- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Wed, 25 Sep 2013 15:07:06 -0400
- To: Web Payments <public-webpayments@w3.org>
Thanks to Dave Longley for scribing today! The minutes for this week's Web Payments telecon are now available here:

https://payswarm.com/minutes/2013-09-25/

Full text of the discussion follows for archival purposes at the W3C. Audio of the meeting is available as well (link provided below).

--------------
Web Payments Community Group Telecon Minutes for 2013-09-25

Agenda:
  http://lists.w3.org/Archives/Public/public-webpayments/2013Sep/0126.html
Topics:
  1. Update on GSoC Student Progress
  2. Updates to HTTP Signatures spec
  3. Postmortem: World Banking Conference (SIBOS)
  4. Postmortem: EDGE Conference and Financial Times
  5. Identity and Payments
Chair:
  Manu Sporny
Scribe:
  Dave Longley, David I. Lehn
Present:
  David I. Lehn, Andrei Oprea, Manu Sporny, Dave Longley, Madhu Nott, Melvin Carvalho, Evan Schwartz
Audio:
  http://payswarm.com/minutes/2013-09-25/audio.ogg

David I. Lehn is scribing.

Topic: Update on GSoC Student Progress

Andrei Oprea: Things that I worked on the past two weeks consisted in improvements to the login system, adding gravatar image support for users and adding multiple payees that can be added to receive payment when you create the asset (I had a question about this: I have 3 fields for this, price, currency and payswarm account, how should this last information, the account, be made accessible/publicly-known? Is it acceptable to presume it's known such as an email address?) [scribe assist by Manu Sporny]
Manu Sporny: Yes, financial account URLs can be publicly known just like email addresses.
Andrei Oprea: The commits will be online by the end of the week.
[scribe assist by Manu Sporny]

Topic: Updates to HTTP Signatures spec

Manu Sporny: https://payswarm.com/specs/source/http-signatures/
Manu Sporny: https://payswarm.com/specs/source/http-signatures-audit/
Manu Sporny: been doing traveling, updated http signature spec in spare time
Manu Sporny: discussing if we wanted to take http sig spec to ietf with nonces and trailers
Manu Sporny: Want to keep the HTTP Signatures spec simple. We moved nonces and trailers into other specs:
Manu Sporny: https://payswarm.com/specs/source/http-signature-nonces
Manu Sporny: https://payswarm.com/specs/source/http-signature-trailers
Manu Sporny: Greatly simplifies core spec. IETF going to wrap up work soon, wanted to get this into their work pipeline soon.
Manu Sporny: HTTP Signatures spec needs examples updated.
David I. Lehn: One of the examples I made in one of the implementations has the values from the spec in there. So, we should be able to generate that stuff easily. [scribe assist by Manu Sporny]
David I. Lehn: What changed in the examples?
Manu Sporny: Took out nonces and http trailer support. Also, request line, host, and date are now required to be signed.
Manu Sporny: Did a pass and looks like grammatical things are ok. Security audit document took longer, but is good enough to submit at this point.

Topic: Postmortem: World Banking Conference (SIBOS)

Manu Sporny: Spent last week at world banking conference in Dubai.
Manu Sporny: Introduce PaySwarm, Ripple, etc to people.
Manu Sporny: Spent time with lots of bankers, Bitcoin's chief legal counsel, Director of product strategy from OpenCoin/Ripple.

Dave Longley is scribing.

