Web Payments Telecon Minutes for 2014-01-08

Thanks to Dave Longley for scribing this week! The minutes
for this week's Web Payments telecon are now available:


Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

Web Payments Community Group Telecon Minutes for 2014-01-08

Topics:
  1. Update on Web Payments Workshop
  2. New web-payments.org website
  3. Web Payments Workshop Position Paper
  4. Web Identity Updates/Concerns
Action Items:
  1. Manu to suggest that the Web Payments Program Committee 
    publish a protocol for journalists and live bloggers at the Web 
    Payments Workshop.
Chair:
  Manu Sporny
Scribe:
  Dave Longley
Present:
  Dave Longley, Manu Sporny, Evan Schwartz, Erik Anderson, Joseph 
  Potvin, David I. Lehn

Dave Longley is scribing.
Manu Sporny:  Any changes to the Agenda?
Evan Schwartz:  None

Topic: Update on Web Payments Workshop

Manu Sporny: http://www.w3.org/2013/10/payments/
Manu Sporny:  The program committee is responsible for setting 
  the agenda for the workshop and saying which participants get to 
  talk on which topics, we're accepting position papers from a 
  variety of orgs, from them we will get a broad representation of 
  the topics across industries, etc.
Manu Sporny:  From now until feb. 8th we can get in papers, 
  typically there is a mad rush at the end to get the papers in
Manu Sporny:  The dates are on the landing page for the workshop
Manu Sporny:  Workshop submissions are open now, we're taking two 
  types, first one is an expression of interest, you can attend 
  workshop by sending in 1-4 paragraphs with why your org wants to 
  attend and what you want to bring to the workshop, etc.
Manu Sporny:  Low barrier of entry to the workshop
Manu Sporny:  Other type is submitting a position paper, 1-5 
  pages long, and should outline the set of problems you've 
  identified with respect to payments, or tech/policy issues
Manu Sporny:  At this point, the thing that we need to do as the 
  web payments CG is to whip up interest about the workshop, get 
  orgs to at least send expression of interest (1-4 paragraphs), if 
  org is very involved in this space, have them submit a position 
Manu Sporny:  We've gotten a couple of really interesting things 
  so far, we're trying to figure out a way to make them public if 
  we can sooner rather than later so people can see the types of 
  papers that are being submitted
Manu Sporny:  Anything else on the web payments workshop? the 
  takeaway here is contact as many people as you can
Manu Sporny:  There are only 100 spots, all orgs are limited to 
  sending 1 person right now, if we find out not all 100 seats are 
  taken up we will allow more than 1 person from an org
Manu Sporny:  It can be an individual, not just an org
Manu Sporny:  We just want unique ideas brought to the tables
Manu Sporny:  If 3 papers have the same content, then the org 
  with the most influence will likely be invited
Erik Anderson:  Would it behoove us to have a reporter from 
  someone who is active from the bitcoin community?
Manu Sporny:  Usually the workshops are not very good venues for 
  reporters, it may cause orgs to clam up about the things they are 
  interested in, if the reporter wants to represent on how these 
  new techs might affect reporting online that would be a good idea
Manu Sporny:  It's up to them, they can submit an expression of 
  interest and then the program committee will decide
Erik Anderson:  Ok
Manu Sporny:  We want the world to know this stuff is being 
  worked on, but we don't want to make the orgs that attend uneasy 
  about saying anything, so there's a balance
Joseph Potvin:  Is it worth having a statement about the protocol 
  for reporting, etc.?
Manu Sporny:  That's a good idea, it's hard to strike a balance, 
  we want people to talk about it, but we want them to talk about 
  it very accurately
Erik Anderson:  The problem is that everything i do is public 
  record, this is a wide open standard, you can't control this
Joseph Potvin:  The protocol i'm talking about is saying you can 
  talk about issues but not attribute them to anyone
Manu Sporny:  In general we just need to discuss it a bit more 
  and clarify in the program committee
Manu Sporny:  Personally, i agree with what Erik said
Manu Sporny:  I think the concern comes from a company saying 
  "hey that's cool" and a reporter running a line saying "google 
  says they are going to implement web payments" when they made no 
  such statement

ACTION: Manu to suggest that the Web Payments Program Committee 
  publish a protocol for journalists and live bloggers at the Web 
  Payments Workshop.

