesterday, i was at EDGE, there was an hour long
   panel on Web Payments:
   http://www.youtube.com/watch?v=Al3SEbeK61s&t=3h20m5s
Manu Sporny:  EDGE was really interesting in that it was one of
   the first times we had a number of people from the web payments
   group on the stage
Manu Sporny:  and a lot of tech people in the audience, lots of
   big names in the Web industry like John Resig (jQuery), Paul
   Irish (Modernizr), Jake Archibald (Google Chrome), Alex Russel
   (IE Chrome Frame), etc.
Manu Sporny:  talking at the conference a lot of people didn't
   know the web payments work was going on and we had a number of
   people join the group as a result
Manu Sporny:  we had people from stripe join, got some google
   wallet contacts, people from the audience excited about payswarm,
   bitcoin, ripple, etc.
Manu Sporny:  people from google wallet, etc. still pushing their
   proprietary stacks but also promoting movement toward something
   btter.
Manu Sporny:  payment startups more interested in the new open
   standard work
Manu Sporny:  google/etc. have a proprietary silo and lots of
   customers there and don't necessarily want to have to compete
   with others in the area
Manu Sporny:  but they are interested in new payment standards,
   etc.
Manu Sporny: Here's video of the EDGE Conference Panel on
   Payments: http://www.youtube.com/watch?v=Al3SEbeK61s&t=3h20m5s
Manu Sporny:  we were also talking to New York Times, Getty,
   Associated Press, and International Press Telecommunications
   Council yesterday at financial times talking about how to get rid
   of large amount of money spending on proprietary systems.
Manu Sporny:  people at all orgs interested in the web payments
   work as well as an identity solution for their customers.
Manu Sporny:  they are pushing us up to their technology teams to
   take a deeper look at what we're doing, and showing interest in
   joining us, bloomberg already in the group and very
   interested/supportive of what we're doing
Manu Sporny:  it was a great trip, we got lots of interest in
   various different verticals, etc.
Madhu Nott:  having worked in the banking industry for a long
   time (JP Morgan Chase, Royal Bank of Scotland, etc.), you'd be
   surprised at how brittle their systems are, so much is spend just
   on testing, there is often production code running and there's no
   documentation and the source code is not available
Manu Sporny:  that's scary
Madhu Nott:  yes, it's very very difficult, for people working in
   this environment, etc.
Melvin Carvalho: following conversation on IRC, interesting
   stuff.
Manu Sporny:  i was having discussions about this with [...
   banks] and people don't want to touch these systems because they
   "work", they were built in the 1980s and are still part of their
   core business and in production
Manu Sporny:  anyone who had any idea about web tech were slim,
   only people in core tech teams in SWIFT, etc. if you talk to the
   bank technologists, they are still in cobol/fortran land, they
   are talking about private financial networks, only a very
   high-level (heard of it) understanding of bitcoin
Madhu Nott:  these are the people i talk to every day, and one of
   the banks i was with, and they were working on a part of the
   infrastructure and it was so old and interesting that a historic
   museum wanted a piece
Manu Sporny:  yeah, that's why it's so difficult for SWIFT to
   change anything, they have an IBANN[sp?] number
Manu Sporny:  and changing one digit in that number would cost
   banks to spend between 5-10 million to deal with that change
Manu Sporny:  because some banks were using that number to decide
   whether or not banks could use faxes to send money, etc.
Manu Sporny:  the banks are very focused on keeping that old
   infrastructure up and running, they dont' have resources to focus
   on anything new
Manu Sporny:  no one is working on this stuff ,SWIFT said this
   was the first time they saw anyone working on open next gen
   banking technology and they were very excited to hear about it;
   hopefully we can get some of the SWIFT people on the calls in the
   future. It was interesting because they said that their hands are
   tied, they can only really work on stuff that the banks need in
   the immediate term and no bank wants large disruptive changes,
   even if they end up with a system that is far better than the one
   we currently have.
