Web Payments Telecon Minutes for 2014-04-09

Thanks to Dave Longley for scribing this week! The minutes
for this week's Web Payments telecon are now available:

https://web-payments.org/minutes/2014-04-09/

Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
Web Payments Community Group Telecon Minutes for 2014-04-09

Agenda:
  http://lists.w3.org/Archives/Public/public-webpayments/2014Apr/0018.html
Topics:
  1. Internet Governance Forum 2014
  2. Getting United Nations' CITRAL Involved
  3. Web Payments Workshop Review
  4. Identity, Anonymity, Privacy, and Security
  5. Current and Future Payment Systems
  6. Initiating Payments and Digital Receipts
Chair:
  Manu Sporny
Scribe:
  Dave Longley
Present:
  Dave Longley, Manu Sporny, David I. Lehn, Pindar Wong, Joseph 
  Potvin, Brent Shambaugh
Audio:
  https://web-payments.org/minutes/2014-04-09/audio.ogg

Dave Longley is scribing.
Manu Sporny:  Additional to agenda, Joseph said he wanted to talk 
  about UNCITRAL stuff he'll be involved in during the next few 
  weeks.
Manu Sporny:  Any other updates/changes to the agenda?
David I. Lehn:  Nope
No other updates noted.

Topic: Internet Governance Forum 2014

Manu Sporny: http://www.intgovforum.org/cms/
Manu Sporny:  If folks will remember, last year we participated 
  in the IGF, as a result, a number of orgs from there came to the 
  web payments workshop, specifically, the british computer 
  society, they had great input on identity, the world bank came as 
  well, played a very big part talking about needs of world w/web 
  payments
Manu Sporny:  There were a number of other orgs as well, it was a 
  very good outcome based on our participation in IGF.
Manu Sporny:  So we should think heavily about how we should 
  participate, Pindar, any thoughts?
Pindar Wong:  Yeah, i'd like to speak in favor of our 
  participation, if you recall last year we tried to design it so 
  there were follow-on activities, so it would be more than just 
  talking about policy issues involved, i'd like to also structure 
  it so that any output from this years IGF and any other meetings 
  can be fed into W3C this year
Pindar Wong:  One of the things that came up from last year was 
  the tremendous interest in the web payments work and we'd like to 
  deal with the issues more than just once a year, there's an 
  interest in more than just talking about the issues, wanting to 
  move forward w/actions
Manu Sporny:  Talking about where we should take what can be 
  standardized is what we want to do, we have to get into consumer 
  rights issues, anonymity issues things we got from talking about 
  identity at the workshop, outlining the stuff that will happen at 
  w3c on identity and getting input from IGF and talk about getting 
  them to influence the work by discussing w3c's official group 
  that will be looking at this
Manu Sporny:  We're going to be creating technical standards, if 
  people at IGF want to get involved they can come to w3c and work 
  with the group
Pindar Wong:  Yes, moving from the theoretical to the practical 
  is very important, the deadline is 15th of april, so if we want 
  to participate we have to get cracking
Pindar Wong:  I'd be very happy to work with you to get something 
  put together
Pindar Wong:  I think seeing the results from last time is a 
  positive indicator we should go, it would be worth while, i'd be 
  happy to work with you to flesh out a proposal
Dave Longley:  I agree w/ Pindar's thoughts - getting more 
  feedback on the identity work would be helpful. [scribe assist by 
  Manu Sporny]
Manu Sporny:  Pindar were you thinking of focusing on web 
  payments or identity+web and security implications, etc?
Pindar Wong:  Given response from last year, the interface 
  between identity and web payments is the crux of the issue and 
  the IGF is a really good place to have dialog about interfacing, 
  the issue of identity+identifiers with respect to payments is 
  where we ought to focus
Pindar Wong:  It's the interface that's important, the payment is 
  the motivation. Dealing with the interplay with identity and 
  anonymity is important and vital to address, etc.
Pindar Wong:  Last year i made a mistake of not controlling 
  presentation time and we can correct that this year and get a lot 
  of good policy-level feedback on areas we would not normally have 
  access to
Brent Shambaugh: +1
Manu Sporny:  The one thing we were really missing at the web 
  payments workshop was that kind of policy input, so IGF is 
  important to get feedback from
Manu Sporny:  So maybe Pindar and i can take this offline and 
  report back to CG later
Pindar Wong:  I'll have some time to work on this for the next 
  few days
Manu Sporny:  Good, let's work together on this. We'll take it 
  offline and report back to the group when we have it figured out. 
  Anything else on IGF?
Nothing else on IGF.

