- From: <msporny@digitalbazaar.com>
- Date: Wed, 08 Jan 2014 16:13:58 -0500
- To: Web Payments CG <public-webpayments@w3.org>
Thanks to Dave Longley for scribing this week! The minutes
for this week's Web Payments telecon are now available:
https://web-payments.org/minutes/2014-01-08/
Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).
----------------------------------------------------------------
Web Payments Community Group Telecon Minutes for 2014-01-08
Agenda:
http://lists.w3.org/Archives/Public/public-webpayments/2014Jan/0047.html
Topics:
1. Update on Web Payments Workshop
2. New web-payments.org website
3. Web Payments Workshop Position Paper
4. Web Identity Updates/Concerns
Action Items:
1. Manu to suggest that the Web Payments Program Committee
publish a protocol for journalists and live bloggers at the Web
Payments Workshop.
Chair:
Manu Sporny
Scribe:
Dave Longley
Present:
Dave Longley, Manu Sporny, Evan Schwartz, Erik Anderson, Joseph
Potvin, David I. Lehn
Audio:
http://payswarm.com/minutes/2014-01-08/audio.ogg
Dave Longley is scribing.
Manu Sporny: Any changes to the Agenda?
Evan Schwartz: None
Topic: Update on Web Payments Workshop
Manu Sporny: http://www.w3.org/2013/10/payments/
Manu Sporny: The program committee is responsible for setting
the agenda for the workshop and saying which participants get to
talk on which topics, we're accepting position papers from a
variety of orgs, from them we will get a broad representation of
the topics across industries, etc.
Manu Sporny: From now until Feb. 8th we can get in papers,
typically there is a mad rush at the end to get the papers in
Manu Sporny: The dates are on the landing page for the workshop
Manu Sporny: Workshop submissions are open now, we're taking two
types, first one is an expression of interest, you can attend
workshop by sending in 1-4 paragraphs with why your org wants to
attend and what you want to bring to the workshop, etc.
Manu Sporny: Low barrier of entry to the workshop
Manu Sporny: Other type is submitting a position paper, 1-5
pages long, and should outline the set of problems you've
identified with respect to payments, or tech/policy issues
Manu Sporny: At this point, the thing that we need to do as the
web payments CG is to whip up interest about the workshop, get
orgs to at least send expression of interest (1-4 paragraphs), if
org is very involved in this space, have them submit a position
paper
Manu Sporny: We've gotten a couple of really interesting things
so far, we're trying to figure out a way to make them public if
we can sooner rather than later so people can see the types of
papers that are being submitted
Manu Sporny: Anything else on the web payments workshop? the
takeaway here is contact as many people as you can
Manu Sporny: There are only 100 spots, all orgs are limited to
sending 1 person right now, if we find out not all 100 seats are
taken up we will allow more than 1 person from an org
Manu Sporny: It can be an individual, not just an org
Manu Sporny: We just want unique ideas brought to the tables
Manu Sporny: If 3 papers have the same content, then the org
with the most influence will likely be invited
Erik Anderson: Would it behoove us to have a reporter from
someone who is active from the bitcoin community?
Manu Sporny: Usually the workshops are not very good venues for
reporters, it may cause orgs to clam up about the things they are
interested in, if the reporter wants to represent on how these
new techs might affect reporting online that would be a good idea
Manu Sporny: It's up to them, they can submit an expression of
interest and then the program committee will decide
Erik Anderson: Ok
Manu Sporny: We want the world to know this stuff is being
worked on, but we don't want to make the orgs that attend uneasy
about saying anything, so there's a balance
Joseph Potvin: Is it worth having a statement about the protocol
for reporting, etc.?
Manu Sporny: That's a good idea, it's hard to strike a balance,
we want people to talk about it, but we want them to talk about
it very accurately
Erik Anderson: The problem is that everything I do is public
record, this is a wide open standard, you can't control this
Joseph Potvin: The protocol I'm talking about is saying you can
talk about issues but not attribute them to anyone
Manu Sporny: In general we just need to discuss it a bit more
and clarify in the program committee
Manu Sporny: Personally, I agree with what Erik said
Manu Sporny: I think the concern comes from a company saying
"hey that's cool" and a reporter running a line saying "google
says they are going to implement web payments" when they made no
such statement
ACTION: Manu to suggest that the Web Payments Program Committee
publish a protocol for journalists and live bloggers at the Web
Payments Workshop.