Manu Sporny:  the nice thing about SWIFT is that they have so
   much knowledge about how these financial systems work,e tc.
Manu Sporny:  they were impressed with payswarm and ripple and
   bitcoin
Manu Sporny:  we've got a very good dialogue going with them and
   we hope to continue that dialog.

Topic: Identity and Payments

Manu Sporny:  so while talking with the banking industry ... one
   thing became very apparent, there has been a big pain point
   w/banks for a long time, they don't have an identity solution
   that works on a banking level
Manu Sporny:  this idea that you could do KYC (know your
   customer)
Manu Sporny:  on a customer and then that customer could get a
   line of credit at a different bank or a new account at a new bank
Manu Sporny:  or use that identity to do some other financial
   activity...
Manu Sporny:  you just can't do that today
Manu Sporny:  i've also been talking to bitcoin community and
   they have been having to do KYC
Manu Sporny:  and they have to go through the same process that
   the banks have to go through
Manu Sporny:  and when you are doign any kind of financial thing
   you have to go through that mechanism
Manu Sporny:  there are some startups now that are doing just KYC
   for the banks
Manu Sporny:  all of them kind of have the same problem, there is
   no mechanism to express identity information, verified addresses
   ,social security, etc.
Manu Sporny:  there's no container format for it
Manu Sporny:  and we've been talking to them and payswarm has a
   mechanism that would work for all of these banking/financial
   institutations/organizations
Manu Sporny:  we have something that's based on crypto that would
   let these orgs do identity
Manu Sporny:  and verify etc
Manu Sporny:  we're trying to figure out a way to work with the
   mozilla persona people to see if there's an identity solution ...
   if we can use persona, and the payswarm-based identity solution
   to address some of these issues for banks and bitcoin-based
   financial services
Manu Sporny:
   http://lists.w3.org/Archives/Public/public-webpayments/2013Sep/0127.html
Manu Sporny:  we've had a decent bit of high level discussion
   about it on the mailing list
Manu Sporny:  some of the discussion went off topic
Manu Sporny:  some of it is based on ricardo's (from telefonica)
   and he thinks we're proposing some e-mail based solution, we're
   not... that's a red herring, so we need to make sure that people
   understand that we're not being simplistic about this.
Manu Sporny:  so i was wondering, madhu, what you were thinking
   about what banks could pick up in 2-3 years or 7-10 years if we
   standardized today on the web
Manu Sporny:  could you do a quick intro on identity as it
   relates to banking and we'll go from there?
Madhu Nott:  real quick, it may be worth it to delve into this in
   more far more depth on a different call. Here's a high-level
   overview -
Madhu Nott:  today, banks do identity checking as a routine every
   day process
Madhu Nott:  what is essential, and i don't see this changing, is
   that an identity be govt endorsed, they always want drivers
   license or passport, etc.
Madhu Nott:  that is a fundamental building block
Madhu Nott:  they are required by law to know who they do
   business with
Madhu Nott:  they need to know who they do business with, banking
   secrecy act, etc. layers on additional requirements
Madhu Nott:  it is done in a different way by different banks,
   and sometimes worse it is different per product
Madhu Nott:  if you understand where banking has come from, some
   countries have 4-5 huge banks, others, they have 4-5 big ones and
   then 7000 smaller banks
Madhu Nott:  banks grew up by combining different banks together
   and diff products
Madhu Nott:  if a customer applies for a credit card vs. checking
   account, KYC is often different between the two
Madhu Nott:  even within a single institution
Madhu Nott:  it's being done today and in a way that's expensive,
   it's seen as a significant risk driver, all it takes is 10-20
   large accounts or even small ones that fall into the wrong hands
   and it's a huge issue for the banks
Madhu Nott:  if a bank cannot establish your identity, they will
   and should refuse to do business with you
Madhu Nott:  so govt issue is important
Madhu Nott:  the problem is coming sideways at me ... if someone
   said "wouldn't it be a nice thing if you could share identity?"
