Web Payments Telecon Minutes for 2014-03-19

Thanks to Evan Schwartz for scribing this week! The minutes
for this week's Web Payments telecon are now available:

https://web-payments.org/minutes/2014-03-19/

Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
Web Payments Community Group Telecon Minutes for 2014-03-19

Agenda:
  http://lists.w3.org/Archives/Public/public-webpayments/2014Mar/0128.html
Topics:
  1. Web Payments Workshop Agenda
  2. Web Payments Mobile Use Cases
  3. Credential-based Login
  4. HTTP Signatures Update
Chair:
  Manu Sporny
Scribe:
  Evan Schwartz
Present:
  Evan Schwartz, Manu Sporny, Brent Shambaugh, Matt Kaufman, Dave 
  Longley, Erik Anderson, David I. Lehn
Audio:
  https://web-payments.org/minutes/2014-03-19/audio.ogg

Evan Schwartz is scribing.
Manu Sporny:  Any changes to the agenda? *long pause* If not, 
  moving on.

Topic: Web Payments Workshop Agenda

Manu Sporny: http://www.w3.org/2013/10/payments/agenda.html
Manu Sporny:  Agenda is almost finalized. Ton of big 
  multinational companies and startups attending. Only thing that's 
  weak at the conference is participation by retailers and 
  regulators.
Manu Sporny:  6 Sessions, each 2 hours, mostly attendee-driven, 
  main purpose of speakers is to kickstart discussion
Manu Sporny: Session 1 — Overview of Current and Future Payment 
  Ecosystems
Manu Sporny: Session 2 — Toward an Ideal Web Payment Experience
Manu Sporny: Session 3 — Back End: Banks, Regulation, and Future 
  Clearing
Manu Sporny: Session 4 — Enhancing the Customer and Merchant 
  Experience
Manu Sporny: Session 5 — Front End: Wallets - Initiating Payment 
  and Digital Receipts
Manu Sporny: Session 6 — Identity, Security, and Privacy
Manu Sporny: Papers that were accepted are at the bottom of the 
  page: http://www.w3.org/2013/10/payments/agenda.html
Manu Sporny:  Accepted papers for the workshop can be found on 
  conference page
Manu Sporny:  Papers that were not accepted will not be shown on 
  the conference webpage because some of them were quite bad and 
  got bad reviews, authors that want theirs published can publish 
  them through other means
Manu Sporny:  Conference starts next Monday, fantastic group 
  coming to it
Manu Sporny:  All of the minutes will be made public shortly 
  after, if not during the conference
Manu Sporny:  Pindar has asked if we can record the video or 
  audio of the conference, we'll have to ask W3C
Manu Sporny:  W3C might agree to it, unless the PC or attendees 
  don't want it to happen, or if there isn't the time to set it up

Topic: Web Payments Mobile Use Cases

Manu Sporny: Would you mind giving us an overview of the use 
  cases you've been collecting, Brent? 
  https://github.com/w3c-webmob/payments-use-cases
Brent Shambaugh: 
  https://www.w3.org/community/webpayments/wiki/WebPaymentsMobileUseCases 
Brent Shambaugh: https://github.com/w3c-webmob/payments-use-cases
Brent Shambaugh: Due to discussions with Marcos Caceres and 
  Natasha Rooney am attempting to apply the following template:
Brent Shambaugh: Name: name of the solution
Brent Shambaugh: Use Cases: Key use cases for the solution
Brent Shambaugh: Regions and currencies: Any SDKs or APIs which 
  are available to developers
Brent Shambaugh: With the following things to consider (for use 
  cases):
Brent Shambaugh: (1) Add real money to the service
Brent Shambaugh: (2) Buy a physical good in the real world (e.g., 
  a cup of coffee)
Brent Shambaugh: (3) Pay for physical service (e.g., gym 
  membership)?
Brent Shambaugh: (4) Convert virtual money back into paper money
Brent Shambaugh: (5) Transfer money from one person to another 
  (even if the second person is not signed up for the service)?
Brent Shambaugh: (6) Buy product online
Brent Shambaugh: (7) Resolve disputes?
Brent Shambaugh: (8) View transactions?
Brent Shambaugh: (9) Secure the wallet
Brent Shambaugh: (10) Etc.
Brent Shambaugh:  Right now I have a lot of information, trying 
  to fit it in a template
Brent Shambaugh:  Next stage is weeding stuff out, making it 
  more digestible
Brent Shambaugh:  How the phone is communicating with other 
  devices, new hardware or legacy hardware, existing ACH system or 
  replace that entirely with Bitcoin or Ripple, start adding info 
  to transactions with PaySwarm and Linked Data or Namecoin or 
  colored coins?
Brent Shambaugh:  Emphasis towards trying to use the legacy 
  hardware, difficult to push people to use new stuff
Brent Shambaugh:  Convert virtual money back into paper money -- 
  might be a small use case
Brent Shambaugh:  If you compare Stripe and Square, Square has a 
  POS system, Stripe is only an API, no hardware
Brent Shambaugh:  Many systems store reward card or store credit 
  card info in the system
Manu Sporny:  Fantastic amount of info on the wiki page, 
  condensing all of the info down is easier than getting the info
Manu Sporny:  Natasha was hoping we would have a summary to share 
  with the web payments workshop, need a bit more time to condense 
  it further
Manu Sporny:  What are the common features across all of these 
  solutions, what could be standardized and what couldn't, combine 
  that with the CG's work and the workshop attendees input, we'll 
  have some authority to say we've done our homework
Manu Sporny:  Can turn the use cases into spreadsheet of features 
  and solutions and just have check boxes for which solutions have 
  which services and tally the most widely spread features, only 
  problem is that may lose most innovative solutions
Brent Shambaugh:  Do we care about listing hardware stuff too?
Manu Sporny:  Might be good to outline hardware, educates us 
  about what's missing in mobile phones or devices, square reader 
  tells us that card readers are missing from mobile phones
Manu Sporny:  Brent should brainstorm and send an email to the 
  mailing list about how to coalesce info into 1-2 page summary
Manu Sporny:  Brent should talk to Natasha about the most updated 
  list of use cases