Topic: Getting United Nations' CITRAL Involved

Joseph Potvin:  Is anyone familiar with UNCITRAL?
Pindar Wong:  Yes, i am a bit
Joseph Potvin:  They focus on international trade law has some 
  working groups for ecommerce and has a number of initiatives that 
  seem to me to provide the legal environment in which the whole 
  discussion w/w3c web payments seems to be situated, the way it 
  works is they have delegates from numerous countries, they've 
  been doing ecommerce since 80s, countries have their own legal 
  positions, they produce a model/template law and that is taken 
  and interpreted into the legal context of each participating 
  country, as a result each country's legal tradition comes in, but 
  across borders there are some common things that come into play 
  because of the template, etc.
Joseph Potvin:  A fair bit of work on nitty gritty details of 
  ecommerce trying to determine the specific thing that is being 
  moved around with the various ecommerce payments alternatives, 
  whether a digital packet of money going around or is meta data 
  about money, and if meta data, what is it, is it a bill of 
  exchange a promissory note, etc. when writing software you have to 
  be really clear about classes and properties, etc.
Pindar Wong:  The point about terminology about promissory notes 
  and negotiable instruments, and getting to know the terminology 
  in this space is really important if only to avoid potential 
  friction later on, the terminology is quite key
Joseph Potvin:  To give an example of the degree of headache: in 
  1978 the bank in canada in montreal was shipping dollar $5 bills 
  and had an accident where the truck transporting the bills 
  burned. The legal case went to the supreme court and question was 
  whether or not bank could get money back by reprinting, split 
  decision 3-3
Joseph Potvin:  Even at highest court there is disagreement with 
  what we're dealing with
Joseph Potvin:  In the case of w3c potential specifications, i 
  don't think we want to have ambiguity about the classes we're 
  dealing with, so there's a legal side and a technical side to 
  this, on tech side legal stuff becomes requirements for what's 
  being coded, etc.
Joseph Potvin:  Accounting entries that cause numbers to go 
  up/down aren't money moving around and are at a level of systems 
  architecture but it will be problematic if the community gets 
  them wrong and courts start deciding that things are invalid
Joseph Potvin: Example link on UNCITRAL: 
  http://www.uncitral.org/pdf/english/workinggroups/wg_4/wp_120_e.pdf
Manu Sporny:  I definitely agree that we need to get the 
  terminology right and make sure that it lines up with 
  international law, my concern is that we don't want to create 
  some kind of blocking item that prevents tech work from happening 
  because we're waiting for legal decision to play out
Manu Sporny:  This is the UN so it works in broad strokes, not 
  low-level technical detail
Manu Sporny:  There may be a mismatch with high-level vs. 
  low-level language and a speed mismatch with how quickly w3c can 
  work vs. UN
Pindar Wong:  The phasing and expectations of when useful output 
  from this group might interface is quite an important one, i 
  think there is a phasing issue where these processes are 
  deliberate and slow moving but i wouldn't actually say them 
  informing our process is the right perspective, i'd look at it 
  the other way around, getting them to shape their processes as 
  ours evolve, the flow of the direction is a little bit back to 
  front
Manu Sporny:  I think that since Joseph is volunteering to 
  participate in that work and is very motivated to do so, we 
  should have him reach out to that group and be the liaison.
Pindar Wong:  Absolutely, i'm in full support, nothing i've said 
  should imply otherwise
Manu Sporny:  I agree, joseph should reach out and liaise with 
  them
Manu Sporny:  But i agree with you pindar that the faster moving 
  w3c process should inform the slower moving UN process
Pindar Wong:  After first year they should be very aware of this 
  group's existence
Manu Sporny:  So in general, if Joseph wants to interface with 
  that group, we should make first contact with them, make them 
  aware of the work at W3C CG and the potential upcoming IG, and we 
  want faster moving group to provide input to the slower moving 
  group (faster=w3c cg, slower=UN)
Manu Sporny:  And then there's a feedback loop where we get input 
  from UN and put back into w3c cg
Joseph Potvin:  I was just talking to someone on phone about w3c 
  having observer status with that working group and i will follow 
  up
Manu Sporny:  It would be Wendy or Rigo. I'd be surprised if any 
  one of them can make it, but they'd be the contact at w3c
Joseph Potvin:  I'll try and arrange for w3c to have observer 
  status and see if i can be the observer
Manu Sporny:  Definitely clear that with w3c first, do not say 
  that you're representing them.
Manu Sporny:  You can't use their name without their permission
Joseph Potvin:  Of course, I was going to clear it with them 
  first.
Manu Sporny:  It sounds like there's a lot of positive upside as 
  long as we don't tie two groups together too tightly
Joseph Potvin:  Bitcoin a good example of not getting legal stuff 
  working early on then with a stroke of a pen all the tech work 
  becomes bogged down by the legal ramifications.
Joseph Potvin:  My experience over past 15 years working on this 
  kind of thing ... as long as lawyers are comfortable with 
  concepts being straightened out then they can move pretty quickly
Manu Sporny:  Let us know if you need anything from us, otherwise 
  ball is in your court, go ahead and make first contact, let us 
  know how things go
Joseph Potvin: :-)  I'll leave it at that.  I'll follow up with 
  Wendy Seltzer and keep you all informed