Madhu Nott:  i haven't heard that from the banks
Madhu Nott:  the systems are largely closed today as are the
   protocols for establishing identity and it works quite fast
Madhu Nott:  identity can be established in a few seconds
Madhu Nott:  there are proprietary stacks to establish identity
   today and how much is it worth for us to create an open standard
   for establishing identity? That's the question we should be
   asking.
Madhu Nott:  establishing an open standard for payments will
   require some identity, but maybe not KYC identity
Madhu Nott:  one more point, there is a kind of identity required
   to KYC, there's another kind to require to authorize transactions
Madhu Nott:  today auth and identity are conflated in the banking
   world
Madhu Nott:  establishing that you are manu when you open an
   account is different from using your payment card
Madhu Nott:  identity, authorization are conflated, permission to
   use, if you will
Madhu Nott:  there's a presumed identity there, for example, if
   you gave me your card, the institutions presume the identity
Madhu Nott:  they presume it's you using it, but that's not
   always true
Madhu Nott:  there's a nuance there, things are conflated and
   that's a problem
Madhu Nott:  so that's a different issue, what the system is
   authorizing is the number ... are there good funds behind it that
   hasn't been complained about, it isn't establishing that it's
   actually you spending the funds
Madhu Nott:  it was not possible when the system was invented 30
   years ago that there were two things separately in an efficient
   way, we were using signatures and photo ids , etc
Madhu Nott:  but that has gone away, we could achieve this today
Madhu Nott:  but doing that, it may be a value-add to the system
   if we can focus our efforts on that
Manu Sporny:  we are using a lot of public key/cryptography with
   payswarm and bitcoin/ripple
Manu Sporny:  there are passwords you could place on your wallet
   so you need more than the account itself to do a transaction
Manu Sporny:  when you do a digital signature your key may be
   locked in some way so a smart card or something else holds your
   key that you must unlock to do a payment. Like a PIN on a
   chip/pin card.
Manu Sporny:  so you have to be the actual owner
Madhu Nott:  i could see a scenario today where it's far less
   likely to give someone your atm card to use it vs. a credit card
Madhu Nott:  i think it's very valuable to establish the
   difference/support what people want here
Madhu Nott:  the fraud rate is very different for pin-based
   products (lower fraud)
Manu Sporny:  yeah, whenever you have a token it helps lower
   fraud
Manu Sporny:  i dont' think whatever identity solution we come up
   with be used by the banks right away, it will take time. In fact,
   the banks may be the last organizations adopting it.
Manu Sporny:  if we don't support what they already need then our
   new tech won't be a good replacement for what they have today
Manu Sporny:  they make proprietary calls out to services to do
   KYC and it would be great if those banks didn't have to pay for
   that
Manu Sporny:  obviously some orgs wouldn't like that but a lot of
   other orgs that need to verify shipping addresses, etc could all
   use this system, so it's not just about banks and easier log in
   on the web, it's about both and more, and making sure we have a
   solution that can scale to address both of those use case needs
Manu Sporny:  do you think that's worth pursuing, madhu?