Manu Sporny: Basically found out that it would be very difficult to switch production banking systems to new tech, old systems written in cobol/fortran from the 80s, they'd have to probably run side-by-side for a decade or two.
Manu Sporny: there were 100-140 banking technology people in the room for the Web Payments presentation.
Will have video from that later in the week.
Manu Sporny: SWIFT is an international standards org for banks, so like w3c is to the web, SWIFT is to banks
Manu Sporny: SWIFT doesn't create open source tech for banks, they just define the standards, ISO20022
Manu Sporny: they have 2000 pages long standard about messages banks communicate with each other. SWIFT is many times larger than w3c.
Manu Sporny: SWIFT message was that banks are very conservative when it comes to this tech, and because of this they are one of the last groups to adopt new tech
Manu Sporny: people from payswarm/bitcoin/ripple have hard time communicating with banks because the main threat is for them to even think about integrating tech ... because of how archaic their current architectures are, there's a potential business threat too, but the new tech is the bigger barrier
Manu Sporny: SWIFT wants to participate though
Manu Sporny: they are very open to new tech, and want to get involved with w3c
Manu Sporny: they know that banks will have to deal with these new techs and their standards group believes that they need to at least participate in this work so they can tell banks how to integrate payswarm/ripple/bitcoin into the banking infrastructure when the time comes
Manu Sporny: really good news for us since they want to participate in the standards setting work.

Topic: Postmortem: EDGE Conference and Financial Times

Manu Sporny: yesterday, i was at EDGE, there was an hour long panel on Web Payments: http://www.youtube.com/watch?v=Al3SEbeK61s&t=3h20m5s
Manu Sporny: EDGE was really interesting in that it was one of the first times we had a number of people from the web payments group on the stage
Manu Sporny: and a lot of tech people in the audience, lots of big names in the Web industry like John Resig (jQuery), Paul Irish (Modernizr), Jake Archibald (Google Chrome), Alex Russell (IE Chrome Frame), etc.
Manu Sporny: talking at the conference a lot of people didn't know the web payments work was going on and we had a number of people join the group as a result
Manu Sporny: we had people from stripe join, got some google wallet contacts, people from the audience excited about payswarm, bitcoin, ripple, etc.
Manu Sporny: people from google wallet, etc. still pushing their proprietary stacks but also promoting movement toward something better.
Manu Sporny: payment startups more interested in the new open standard work
Manu Sporny: google/etc. have a proprietary silo and lots of customers there and don't necessarily want to have to compete with others in the area
Manu Sporny: but they are interested in new payment standards, etc.
Manu Sporny: Here's video of the EDGE Conference Panel on Payments: http://www.youtube.com/watch?v=Al3SEbeK61s&t=3h20m5s
Manu Sporny: we were also talking to New York Times, Getty, Associated Press, and International Press Telecommunications Council yesterday at financial times talking about how to get rid of large amount of money spending on proprietary systems.
Manu Sporny: people at all orgs interested in the web payments work as well as an identity solution for their customers.
Manu Sporny: they are pushing us up to their technology teams to take a deeper look at what we're doing, and showing interest in joining us, bloomberg already in the group and very interested/supportive of what we're doing
Manu Sporny: it was a great trip, we got lots of interest in various different verticals, etc.
Madhu Nott: having worked in the banking industry for a long time (JP Morgan Chase, Royal Bank of Scotland, etc.), you'd be surprised at how brittle their systems are, so much is spent just on testing, there is often production code running and there's no documentation and the source code is not available
Manu Sporny: that's scary
Madhu Nott: yes, it's very very difficult, for people working in this environment, etc.
Melvin Carvalho: following conversation on IRC, interesting stuff.
Manu Sporny: i was having discussions about this with [... banks] and people don't want to touch these systems because they "work", they were built in the 1980s and are still part of their core business and in production
Manu Sporny: anyone who had any idea about web tech were slim, only people in core tech teams in SWIFT, etc. if you talk to the bank technologists, they are still in cobol/fortran land, they are talking about private financial networks, only a very high-level (heard of it) understanding of bitcoin
Madhu Nott: these are the people i talk to every day, and one of the banks i was with, and they were working on a part of the infrastructure and it was so old and interesting that a historic museum wanted a piece
Manu Sporny: yeah, that's why it's so difficult for SWIFT to change anything, they have an IBANN[sp?] number
Manu Sporny: and changing one digit in that number would cost banks to spend between 5-10 million to deal with that change
Manu Sporny: because some banks were using that number to decide whether or not banks could use faxes to send money, etc.
Manu Sporny: the banks are very focused on keeping that old infrastructure up and running, they don't have resources to focus on anything new
Manu Sporny: no one is working on this stuff, SWIFT said this was the first time they saw anyone working on open next gen banking technology and they were very excited to hear about it; hopefully we can get some of the SWIFT people on the calls in the future. It was interesting because they said that their hands are tied, they can only really work on stuff that the banks need in the immediate term and no bank wants large disruptive changes, even if they end up with a system that is far better than the one we currently have.
Manu Sporny: the nice thing about SWIFT is that they have so much knowledge about how these financial systems work, etc.
Manu Sporny: they were impressed with payswarm and ripple and bitcoin
Manu Sporny: we've got a very good dialogue going with them and we hope to continue that dialog.

