- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Tue, 08 Apr 2014 10:14:44 +0200
- To: Joseph Potvin <jpotvin@opman.ca>, Steven Rowat <steven_rowat@sunshine.net>
- CC: Web Payments CG <public-webpayments@w3.org>
On 2014-04-08 02:11, Joseph Potvin wrote: > RE: members of [any group] will not, unless forced, take kindly to > anything that obstructs their interests (as they define them) > > There's nothing unique in that way about large companies. The same can > be said for any organization, including a local farmer's market. This is true. I would though like to add a constraint that not everybody is aware of: If you work for a US tech giant you are not allowed to speak openly about novel ideas for addressing a problem without first have checked this with the legal department due to IPR issues. As we can read in the trade press, a simple "slide unlock" feature is enough to get you in deep trouble. Due to this, only listing requirements is out of scope unless you restrict yourself to watered-downed nonsense statements like "payments must be secured". > > The earlier eCommerce work of the W3C, since it was underway at a time > when computing was very expensive, depended entirely on centralized > resourcing. In contrast, today, any smart group of geeks has the > computing and deployment power and create and operate an eCommerce > platform. But the earlier work ought to be reviewed for useful ideas. > That's why I think it can be useful to find somebody who was immersed > in that first round of efforts two decades ago. As I wrote there are tons of dead initiatives out there if somebody want to go over the casualties. I believe 3D Secure is a very good example of a failed standard that only banks in the EU still try to impose on their clients. However, the core idea has a lot of mileage if put in a better web platform which VISA and MasterCard never considered because then they would have had to talk to Microsoft & Netscape. There's a reason why on-line credit-card payments remains insecure and EMV-cards still come with the magstrip + security info in clear text... The Web Payments CG faces a bigger problem than VISA and MasterCard: Due to the browser vendors' decision to "outlaw" plugins you can't introduce _anything_ new the client side without their participation and support. I do not see much interest from these guys. In fact, even in W3C's WebCrypto applications were put in the back-seat. 95% of the postings are from pretty opinionated cryptographers whose prime interest is trying to save the world from using "bad crypto algorithms". (in reality most crypto-related screw-ups are due to incorrect usage of crypto). I had a similar experience in TrustedComputingGroup where I repeatably (and to many peoples' dismay) questioned why payments etc. were not dealt with by any of the 10 TCG sub-groups. It also took way too long to get the stuff out. "Perfection" is great but unfortunately what looks fine on the drawing board may not work exactly as planned IRL. MSFT _manadate_ TPMs, other vendors are working with their own and IMO better concepts: http://images.apple.com/ipad/business/docs/iOS_Security_Feb14.pdf It's a battlefield out there if you didn't knew it... I guess you feel that I'm a true pessimist, right? I'm not, I just believe that most people would be quite happy "only" getting the core web platform in a better shape for new and exciting missions! Thanx, Anders > > Joseph Potvin > > > On Mon, Apr 7, 2014 at 6:51 PM, Steven Rowat <steven_rowat@sunshine.net> wrote: >> Greetings, >> >>> Anders' law of standardization: >>> Innovation is a fuzzy process. Standardization is fuzzy but in another >>> way. >>> Do not combine these activities unless everybody is prepared for a rocky >>> ride. >> >> >> I'm inclined to agree with Anders comments in response to Joseph (about the >> history of W3C following through on standards to do with payments). >> >> Although it's tangential to Joseph's questions, I'd like to add my own >> experience with being a member/contributing to the W3C, about 5-7 years ago: >> >> I became concerned that there was a pivotal change in the playing field >> afoot with HTML 5, namely that HTML 4 and earlier were markup languages, >> which any literate person could engage in, while HTML 5 appeared to be >> Javascript and DOM based in a much more complex way, essentially ceding the >> web-page writing field to paid professional specialists. >> >> More germane to the current situation is that I didn't feel I was given a >> thorough