Topic: New web-payments.org website

Manu Sporny: https://web-payments.org/
Manu Sporny:  Before the holiday break we raised the possibility 
  of rebranding payswarm to "web payments" because we didn't want 
  the message to be incorrect
Manu Sporny:  Some people were getting the message that there's 
  one company that owns payswarm (inaccurate) and that it was being 
  promoted at the expense of other techs, when we really want the 
  message to be that we're working on payment solutions in general 
  for the web
Manu Sporny:  At the same time, we can't just be a community that 
  talks about payment technologies instead of putting something 
  forward, the payswarm specs are the first set of specs that have 
  been submitted to the w3c under patent-free royalty-free 
  licenses, etc.
Manu Sporny:  Following the w3c process for turning things over 
  to become a standard
Manu Sporny:  So far it seems that people are fairly happy with 
  the rebranding and remessaging
Joseph Potvin:  The website is excellent you did a great job on 
  it, it functions well, it's easy to find stuff, the text is great
Joseph Potvin:  What's up with the pig?
Manu Sporny:  It's meant to represent money, excesses of 
  humanity, etc. but if that has to be explained it's a bad logo, 
  other complaints have come in
Dave Longley:  Manu also just loves his animal logos
Manu Sporny:  I liked the universal sign for currency from joseph
Joseph Potvin:  There are some questions in the communities i'm 
  involved in with price stabilization, etc. i'm wondering if 
  there's a way we can have a subgroup under web payments for that
Manu Sporny:  I don't know, i imagine that's a question for the 
Manu Sporny:  My personal opinion is that if we get too far away 
  from technical standards people will drop off
Joseph Potvin:  Maybe the web payments community group could have 
  sub groups for identity, technical, monetary issues (interaction 
  with the fed)
Manu Sporny:  If we make multiple mailing lists things will 
  splinter and duplicates will occur, but that being said, if this 
  really needs to happen we can make a separate mailing list
Joseph Potvin:  There are a few interests that are of great 
  interest to me and evidently not too many others on the list
Joseph Potvin:  I'm seeing a lot of discussion outside of this 
  venue and this might be happening with some of the other 
  particular interests associated here, if there was some way to 
  link other activities into this sphere it may actually do the 
  opposite of splintering
Manu Sporny:  A lot of the discussions do happen outside the 
  group, the identity stuff happens across about 5 different 
  mailing lists
Manu Sporny:  Secure messaging is split across ietf and here
Manu Sporny:  If you're communicating with people and just using 
  a big long list of email addresses, then that's a good case for 
  creating a subgroup
Joseph Potvin:  An example: on different indices, i'm 
  collaborating with a few others to coordinate their work into 
  indices, people working on their own indexes (eg: retired from 
  IMF, retired from UK monetary authority). We have a common 
  interest in a venue for such indices and among us we talk about 
  how that could be used in the web payments venue; at least there 
  should be a way to bring others who might not be in this 
  discussion into the group.
Erik Anderson:  You might want to talk with a contact in a large 
  financial industry about indexes
Manu Sporny:  Do you want me to ask w3c staff to create a mailing 
  list for this?
Joseph Potvin:  Does it make organizational sense for how you'd 
  like to see web payments as a CG/WG proceed ... does it make 
  sense to have subgroups?
Manu Sporny:  W3C has had subgroups before, you can usually 
  identify a subgroup
Manu Sporny:  Another mailing list is cheap, it's not a great 
Joseph Potvin:  That would be good because i don't think there's 
  a lot of interest for what i'm working on
Joseph Potvin:  In the CG, so i'd prefer to move those 
  discussions to a subgroup
Manu Sporny:  Ok, send an email to the community about this and 
  we'll see what we can do
Manu Sporny:  As always, anyone can submit an edit to the web 
  payments website, it's on github
Manu Sporny: https://github.com/web-payments/web-payments.org/
Manu Sporny:  I see that joseph has already used the github 
  interface to make some edits
Manu Sporny:  It's a completely open website, anyone can submit 
  pull requests, etc.
Manu Sporny:  We're fairly open about who can change what and 