Topic: Identity and Payments

Manu Sporny: so while talking with the banking industry ... one thing became very apparent, there has been a big pain point w/banks for a long time, they don't have an identity solution that works on a banking level
Manu Sporny: this idea that you could do KYC (know your customer)
Manu Sporny: on a customer and then that customer could get a line of credit at a different bank or a new account at a new bank
Manu Sporny: or use that identity to do some other financial activity...
Manu Sporny: you just can't do that today
Manu Sporny: i've also been talking to bitcoin community and they have been having to do KYC
Manu Sporny: and they have to go through the same process that the banks have to go through
Manu Sporny: and when you are doing any kind of financial thing you have to go through that mechanism
Manu Sporny: there are some startups now that are doing just KYC for the banks
Manu Sporny: all of them kind of have the same problem, there is no mechanism to express identity information, verified addresses, social security, etc.
Manu Sporny: there's no container format for it
Manu Sporny: and we've been talking to them and payswarm has a mechanism that would work for all of these banking/financial institutions/organizations
Manu Sporny: we have something that's based on crypto that would let these orgs do identity
Manu Sporny: and verify etc
Manu Sporny: we're trying to figure out a way to work with the mozilla persona people to see if there's an identity solution ...
if we can use persona, and the payswarm-based identity solution to address some of these issues for banks and bitcoin-based financial services
Manu Sporny: http://lists.w3.org/Archives/Public/public-webpayments/2013Sep/0127.html
Manu Sporny: we've had a decent bit of high level discussion about it on the mailing list
Manu Sporny: some of the discussion went off topic
Manu Sporny: some of it is based on ricardo's (from telefonica) and he thinks we're proposing some e-mail based solution, we're not... that's a red herring, so we need to make sure that people understand that we're not being simplistic about this.
Manu Sporny: so i was wondering, madhu, what you were thinking about what banks could pick up in 2-3 years or 7-10 years if we standardized today on the web
Manu Sporny: could you do a quick intro on identity as it relates to banking and we'll go from there?
Madhu Nott: real quick, it may be worth it to delve into this in far more depth on a different call. Here's a high-level overview -
Madhu Nott: today, banks do identity checking as a routine every day process
Madhu Nott: what is essential, and i don't see this changing, is that an identity be govt endorsed, they always want drivers license or passport, etc.
Madhu Nott: that is a fundamental building block
Madhu Nott: they are required by law to know who they do business with
Madhu Nott: they need to know who they do business with, banking secrecy act, etc. layers on additional requirements
Madhu Nott: it is done in a different way by different banks, and sometimes worse it is different per product
Madhu Nott: if you understand where banking has come from, some countries have 4-5 huge banks, others, they have 4-5 big ones and then 7000 smaller banks
Madhu Nott: banks grew up by combining different banks together and diff products
Madhu Nott: if a customer applies for a credit card vs.
checking account, KYC is often different between the two
Madhu Nott: even within a single institution
Madhu Nott: it's being done today and in a way that's expensive, it's seen as a significant risk driver, all it takes is 10-20 large accounts or even small ones that fall into the wrong hands and it's a huge issue for the banks
Madhu Nott: if a bank cannot establish your identity, they will and should refuse to do business with you
Madhu Nott: so govt issue is important
Madhu Nott: the problem is coming sideways at me ... if someone said "wouldn't it be a nice thing if you could share identity?"
Madhu Nott: i haven't heard that from the banks
Madhu Nott: the systems are largely closed today as are the protocols for establishing identity and it works quite fast
Madhu Nott: identity can be established in a few seconds