hearing about my concerns, in the sense that the directors and >> editors of the HTML5 spec didn't see this as a problem. These directors and >> editors were members of large corporations (Apple, etc.), which may have >> been, and probably was, related to this reception. >> >> So I also caution that "there's a lack of openness with the W3C" as Anders >> said, in the sense that members of large corporations will not, unless >> forced, take kindly to anything that obstructs their interests (as they >> define them). If members of such corporations are in positions of power in >> the writing or passing of the web payments specs then that might be a >> problem. I don't know enough about the current political setup to know if >> this is the case in this situation, but if it is then I'd speculate that no >> new level playing field could be created for web payments by the W3C route. >> >> Steven Rowat >> >> >> >> On 4/7/14 7:18 AM, Anders Rundgren wrote: >>> >>> Hi Joseph, >>> I only have a 18 year perspective on standardization in the payment and EC >>> space. >>> >>> It is important realizing that W3C is only one of quite a bunch of SDOs >>> and that W3C >>> to date have been much more successful with basic technology than with >>> applications. >>> >>> If we then enter into the world payments there is a veritable desert out >>> there >>> with dead payment standards and initiatives. >>> >>> One of the problems is that there's no documented interest among leading >>> banks >>> to standardize anything in open. The Web Payment Workshop delegates may >>> differ >>> but I never saw any bank folks in W3C's WebCrypto although it was said >>> that one >>> of the use-cases were high-value transactions. >>> >>> There's also a lack of openness within the W3C itself. The current W3C SE >>> API >>> standardization effort (which is highly related to payments) is mum on the >>> fact >>> that SIM-cards are owned by operators which makes such a standard >>> inaccessible >>> for probably some 99% of the potential market. >>> >>> Personally, I stick to business-model-neutral "nuts and bolts" technology. >>> The challenge is understanding "just enough" of the application space >>> without >>> getting lost there :-) >>> >>> Compared to the "good old days", standardization has become much more >>> difficult >>> since it is challenged by companies like Google who can do whatever they >>> want. >>> The tempo has also increased while automatic updates reduce the need for >>> "perfection". >>> Open source has turned out to be a strong alternative to real standards. >>> >>> Anders' law of standardization: >>> Innovation is a fuzzy process. Standardization is fuzzy but in another >>> way. >>> Do not combine these activities unless everybody is prepared for a rocky >>> ride. >>> >>> Cheers, >>> Anders >>> >>> On 2014-04-07 13:15, Joseph Potvin wrote: >>>> >>>> Further to the wrap-up discussion about the creating on an Interest Group >>>> http://www.w3.org/2013/10/payments/minutes/2014-03-25-wrapup/ >>>> >>>> Does anyone on these lists have the "two-decades view" of W3C >>>> involvement with this topic? >>>> http://www.w3.org/ECommerce/ >>>> http://www.w3.org/TR/EC-related-activities >>>> http://www.w3.org/ECommerce/Micropayments/ >>>> http://www.w3.org/TR/NOTE-jepi >>>> >>>> Three questions: >>>> >>>> 1. What happened to those original efforts towards a W3C Specification >>>> on eCommerce that would have included specifications on web payments? >>>> >>>> 2. What should we learn from substance and fate of those earlier efforts? >>>> >>>> 3. Is there a need to "start" a new IG? Or might the W3C eCommerce IG >>>> just re-convene, update its charter, and carry on? >>>> >>>> Joseph Potvin >>>> >>>> >>>> On Thu, Apr 3, 2014 at 11:51 AM, Stephane Boyera <boyera@w3.org> wrote: >>>>> >>>>> Dear All, >>>>> >>>>> Thanks to the great help from the Web Payments Community Group and Manu >>>>> Sporny, we just published a new cleaned version of the minutes of the >>>>> workshop at >>>>> http://www.w3.org/2013/10/payments/minutes/ >>>>> The agenda with links to slides and presentations is available at >>>>> http://www.w3.org/2013/10/payments/agenda >>>>> >>>>> We are planning to circulate a draft report for your comments in the >>>>> next 10 >>>>> days. >>>>> >>>>> Best >>>>> Stephane >>>>> -- >>>>> Stephane Boyera stephane@w3.org >>>>> W3C +33 (0) 6 73 84 87 27 >>>>> BP 93 >>>>> F-06902 Sophia Antipolis Cedex, >>>>> France >>>>> >>>> >>> >>> >>> >> >
Received on Tuesday, 8 April 2014 08:15:29 UTC