Topic: New web-payments.org website
Manu Sporny: https://web-payments.org/
Manu Sporny: Before the holiday break we raised the possibility
of rebranding payswarm to "web payments" because we didn't want
the message to be incorrect
Manu Sporny: Some people were getting the message that there's
one company that owns payswarm (inaccurate) and that it was being
promoted at the expense of other techs, when we really want the
message to be that we're working on payment solutions in general
for the web
Manu Sporny: At the same time, we can't just be a community that
talks about payment technologies instead of putting something
forward, the payswarm specs are the first set of specs that have
been submitted to the w3c under patent-free royalty-free
licenses, etc.
Manu Sporny: Following the w3c process for turning things over
to become a standard
Manu Sporny: So far it seems that people are fairly happy with
the rebranding and remessaging
Joseph Potvin: The website is excellent you did a great job on
it, it functions well, it's easy to find stuff, the text is great
Joseph Potvin: What's up with the pig?
Manu Sporny: It's meant to represent money, excesses of
humanity, etc. but if that has to be explained it's a bad logo,
other complaints have come in
Dave Longley: Manu also just loves his animal logos
Manu Sporny: I liked the universal sign for currency from joseph
Joseph Potvin: There are some questions in the communities I'm
involved in with price stabilization, etc. I'm wondering if
there's a way we can have a subgroup under web payments for that
Manu Sporny: I don't know, I imagine that's a question for the
community
Manu Sporny: My personal opinion is that if we get too far away
from technical standards people will drop off
Joseph Potvin: Maybe the web payments community group could have
sub groups for identity, technical, monetary issues (interaction
with the fed)
Manu Sporny: If we make multiple mailing lists things will
splinter and duplicates will occur, but that being said, if this
really needs to happen we can make a separate mailing list
Joseph Potvin: There are a few interests that are of great
interest to me and evidently not too many others on the list
Joseph Potvin: I'm seeing a lot of discussion outside of this
venue and this might be happening with some of the other
particular interests associated here, if there was some way to
link other activities into this sphere it may actually do the
opposite of splintering
Manu Sporny: A lot of the discussions do happen outside the
group, the identity stuff happens across about 5 different
mailing lists
Manu Sporny: Secure messaging is split across ietf and here
Manu Sporny: If you're communicating with people and just using
a big long list of email addresses, then that's a good case for
creating a subgroup
Joseph Potvin: An example: on different indices, I'm
collaborating with a few others to coordinate their work into
indices, people working on their own indexes (eg: retired from
IMF, retired from UK monetary authority). We have a common
interest in a venue for such indices and among us we talk about
how that could be used in the web payments venue; at least there
should be a way to bring others who might not be in this
discussion into the group.
Erik Anderson: You might want to talk with a contact in a large
financial industry about indexes
Manu Sporny: Do you want me to ask w3c staff to create a mailing
list for this?
Joseph Potvin: Does it make organizational sense for how you'd
like to see web payments as a CG/WG proceed ... does it make
sense to have subgroups?
Manu Sporny: W3C has had subgroups before, you can usually
identify a subgroup
Manu Sporny: Another mailing list is cheap, it's not a great
cost
Joseph Potvin: That would be good because I don't think there's
a lot of interest for what I'm working on
Joseph Potvin: In the CG, so I'd prefer to move those
discussions to a subgroup
Manu Sporny: Ok, send an email to the community about this and
we'll see what we can do
Manu Sporny: As always, anyone can submit an edit to the web
payments website, it's on github
Manu Sporny: https://github.com/web-payments/web-payments.org/
Manu Sporny: I see that joseph has already used the github
interface to make some edits
Manu Sporny: It's a completely open website, anyone can submit
pull requests, etc.
Manu Sporny: We're fairly open about who can change what and
when
Topic: Web Payments Workshop Position Paper
Manu Sporny: http://www.w3.org/2013/10/payments/participate.html
Manu Sporny: In order to participate in the web payments
workshop, you have to do one of two things: submit expression of
interest or position paper
Manu Sporny: By design, we didn't mention the web payments CG in
the workshop body text, that allows us to then participate as the
CG
Manu Sporny: In order to do that I was thinking of writing a
position paper with all of the issues we've identified over the
3+ years ... any solution for web payments on the web is going to
have to look at these things, X, Y, Z
Manu Sporny: Outlining all the specs we've worked on and the
reasons why we're working on them
Manu Sporny: We can start the discussion on what the CG has done
by submitting a position paper from the group
Manu Sporny: So the question is whether or not people think
that's a good idea, an alternative would be members submitting
their own papers
Manu Sporny: For instance, DB could submit a paper on payswarm
and Ripple on Ripple
Manu Sporny: We could do both of these things as well
Joseph Potvin: In the way that the agenda works, if it's one
position paper, does that mean it's only going to get one time
slot?