Topic: Web Payments Workshop Review

Manu Sporny: http://www.w3.org/2013/10/payments/minutes/
Manu Sporny:  Web payments workshop very successful, more so than 
  we thought there would be, lots of problems brought up (identity, 
  payments) and general feeling that w3c should do something about 
  them
Manu Sporny:  We could have found out that there was no desire 
  for w3c to address these problems, instead orgs thought there 
  were lots of problems and w3c could and should solve them with 
  relatively narrowly scoped work.
Manu Sporny:  Minutes were cleaned up by web payments cg, we've 
  gotten compliments about how nice they are, etc. there are 14 
  hours of minutes there so we can't go through all of them of 
  course
Manu Sporny:  We can hit 3 highlights on the call today, spending 
  about 10 minutes per highlight ... any questions in general about 
  workshop?
Pindar Wong:  Slides were excellent and thanks for taking such 
  outstanding notes
Brent Shambaugh: +1
Manu Sporny:  W3c has a great history of being very open and 
  transparent for these events and running them, etc.
Manu Sporny:  Half of the people coming to the workshop were new 
  to w3c and chatter afterwards was that attendees were very 
  impressed with the community and people were trying to solve 
  problems of a technical nature and not getting stuck on policy, 
  etc. and most felt that everyone was really on point for most of 
  the time there