Topic: Web Payments Workshop Position Paper

Manu Sporny: http://www.w3.org/2013/10/payments/participate.html
Manu Sporny:  In order to participate in the web payments 
  workshop, you have to do one of two things: submit expression of 
  interest or position paper
Manu Sporny:  By design, we didn't mention the web payments CG in 
  the workshop body text, that allows us to then participate as the 
Manu Sporny:  In order to do that i was thinking of writing a 
  position paper with all of the issues we've identified over the 
  3+ years ... any solution for web payments on the web is going to 
  have to look at these things, X, Y, Z
Manu Sporny:  Outlining all the specs we've worked on and the 
  reasons why we're working on them
Manu Sporny:  We can start the discussion on what the CG has done 
  by submitting a position paper from the group
Manu Sporny:  So the question is whether or not people think 
  that's a good idea, an alternative would be members submitting 
  their own papers
Manu Sporny:  For instance, DB could submit a paper on payswarm 
  and Ripple on Ripple
Manu Sporny:  We could do both of these things as well
Joseph Potvin:  In the way that the agenda works, if it's one 
  position paper, does that mean it's only going to get one time 
Manu Sporny:  Yes, one presentation time slot, we still don't 
  know what the format for the workshop will be, the first half may 
  be presentation, the second may be an unconference format, 
  companies put their topics on a whiteboard and people pick what 
  they want to attend
Manu Sporny:  I don't know is the short answer
Manu Sporny:  There will be multiple ways to present topics at 
  the workshop, not just presentation
Joseph Potvin:  It might be useful if a composition paper from 
  the CG would have more than one section if they'd be submitted 
Joseph Potvin:  Maybe it should be done by subject not by 
  individual companies
Manu Sporny:  What the CG could do is present "these are what we 
  think the problems are" and we could have people provide more 
  specific information on each of those subjects
Manu Sporny:  There's no strict format for how we get papers in 
Manu Sporny:  I just don't want the CG to write a paper that 
  makes it difficult for CG members to attend if they want to
Manu Sporny:  Eg: if we submit a position paper with a section on 
  price indexes, then that means that you (joseph) would not be 
  able to submit another paper with more details
Manu Sporny:  The CG paper could mention the problem but not go 
  into details, and then let you submit another paper
Joseph Potvin:  Would the CG constitute one org?
Manu Sporny:  Yes, and that's the problem
Manu Sporny:  We don't want to shoot our members in the foot
Manu Sporny:  We could submit a paper as DB/CG and coordinate 
  with CG members to ensure we're not preventing them from 
  submitting their own paper
Manu Sporny:  I think what we'll do is create a wiki page like we 
  did with the fed paper, i expect a 40% overlap with that paper
Manu Sporny:  It will be targeted to the workshop, but we'll 
  raise the same issues about identity, using linked data, etc.
Joseph Potvin:  You said the workshop is just to identify 
  problems not the solutions?
Manu Sporny:  In general, that's the loose thought of the program 
  committee right now, we (the workshop) want to gather consensus 
  around what the pain points are with payments on the web today 
  and discuss how standards can address those
Manu Sporny:  We might want to gloss over some of the techs that 
  could be standardized to address, but this isn't a sales pitch 
  thing, no org should try to do a sales pitch on their tech