Manu Sporny: Yes, one presentation time slot, we still don't
know what the format for the workshop will be, the first half may
be presentation, the second may be an unconference format,
companies put their topics on a whiteboard and people pick what
they want to attend
Manu Sporny: I don't know is the short answer
Manu Sporny: There will be multiple ways to present topics at
the workshop, not just presentation
Joseph Potvin: It might be useful if a composition paper from
the CG would have more than one section if they'd be submitted
separately
Joseph Potvin: Maybe it should be done by subject not by
individual companies
Manu Sporny: What the CG could do is present "these are what we
think the problems are" and we could have people provide more
specific information on each of those subjects
Manu Sporny: There's no strict format for how we get papers in
there
Manu Sporny: I just don't want the CG to write a paper that
makes it difficult for CG members to attend if they want to
Manu Sporny: Eg: if we submit a position paper with a section on
price indexes, then that means that you (joseph) would not be
able to submit another paper with more details
Manu Sporny: The CG paper could mention the problem but not go
into details, and then let you submit another paper
Joseph Potvin: Would the CG constitute one org?
Manu Sporny: Yes, and that's the problem
Manu Sporny: We don't want to shoot our members in the foot
Manu Sporny: We could submit a paper as DB/CG and coordinate
with CG members to ensure we're not preventing them from
submitting their own paper
Manu Sporny: I think what we'll do is create a wiki page like we
did with the fed paper, I expect a 40% overlap with that paper
Manu Sporny: It will be targeted to the workshop, but we'll
raise the same issues about identity, using linked data, etc.
Joseph Potvin: You said the workshop is just to identify
problems not the solutions?
Manu Sporny: In general, that's the loose thought of the program
committee right now, we (the workshop) want to gather consensus
around what the pain points are with payments on the web today
and discuss how standards can address those
Manu Sporny: We might want to gloss over some of the techs that
could be standardized to address, but this isn't a sales pitch
thing, no org should try to do a sales pitch on their tech
Topic: Web Identity Updates/Concerns
Manu Sporny: We may just say this is a subset that we think
standardization can apply to
Manu Sporny: https://web-payments.org/specs/source/web-identity/
Manu Sporny: So some of this started as a way to deal with KYC
for banks, so banks could do a web request and check a digital
signature on identity information and smooth the whole
transaction process
Manu Sporny: It is not trying to solve login on the web, there
are other mechanisms to do that
Manu Sporny: This should work with those other mechanisms, for
example, when you use persona, one of the pieces of information
that is transferred is your identity URL
Manu Sporny: Using that URL you can do discovery on citizenship
information/age, etc. things of that nature
Manu Sporny:
https://github.com/web-payments/web-payments.org/issues?labels=web-identity
Manu Sporny: We put the spec out in a very unfinished state
because we wanted to get those ideas out there
Manu Sporny:
https://plus.google.com/+ManuSporny/posts/94fooRHDb6T
Manu Sporny: We've got some feedback already
Manu Sporny: On google+ there has been a long discussion
involving people who work on identity on the web, and there's
concern there with overlap and reinventing the wheel, etc.
Manu Sporny: We could start going over the issues in the
identity tracker and try and figure out a general approach for
addressing those issues
Manu Sporny: The first issue that comes up with most people is
that the web identity spec doesn't distinguish itself from
existing solutions
Manu Sporny: We need to clarify that it's not a login solution
for the web, it is specifically not trying to solve that problem
Manu Sporny: It is trying to solve the problem of transferring
private information about yourself to another entity
Joseph Potvin: I worked with some people with the Canadian govt
with this, it's not about login, if people are in an agency that
gets subsumed by another one [missed], all of this becomes an
issue and a horrible mess over 5 years, etc.
Joseph Potvin: The identity issue is huge, it's not an area that
I know myself, if it's useful to have someone that has worked in
the bowels of that issue I can perhaps track someone down to get
some examples of that
Manu Sporny: Yes that would be very helpful, particularly
someone from govt, we hope to be able to let govts use this to
attach information to people's identity online
Manu Sporny: You should be able to store passport information
(encrypted)
Manu Sporny: Etc.