Topic: Identity, Anonymity, Privacy, and Security

Manu Sporny:  We're kind of going out of order ... it's ordered 
  by items with most about interest at workshop 
Manu Sporny:  First item was somewhat tangential to payments, 
  there was a big push at the workshop to try and address the 
  identity problem on the web
Manu Sporny: 
  http://www.w3.org/2013/10/payments/minutes/2014-03-25-s6/
Manu Sporny:  In order to do a payment of any sizeable amount you 
  have to sort out the identities involved in the transaction, to 
  establish trust and sort out know-your-customer and anti money 
  laundering issues, etc.
Manu Sporny:  Identity was a huge topic at the workshop, 70% of 
  the papers submitted stated that identity was a serious issue on 
  the web, that we needed to figure out a way to transmit 
  personal credentials without violating privacy, even for 
  incredibly low-value transactions you currently have to give out 
  too much personal data
Manu Sporny:  There was a debate, one group saying eradicating 
  anonymity, another one saying eradicating that would be like 1984 
  future, etc. good debate
Manu Sporny:  Folks involved in the discussion were IETF, 
  qualcomm, microsoft, w3c talking about webcrypto API and role 
  played in identity space, Louise Bennett from the Chartered 
  Institute for IT (British Computer Society) did a phenomenal job 
  talking about balance between anonymity and privacy and security 
  and balancing with the law, etc.
Manu Sporny:  End result, personal opinion here, it would be very 
  difficult for w3c to ignore identity problem for much longer
Manu Sporny:  Big swell of w3c companies wanting to address the 
  identity problem, 1. by itself it's a problem on the internet, 2. 
  for payments use cases we have to figure identity problem out
Manu Sporny:  Any thoughts so far?
Pindar Wong:  Do you recall any specific comments about Lucy Lynch 
  from ISOC?
Manu Sporny:  She wasn't there, Karen O'Donahue was (from IETF / 
  ISOC). I emailed Lucy and she said she couldn't make it ... sent 
  karen on her behalf
Manu Sporny:  Karen did digital signature stuff at IETF, she 
  co-chairs the JOSE working group.
Manu Sporny:  Hannes Tschofenig in charge of OAuth work at IETF 
  and strong proponent for getting anonymity and privacy right, was 
  speaking on behalf of privacy and identity, and wendy seltzer 
  from w3c were some of the strongest voices for supporting 
  anonymity and privacy from day 1
Pindar Wong:  I value Lucy's opinion/views deeply, she's a great 
  star in this area, so was curious
Manu Sporny:  She did help shape agenda for workshop, but was 
  unfortunate she had a conflict and couldn't make it
Manu Sporny:  It was interesting because at w3c ... i spoke with 
  some w3c staff ... and my general input was you're going to have 
  to do something about identity it's clear, and w3c said they 
  tried to do something about this 3 years ago, we had a workshop 
  and it wasn't clear what identity was, the problem wasn't clearly 
  defined, and w3c is wary about picking it up again because it 
  wasn't clear what identity is on the web, and it means a whole 
  bunch of different things to different people, but now there are 
  w3c orgs that want to solve very specific identity issues, like 
  transmitting credentials across the web in a secure, private 
  way, passport, license ID, citizen of a particular 
  state/province, whether you have a degree from a university, an 
  email address is another type of verifiable credential, etc.
Manu Sporny:  We have put out the "Identity Credentials" 
  specification via the Web Payments CG, OpenID Connect also 
  exists, as do things like LTI - so we're not starting from 
  scratch:
Manu Sporny: http://manu.sporny.org/2014/credential-based-login/
Manu Sporny:  There's a blog post out there about this, it's a 
  call for a credential-based login, there's a spec built someway 
  off of persona, reuses best bits of web payments work, puts a 
  stake in the ground to build off of, etc.
Manu Sporny:  Pindar, if you could make her aware of the Identity 
  Credentials spec work in the CG that would be great
Manu Sporny:  I'll be pushing this myself in various places, 
  we'll also be having a w3c plenary later where this proposal will 
  be on the table in october, so this is something concrete to look 
  at
Pindar Wong:  Since we have IGF 2014 in september, plenary in 
  october, maybe focusing on the identity issue would be best
Joseph Potvin:  I provided a link on identity management in IRC, 
  which connects in because it provides the pathway to communicate 
  on all of this stuff with the ministries and departments of 
  justice in these countries where this will matter where these 
  things must be permitted within these jurisdictions, so once 
  again it goes beyond the technical ability to resolve these 
  issues, it also has to do with linkage w/justice departments, 
  etc.
Brent Shambaugh: For security, I was trying to reach out to 
  OWASP. Could I drop a link?
Manu Sporny:  I agree, please get them involved and aware that 
  this is going on.
Brent Shambaugh: 
  https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab.3DTop_Ten_Mobile_Risk
Manu Sporny:  Security was also a big thing that went along with 
  identity, just like security+payments, brent added link about 
  OWASP, can you give a background?
Brent Shambaugh:  It's an open source security group that deals 
  with mobile security.
Brent Shambaugh:  They have a top 10 mobile problems list - 
  password, identity, securing sensitive data, things like that.
Brent Shambaugh:  I was really impressed with what they had put 
  together, check out the Top Ten Mobile Risks list they have 
  above.
Manu Sporny:  Maybe one of the things we could do is just invite 
  some of the OWASP people onto the call and chat with them, talk 
  about there's work at w3c that might start in the next year, we'd 
  like their input on it, etc.
Manu Sporny:  Maybe also contact Natasha Rooney at GSMA as she 
  may be in contact w/them as well.

