W3C home > Mailing lists > Public > public-webpayments@w3.org > June 2014

Re: Proof of Concept: Identity Credentials Login

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Sun, 15 Jun 2014 16:22:57 -0400
Message-ID: <539E00A1.2060306@digitalbazaar.com>
To: public-webpayments@w3.org
On 06/12/2014 12:18 PM, Dave Lampton wrote:
> I too am still not convinced identity is always a necessary
> component either. Especially if using a trusted channel. If the
> channel itself identifies the payer, the payee has enough to record
> the debt as paid.

I don't think what you mean by "identity" is what some of us mean by
"identity". This is one of the problems related to the use of that word
wrt. payments. :)

The people that are proposing the Identity Credentials specification are
not saying that identity (knowing exactly who a person is) is a
necessary part of a transaction. What they're saying is that there are
at least two participants in a transaction and we need a reliable way of
identifying each one of the participants via an identifier.

With the PaySwarm specifications, we have chosen the URL to be the
identifier for many of the reasons that the Web has chosen the URL to
identify resources. For example, here are two participants in a transaction:

https://example.com/identities/78fe3
https://foo.net/ids/blerg

Each one of those identifiers may have more information associated with
it, such as a name, birthday, government issued identity card, shipping
address, preferred payment processor, etc. Who can read that extra
information and when depends on the type of transaction and agreements
around the transaction.

For example, a merchant selling digital goods for a game probably
doesn't need to know anything about you, and it would be fine for your
payment processor/software to mask the identity. For example, a
temporary identifier could be used just for a single transaction.

A merchant selling alcohol over the Web would need to know that you're
at least of legal age in your locality to buy alcohol and your shipping
address.

A money transmission service handling a transaction on your behalf for
$50K USD would need to know much more. Whatever identity solution we
choose for payments should take each of these use cases into account.

This is why we have the Identity Credentials specification: to ensure
that we have a good response to these use cases above.

If we do not take those use cases into account, we run the risk of
falling into the same trap that the Bitcoin community did, which is a
design that wasn't very well thought through wrt. how it does or does
not fit in with money transmission regulations in the vast majority of
industrialized nations.

This isn't a theoretical problem. I sat in on a US Federal Reserve
hosted round table last week with top CIOs from a number of banks and
financial processors that need a standardized solution to these
problems. The "identity problem" is a big reason there is so much fraud
today, and a global solution to the problem will make all financial
systems in the world (that adopt it) far safer and more efficient as a
result.

IMHO, operating without a solid understanding of how the payment
technology we're designing here can identify individuals for high-stakes
transactions is a recipe for failure. :)

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The Marathonic Dawn of Web Payments
http://manu.sporny.org/2014/dawn-of-web-payments/
Received on Sunday, 15 June 2014 20:23:27 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:07:31 UTC