Madhu Nott:  yes, i think it makes sense; if you want to do
   anything in the world of payments, establishing identity is an
   essential part of it, if we want to evolve and change the
   payments world and make it more friendly on the web
Madhu Nott:  you always need identity at the very least the
   identity solution must do as well as the banks now and it's great
   if it's better and we can advertise that business proposition
   across different ways
Manu Sporny: Right now, In PaySwarm, we have identities that look
   like this (public identity information):
   https://dev.payswarm.com/i/manu
Madhu Nott:  we need identity for payments, since we need it, how
   do we craft something, or use existing mechanisms, that are
   already available or make it applicable to a wider audience
Manu Sporny:  so we have the core of that already in payswarm,
   the idea here is that you have a URL for your identity in
   payswarm, at that URL is a whole bunch of machine readable data,
   in order to get to other stuff there's an ACL, you have to
   provide access to the person who wants the info
Manu Sporny:  an ideal use case would be going to a financial
   site to log in with persona and then persona would give your
   identity URL to the bank
Manu Sporny:  once the bank has that, it can then start querying
   that URL to complete its KYC process
Manu Sporny:  like, what is the physical mailing address, are
   they a citizen, etc, all that can be stored in an external
   identity and queried by the bank and then the banks don't need to
   pay as much, and the bank doesn't have to keep those processes
   inside the bank, they can just query this external identity
Manu Sporny:  the question is how to trust that information
Manu Sporny:  anyone could put whatever they want at that URL,
   well, what we can do is ... there are companies that already do
   KYC clearing for customers, instead they can assert some
   information and digitally sign it, then write it to that identity
   URL
Manu Sporny:  by doing that, as long as the bank trusts the
   entity doing KYC, if there's a signature on their info at the
   identity URL from that KYC provider institution, and the customer
   says "yes, i agree to release this info to the bank i'm signing
   up for" this seems like a fairly workable solution
Manu Sporny:  instead of making these proprietary calls they
   could just make an open call, and it's really simple and the
   person is automatically in and the bank doesn't have to pay for
   KYC'ing the customer.
Manu Sporny:  the person just gives access to the bank if they
   want to and they don't have to fill out any forms, etc.
Manu Sporny:  and they just share whatever info they want with
   the bank and that gets them their account there
Manu Sporny:  other companies, vendors, etc. would adopt this
   first before banks would, to get shipping info, etc.
Manu Sporny:  do you think that could work for banks in the
   future?
Madhu Nott:  i think so, in many ways it replicates the work flow
   of today, which is great, it's a good thing, that's what
   companies do today that process that's new and different here, is
   that the customer is giving permission
Madhu Nott:  today this information isn't necessarily in the
   customer's control
Madhu Nott:  bureaus currently control it
Madhu Nott:  but right now that's exactly what happens now when
   opening accounts at the bank, we go check the KYC institutions, i
   trust someone who trusts someone else, etc.
Madhu Nott:  and the information flows and ... this new idea
   works, i think it makes sense
Manu Sporny:  this would require just a small set of tweaks to
   the existing identity solution we have
Manu Sporny:  with payswarm
Manu Sporny:  the idea here would be that you can write to an
   identity by posting some JSON to it
Manu Sporny:  and the customer could say yes or no
Manu Sporny:  and the other thing would be so-and-so institution
   wants info X, customer says yes or no
Manu Sporny:  so that's almost the exact same thing as we do for
   the PaySwarm buy flow right now
Dave Longley:  I don't think you missed anything, that's more or
   less what we were looking at doing in the future anyway. [scribe
   assist by Manu Sporny]
Dave Longley:  We would have to look at all the details of how to
   do the "writing to your identity" portion, but what you outlined
   is the high-level of what would work. [scribe assist by Manu
   Sporny]
David I. Lehn:  could this work in the background?
Manu Sporny:  it could work like our budgeting feature right now
Manu Sporny:  to grant continuous access to certain institutions,
Manu Sporny:  then they could pull when you wanted
Manu Sporny:  this would allow them to pull the info whenever
   they needed to use it
Manu Sporny:  that may be a version 2.0 thing, we dont'
   necessarily need it in the first cut
Manu Sporny:  we also need to figure out how to integrate this
   with persona and the larger identity sphere
Manu Sporny:  persona can already clear 700 million+ email
   addresses so that's a good start/place to get this integrated
Manu Sporny:  i'm hoping next week we can get the mozilla persona
   folks here to discuss this stuff
Manu Sporny:  that's the last bit, we can do everything else
Manu Sporny:  we just need the persona folks to tell us how to
   tie an identity URL to a login
Manu Sporny:  any other comments or questions?
Manu Sporny:  if that's a fairly easy technical solution then we
   just need to do the specs, etc.
Manu Sporny:  thanks all
Evan Schwartz:  bye

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/

Received on Wednesday, 25 September 2013 19:07:30 UTC