Topic: Current and Future Payment Systems

Manu Sporny: 
  http://www.w3.org/2013/10/payments/minutes/2014-03-24-s3/
Manu Sporny:  This had to do with ... they got all of the big 
  providers, big payment companies on stage to talk about where we 
  are currently and where we need to go, there was a pretty big gap 
  between what the current banks and payments companies were 
  talking about and what folks like ripple labs and bitcoin 
  companies and to some degree w3c were talking about
Manu Sporny:  The groups were Worldline, The World Bank, Ripple 
  Labs, The US Federal Reserve, CoinApex, and many others.
Manu Sporny:  We didn't have a lot of feedback from the banks ... 
  their position was mostly that nothing was so wrong that we 
  couldn't make minor changes to make progress, etc. the input from 
  the cryptocurrency providers was that there were fairly big 
  problems that need to be addressed, international remittances, 
  for example are absolutely awful, there was a lot of back and 
  forth for where this w3c standard would go, the clear outcome 
  from that was that there was nothing w3c could do to really 
  modify current payment systems in the world, the w3c standards 
  will have to apply to emerging nations w/no real banking 
  infrastructure, or they will have to layer on top of existing 
  payment systems today, the top layer will have to simulate the 
  complex underwriting below
Manu Sporny:  So payments will look faster to the customer but 
  will still use old infrastructure underneath, which we expected
Manu Sporny:  In the CG, we just need to build a shim that would 
  hide complexities of the old system
Manu Sporny:  The other thing is we can't create anything that 
  changes the fundamental movement of money in the first iteration 
  of this technology
Manu Sporny:  So the thing we need to focus on has more to do 
  with consumer facing tech ... than with back end banking systems.
Joseph Potvin:  Connie, from the US Federal Reserve, indicated 
  that there were technologies in Bitcoin that could improve 
  payments for ACH-based systems.
Joseph Potvin:  GIRO (spanish word, pronounced "Hero") banking is 
  about moving money around but doesn't actually move money around, 
  it's just a distributed accounting system
Joseph Potvin: Here is a nice summary of how GIRO works -- see 
  the diagram on pg 2 
  http://www.abs.org.sg/pdfs/Financial/GIRO/IBG_Procedures.pdf
Joseph Potvin:  One account goes up the other goes down
Joseph Potvin:  And it can handle conversions as well, ACH is 
  like this system
Joseph Potvin:  The reserve bank of india is in the process of 
  setting one up as well, these are different from other currency 
  systems because the other ones move digital packets around
Joseph Potvin:  And this is just accounting
Joseph Potvin:  I'd like to reinforce what she said about that
Joseph Potvin:  More attention should be paid to GIRO banking as 
  well
Manu Sporny:  What i'm trying to get across is that our ability 
  to change ACH with a W3C spec is almost non-existent. That's 
  something that the banks have control over and are probably not 
  willing to change in any large way.
Joseph Potvin:  There are many GIRO banking systems
Joseph Potvin: My recommendation is for the community to 
  understand GIRO banking, and how it differs from conventional 
  banking. GIRO is a business model for banking, not a brand.
Joseph Potvin:  About what would a w3c spec be about? and 
  it seems it should be about a generic GIRO spec ... and i don't 
  think it would be about the kind of thing that ripple is, a GIRO 
  wouldn't require anything like an XRP to (Joseph's audio becomes 
  garbled and disconnects).
Manu Sporny:  I think what he was going to say was that you 
  wouldn't need XRP to do transactions, it's merely based on the 
  trust of the banks in the network and w3c could try and 
  standardize that. We'll have to have a whole conference call to 
  talk about that, the feedback I got from banks is that they 
  wouldn't be all that interested in making that big of a change to 
  their systems.
Manu Sporny:  It's too expensive for them, to the tune of tens of 
  millions of dollars, unless it's fairly easy to make a technical 
  change there, i'm a bit dubious whether w3c could accomplish 
  that.