Madhu Nott: there are proprietary stacks to establish identity today and how much is it worth for us to create an open standard for establishing identity? That's the question we should be asking.
Madhu Nott: establishing an open standard for payments will require some identity, but maybe not KYC identity
Madhu Nott: one more point, there is a kind of identity required to KYC, there's another kind to require to authorize transactions
Madhu Nott: today auth and identity are conflated in the banking world
Madhu Nott: establishing that you are manu when you open an account is different from using your payment card
Madhu Nott: identity, authorization are conflated, permission to use, if you will
Madhu Nott: there's a presumed identity there, for example, if you gave me your card, the institutions presume the identity
Madhu Nott: they presume it's you using it, but that's not always true
Madhu Nott: there's a nuance there, things are conflated and that's a problem
Madhu Nott: so that's a different issue, what the system is authorizing is the number ...
are there good funds behind it that hasn't been complained about, it isn't establishing that it's actually you spending the funds
Madhu Nott: it was not possible when the system was invented 30 years ago that there were two things separately in an efficient way, we were using signatures and photo ids, etc
Madhu Nott: but that has gone away, we could achieve this today
Madhu Nott: but doing that, it may be a value-add to the system if we can focus our efforts on that
Manu Sporny: we are using a lot of public key/cryptography with payswarm and bitcoin/ripple
Manu Sporny: there are passwords you could place on your wallet so you need more than the account itself to do a transaction
Manu Sporny: when you do a digital signature your key may be locked in some way so a smart card or something else holds your key that you must unlock to do a payment. Like a PIN on a chip/pin card.
Manu Sporny: so you have to be the actual owner
Madhu Nott: i could see a scenario today where it's far less likely to give someone your atm card to use it vs. a credit card
Madhu Nott: i think it's very valuable to establish the difference/support what people want here
Madhu Nott: the fraud rate is very different for pin-based products (lower fraud)
Manu Sporny: yeah, whenever you have a token it helps lower fraud
Manu Sporny: i don't think whatever identity solution we come up with be used by the banks right away, it will take time. In fact, the banks may be the last organizations adopting it.
Manu Sporny: if we don't support what they already need then our new tech won't be a good replacement for what they have today
Manu Sporny: they make proprietary calls out to services to do KYC and it would be great if those banks didn't have to pay for that
Manu Sporny: obviously some orgs wouldn't like that but a lot of other orgs that need to verify shipping addresses, etc could all use this system, so it's not just about banks and easier log in on the web, it's about both and more, and making sure we have a solution that can scale to address both of those use case needs
Manu Sporny: do you think that's worth pursuing, madhu?
Madhu Nott: yes, i think it makes sense; if you want to do anything in the world of payments, establishing identity is an essential part of it, if we want to evolve and change the payments world and make it more friendly on the web
Madhu Nott: you always need identity at the very least the identity solution must do as well as the banks now and it's great if it's better and we can advertise that business proposition across different ways
Manu Sporny: Right now, in PaySwarm, we have identities that look like this (public identity information): https://dev.payswarm.com/i/manu
Madhu Nott: we need identity for payments, since we need it, how do we craft something, or use existing mechanisms, that are already available or make it applicable to a wider audience
Manu Sporny: so we have the core of that already in payswarm, the idea here is that you have a URL for your identity in payswarm, at that URL is a whole bunch of machine readable data, in order to get to other stuff there's an ACL, you have to provide access to the person who wants the info
Manu Sporny: an ideal use case would be going to a financial site to log in with persona and then persona would give your identity URL to the bank