Manu Sporny: It would be even more helpful because if we can
talk to the right people in the canadian govt then we can talk to
them about adopting this as the way to do identity
Manu Sporny: This one integrates with banking so it might be a
different level of interest to them (vs. existing tech)
Joseph Potvin: They are the core procurement side of the govt so
they're dealing with [missed] as well as individuals [missed]
they expressed an interest in sharing what they've done
Manu Sporny: It would be great to get them on a call and make
sure the spec addresses their pain points
Manu Sporny: In general, we need more elaboration on what other
specs we looked at and why they didn't work well for the problem
in front of us
Manu Sporny: That's the first set of feedback that we've had
Manu Sporny: The other set of feedback is more of a technical
nature, dave longley, your feedback
Manu Sporny:
https://github.com/web-payments/web-payments.org/issues/14
Manu Sporny: So the UK wants to write something to your
identity, you've logged in via persona, so they know where your
identity resides, the problem is that your identity provider will
have to say that "so and so is trying to write to your identity"
Manu Sporny: The question is, how do you ensure that the person
who is writing to your identity is who they say they are?
Dave Longley: It captures half of the concern, this is a concern
with reading or writing. [scribe assist by Manu Sporny]
Dave Longley: When some organization wants to access the
identity for reading, you need to know who you're giving that
information out to. It is a concern with both read and write. We
need to have a way to do that. We may want to make it so that
people with identities will trust certain types of
identification methods. [scribe assist by Manu Sporny]
Dave Longley: There are various ways we can approach this, maybe
HTTP Signatures only? [scribe assist by Manu Sporny]
Dave Longley: There needs to be some sort of trust network
behind it, they've said they're the UK Government, but do I know
if that's who they are? [scribe assist by Manu Sporny]
Dave Longley: We could do something similar to what WebID does,
piggyback over SSL certificates? [scribe assist by Manu Sporny]
Dave Longley: If someone wants to read/write to the URL, they
would serve the URL with SSL, if they try to read/write your
identity, you verify that the public key is from that URL and
that URL has a trusted certificate associated with it. [scribe
assist by Manu Sporny]
Dave Longley: That means that anyone that wants to read/write to
your identity must have an identity themselves. If anyone wants
to request your information, they should have some identity
information. Some trust network needs to be tapped into, maybe
the CA trust network. Some fields could be pulled from the SSL
cert so that you know you can trust them. [scribe assist by Manu
Sporny]
Dave Longley: That entire layer is missing from the spec, so
there is no way to know whether or not you should release your
information. [scribe assist by Manu Sporny]
Manu Sporny: The current state is that none of the identity
solutions verify who is doing that reading or writing
Manu Sporny: For example, when you log in via google or twitter,
it says "so and so is trying to read your information" ... they
don't verify anything they just say "are you ok with someone
reading this"
Manu Sporny: If you look at the flow that people are going
through it will likely make it ok in most cases
Manu Sporny: That's not to say it's ok, it's just that there are
varying degrees of information
Manu Sporny: In the case that something isn't verified, we
should throw up a big warning
Manu Sporny: If people don't want to see warnings then people
could associate public keys, etc. for other identities
Joseph Potvin: Is there a privacy model for this?
Manu Sporny: The openID-connect people would say "yes", but the
privacy implications of this is a piece of ongoing work
Manu Sporny: There is always new data that pops up
Manu Sporny: 5 years ago we didn't worry about the NSA snooping
on everything and now we do
Manu Sporny: So some people would say "yes", but I think the
actual answer is no
Manu Sporny: We should engage with those groups working on it
Joseph Potvin: It just might be useful to point to say "our
approach to privacy comes from there"
Joseph Potvin: The whole area of ethics and expertise, etc.
Joseph Potvin: Conform the technologies with that model
Manu Sporny: There was a privacy group that was proposed but I
don't think it went anywhere...
Joseph Potvin: We can take that offline, it's a hot topic of the
year
Manu Sporny: http://www.w3.org/community/dntrack/
Manu Sporny: http://www.w3.org/Security/
Manu Sporny: http://www.w3.org/2011/07/security-ig-charter.html
David I. Lehn: Also, this: http://tools.ietf.org/wg/websec/
[scribe assist by Manu Sporny]
Manu Sporny: Unfortunately, there's no one place to point to
this stuff
Manu Sporny: This became clear at the w3c technical plenary this
year, we realized 5-7 different groups were having this
discussion
Joseph Potvin: Just in terms of identifying requirements to work
towards
Manu Sporny: http://www.w3.org/community/custexpdata/
Joseph Potvin: It could be that the privacy model is over there,
but when doing digital payments, there is no privacy, there is no
model for privacy assurance, that could be an answer, but it
would at least make a clear statement about what the model is,
etc.
Received on Wednesday, 8 January 2014 21:14:22 UTC