Topic: Initiating Payments and Digital Receipts

Manu Sporny:  The key takeaway there is that we had agreement ... 
  we heard that banks wouldn't be willing to do that, we heard 
  instead that various people would be willing to standardize 
  payments and a mechanism that's universal on all websites for 
  initiating payments and a digital receipt and that dovetails into 
  the discussion here ... i'm not disagreeing with Joseph just 
  saying w3c may fail if we try to take a problem of that scope on.
Manu Sporny:  Definite agreement around initiating payments and 
  digital receipts at the workshop.
Joseph Potvin: There's no need to try to change or influence the 
  incumbent banking solutions, but GIRO banking seems to me to be 
  the model most suited to any eventual W3C spec on payments
Manu Sporny:  Standardizing initiating a payment ... and then 
  once initiated, regardless of which payment system you're using 
  then is up to the payment provider and what they do is generate a 
  standard digital receipt (standard across the web) so that the 
  merchant can verify that digital receipt, so the only three 
  things are really required to standardize. A basic 
  identity/credential protocol, a simple protocol to initiate 
  payments, and merchant-verifiable digital receipts.
Manu Sporny:  That would open up the entire market to far more 
  competition, it would mean you could plug and play payment 
  providers, etc.
Manu Sporny:  Visa mastercard, paypal would all still exist, but 
  banks could participate as well, they'd just run extra software 
  on top of their systems, and also new payment providers could pop 
  up and could operate in this space
Manu Sporny:  All using these standards
Manu Sporny:  So the first cut of the web payments work would 
  have fairly narrow scope, measurable goals, we have use cases 
  from CG, etc. it would be best way to proceed
Pindar Wong:  On the issue w/payments and digital receipts, 
  that's where i thought the CG was before Paris ... and afterwards 
  we're at the same place, and that sounds like a huge win for the 
  CG
Manu Sporny:  Yup, people at the workshop were essentially 
  playing catchup with the CG and it's great that we were in the 
  right place
Manu Sporny:  There was some gnashing of teeth by fairly large 
  payments players about the CG predicting this
Manu Sporny:  They wanted to say that for the first time a bunch 
  of people came together and decided initiating payments and 
  digital receipts was the way to go, but in reality the CG was 
  there years ago.
Manu Sporny:  But we don't need to hammer that home, it's more 
  important that two fairly diverse/different groups/events came 
  together and both agreed on the direction, etc.
Pindar Wong:  Yup, no interest in bragging rights, just think 
  it's huge win CG is in the right place
Pindar Wong:  Identity in payments is going to be a big one, good 
  to get more important from outside this field from IGF, etc.
Pindar Wong:  For initiation of payments, digital receipts, this 
  is a great outcome, great achievement
Manu Sporny:  To be clear, everyone thought identity was a big 
  problem and is important but not a clear path forward, just that 
  it needs to be addressed
Manu Sporny:  We're out of time for today
Manu Sporny:  We will probably have a follow up conversation next 
  week, tons of use cases to discuss, progress on specs that have 
  been happening in parallel to discuss, etc.
Manu Sporny:  I will be out in the bay area, silicon valley, next 
  week April 16th-18th, in case any other Web Payments CG members 
  want to meet up.

Received on Wednesday, 9 April 2014 17:55:49 UTC