Manu Sporny: once the bank has that, it can then start querying that URL to complete its KYC process
Manu Sporny: like, what is the physical mailing address,
are they a citizen, etc, all that can be stored in an external identity and queried by the bank and then the banks don't need to pay as much, and the bank doesn't have to keep those processes inside the bank, they can just query this external identity
Manu Sporny: the question is how to trust that information
Manu Sporny: anyone could put whatever they want at that URL, well, what we can do is ... there are companies that already do KYC clearing for customers, instead they can assert some information and digitally sign it, then write it to that identity URL
Manu Sporny: by doing that, as long as the bank trusts the entity doing KYC, if there's a signature on their info at the identity URL from that KYC provider institution, and the customer says "yes, i agree to release this info to the bank i'm signing up for" this seems like a fairly workable solution
Manu Sporny: instead of making these proprietary calls they could just make an open call, and it's really simple and the person is automatically in and the bank doesn't have to pay for KYC'ing the customer.
Manu Sporny: the person just gives access to the bank if they want to and they don't have to fill out any forms, etc.
Manu Sporny: and they just share whatever info they want with the bank and that gets them their account there
Manu Sporny: other companies, vendors, etc. would adopt this first before banks would, to get shipping info, etc.
Manu Sporny: do you think that could work for banks in the future?
Madhu Nott: i think so, in many ways it replicates the work flow of today, which is great, it's a good thing, that's what companies do today that process that's new and different here, is that the customer is giving permission
Madhu Nott: today this information isn't necessarily in the customer's control
Madhu Nott: bureaus currently control it
Madhu Nott: but right now that's exactly what happens now when opening accounts at the bank, we go check the KYC institutions, i trust someone who trusts someone else, etc.
Madhu Nott: and the information flows and ... this new idea works, i think it makes sense
Manu Sporny: this would require just a small set of tweaks to the existing identity solution we have
Manu Sporny: with payswarm
Manu Sporny: the idea here would be that you can write to an identity by posting some JSON to it
Manu Sporny: and the customer could say yes or no
Manu Sporny: and the other thing would be so-and-so institution wants info X, customer says yes or no
Manu Sporny: so that's almost the exact same thing as we do for the PaySwarm buy flow right now
Dave Longley: I don't think you missed anything, that's more or less what we were looking at doing in the future anyway. [scribe assist by Manu Sporny]
Dave Longley: We would have to look at all the details of how to do the "writing to your identity" portion, but what you outlined is the high-level of what would work. [scribe assist by Manu Sporny]
David I. Lehn: could this work in the background?
Manu Sporny: it could work like our budgeting feature right now
Manu Sporny: to grant continuous access to certain institutions,
Manu Sporny: then they could pull when you wanted
Manu Sporny: this would allow them to pull the info whenever they needed to use it
Manu Sporny: that may be a version 2.0 thing, we don't necessarily need it in the first cut
Manu Sporny: we also need to figure out how to integrate this with persona and the larger identity sphere
Manu Sporny: persona can already clear 700 million+ email addresses so that's a good start/place to get this integrated
Manu Sporny: i'm hoping next week we can get the mozilla persona folks here to discuss this stuff
Manu Sporny: that's the last bit, we can do everything else
Manu Sporny: we just need the persona folks to tell us how to tie an identity URL to a login
Manu Sporny: any other comments or questions?
Manu Sporny: if that's a fairly easy technical solution then we just need to do the specs, etc.
Manu Sporny: thanks all
Evan Schwartz: bye

-- manu

--
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/
Received on Wednesday, 25 September 2013 19:07:30 UTC