Topic: Web Identity Updates/Concerns

Manu Sporny:  We may just say this is a subset that we think 
  standardization can apply to
Manu Sporny: https://web-payments.org/specs/source/web-identity/
Manu Sporny:  So some of this started as a way to deal with KYC 
  for banks, so banks could do a web request and check a digital 
  signature on identity information and smooth the whole 
  transaction process
Manu Sporny:  It is not trying to solve login on the web, there 
  are other mechanisms to do that
Manu Sporny:  This should work with those other mechanisms, for 
  example, when you use persona, one of the pieces of information 
  that is transferred is your identity URL
Manu Sporny:  Using that URL you can do discovery on citizenship 
  information/age, etc. things of that nature
Manu Sporny:  We put the spec out in a very unfinished state 
  because we wanted to get those ideas out there
Manu Sporny:  We've got some feedback already
Manu Sporny:  On google+ there has been a long discussion 
  involving people who work on identity on the web, and there's 
  concern there with overlap and reinventing the wheel, etc.
Manu Sporny:  We could start going over the issues in the 
  identity tracker and try and figure out a general approach for 
  addressing those issues
Manu Sporny:  The first issue that comes up with most people is 
  that the web identity spec doesn't distinguish itself from 
  existing solutions
Manu Sporny:  We need to clarify that it's not a login solution 
  for the web, it is specifically not trying to solve that problem
Manu Sporny:  It is trying to solve the problem of transferring 
  private information about yourself to another entity
Joseph Potvin:  I worked with some people with the Canadian govt 
  with this, it's not about login, if people are in an agency that 
  gets subsumed by another one [missed], all of this becomes an 
  issue and a horrible mess over 5 years, etc.
Joseph Potvin:  The identity issue is huge, it's not an area that 
  i know myself, if it's useful to have someone that has worked in 
  the bowels of that issue i can perhaps track someone down to get 
  some examples of that
Manu Sporny:  Yes that would be very helpful, particularly 
  someone from govt, we hope to be able to let govts use this to 
  attach information to people's identity online
Manu Sporny:  You should be able to store passport information 
Manu Sporny:  Etc.
Manu Sporny:  It would be even more helpful because if we can 
  talk to the right people in the canadian govt then we can talk to 
  them about adopting this as the way to do identity
Manu Sporny:  This one integrates with banking so it might be a 
  different level of interest to them (vs. existing tech)
Joseph Potvin:  They are the core procurement side of the govt so 
  they're dealing with [missed] as well as individuals [missed] 
  they expressed an interest in sharing what they've done
Manu Sporny:  It would be great to get them on a call and make 
  sure the spec addresses their pain points
Manu Sporny:  In general, we need more elaboration on what other 
  specs we looked at and why they didn't work well for the problem 
  in front of us
Manu Sporny:  That's the first set of feedback that we've had
Manu Sporny:  The other set of feedback is more of a technical 
  nature, dave longley, your feedback
Manu Sporny:  So the UK wants to write something to your 
  identity, you've logged in via persona, so they know where your 
  identity resides, the problem is that your identity provider will 
  have to say that "so and so is trying to write to your identity"
Manu Sporny:  The question is, how do you ensure that the person 
  who is writing to your identity is who they say they are?
Dave Longley:  It captures half of the concern, this is a concern 
  with reading or writing. [scribe assist by Manu Sporny]
Dave Longley:  When some organization wants to access the 
  identity for reading, you need to know who you're giving that 
  information out to. It is a concern with both read and write. We 
  need to have a way to do that. We may want to make it so that 
  people with identities will trust certain types of 
  identification methods. [scribe assist by Manu Sporny]
Dave Longley:  There are various ways we can approach this, maybe 
  HTTP Signatures only? [scribe assist by Manu Sporny]
Dave Longley:  There needs to be some sort of trust network 
  behind it, they've said they're the UK Government, but do I know 
  if that's who they are? [scribe assist by Manu Sporny]
Dave Longley:  We could do something similar to what WebID does, 
  piggyback over SSL certificates? [scribe assist by Manu Sporny]
Dave Longley:  If someone wants to read/write to the URL, they 
  would serve the URL with SSL, if they try to read/write your 
  identity, you verify that the public key is from that URL and 
  that URL has a trusted certificate associated with it. [scribe 
  assist by Manu Sporny]
Dave Longley:  That means that anyone that wants to read/write to 
  your identity must have an identity themselves. If anyone wants 
  to request your information, they should have some identity 
  information. Some trust network needs to be tapped into, maybe 
  the CA trust network. Some fields could be pulled from the SSL 
  cert so that you know you can trust them. [scribe assist by Manu 
  Sporny]
Dave Longley:  That entire layer is missing from the spec, so 
  there is no way to know whether or not you should release your 
  information. [scribe assist by Manu Sporny]
Manu Sporny:  The current state is that none of the identity 
  solutions verify who is doing that reading or writing
Manu Sporny:  For example, when you log in via google or twitter, 
  it says "so and so is trying to read your information" ... they 
  don't verify anything they just say "are you ok with someone 
  reading this"
Manu Sporny:  If you look at the flow that people are going 
  through it will likely make it ok in most cases
Manu Sporny:  That's not to say it's ok, it's just that there are 
  varying degrees of information
Manu Sporny:  In the case that something isn't verified, we 
  should throw up a big warning
Manu Sporny:  If people don't want to see warnings then people 
  could associate public keys, etc. for other identities
Joseph Potvin:  Is there a privacy model for this?
Manu Sporny:  The openID-connect people would say "yes", but the 
  privacy implications of this are a piece of ongoing work
Manu Sporny:  There is always new data that pops up
Manu Sporny:  5 years ago we didn't worry about the NSA snooping 
  on everything and now we do
Manu Sporny:  So some people would say "yes", but i think the 
  actual answer is no
Manu Sporny:  We should engage with those groups working on it
Joseph Potvin:  It just might be useful to point to say "our 
  approach to privacy comes from there"
Joseph Potvin:  The whole area of ethics and expertise, etc.
Joseph Potvin:  Conform the technologies with that model
Manu Sporny:  There was a privacy group that was proposed but i 
  don't think it went anywhere...
Joseph Potvin:  We can take that offline, it's a hot topic of the 
Manu Sporny: http://www.w3.org/community/dntrack/
Manu Sporny: http://www.w3.org/Security/
Manu Sporny: http://www.w3.org/2011/07/security-ig-charter.html
David I. Lehn:  Also, this: http://tools.ietf.org/wg/websec/ 
  [scribe assist by Manu Sporny]
Manu Sporny:  Unfortunately, there's no one place to point to 
  this stuff
Manu Sporny:  This became clear at the w3c technical plenary this 
  year, we realized 5-7 different groups were having this 
Joseph Potvin:  Just in terms of identifying requirements to work 
Manu Sporny: http://www.w3.org/community/custexpdata/
Joseph Potvin:  It could be that the privacy model is over there, 
  but when doing digital payments, there is no privacy, there is no 
  model for privacy assurance, that could be an answer, but it 
  would at least make a clear statement about what the model is, 

Received on Wednesday, 8 January 2014 21:14:22 UTC