Topic: Credential-based Login

Manu Sporny: http://manu.sporny.org/2014/credential-based-login/
Manu Sporny:  Now that Persona's engineers have been transitioned 
  off the project, we needed to at least propose something for 
  doing transmission of digital wallet provider info
Manu Sporny:  Apply Identity Credentials spec to login on the 
  web. When you log in to a website that you need to make a payment 
  on, the process used to transmit payment info should be the same 
  as transmitting address and login info
Manu Sporny:  Email is one credential, shipping address is 
  another credential, where you live, age, etc
Manu Sporny:  Use same method to transmit email as well as other 
  more complicated data, it's all transmission of credentials.
Manu Sporny:  Proposal looked at reasons Mozilla thought Persona 
  failed other than internal problems. Google and Yahoo didn't want 
  to add Persona support
Manu Sporny:  Bypass the email providers so that a number of 
  organizations can digitally sign email address, no longer 
  beholden to email providers.
Manu Sporny:  Persona had to run centralized infrastructure while 
  getting the system off the ground, and that cost Mozilla a lot of 
  money/time.
Manu Sporny:  Proposed decentralized solution based on telehash, 
  didn't know if telehash would work for this but after speaking 
  with Jeremie Miller, he said it could support this login mechanism
Manu Sporny:  Clearly there are problems with this proposal, but 
  the hope was that other people would specify what they would want 
  to replace parts of the system with
Manu Sporny:  Decentralized system could be replaced by any 
  decentralized network, Namecoin, other distributed hash table 
  solutions
Matt Kaufman:  Is anyone aware of Google migrating to Google+ 
  single sign-on? They have a timeline migration table here: 
  https://developers.google.com/+/api/auth-migration
Matt Kaufman:  Why wouldn't the PGP system work for the public 
  key? Maybe with keys stored in DHT?
Manu Sporny:  Making it a little more web-y, trying to remove 
  centralization, login assertions are digitally signed using 
  public-private key crypto. We're using email because the system 
  has to work for people that don't understand crypto. If using an 
  email, need a way of mapping email to identity
Manu Sporny:  System should be online at all times, could use DNS 
  system and make sure that core identity servers are up all the 
  time, but then there needs to be central organization that 
  maintains system
Manu Sporny:  Jeremie Miller has recently picked up telehash full 
  time, he always wanted XMPP to be decentralized
Manu Sporny:  If we want an attack-resistant network, BitTorrent 
  uses Kademlia, MPAA has tried many times to kill it and it hasn't 
  worked
Manu Sporny:  Very attack resilient
Manu Sporny:  Another network like Bitcoin could do it as well
Manu Sporny:  Need to bridge those non-web protocols to the web
Manu Sporny:  User should be able to decide when to share or not 
  share info
Matt Kaufman:  NXP has UCODE Gen2 chip, NFC RFID chip with 
  integrated I2C - do we care about that sort of hardware? Is that 
  out of scope?
Manu Sporny:  We do want to support two factor authentication, or 
  three factor authentication, but we can't count on it being in 
  every device so we leave that up to identity provider.
Manu Sporny:  If they trust no one they can set up their own 
  system
Manu Sporny:  People will pick identity providers based on 
  security and ease of use
Evan Schwartz:  Is the idea that you'd store actual credential 
  data in the Kademlia DHT? Do you only store the latter, just 
  store the mapping? [scribe assist by Manu Sporny]
Dave Longley:  You'd do the latter, right now. Mapping from email 
  to identity provider, primarily. [scribe assist by Manu Sporny]
Manu Sporny:  There is a potential future here where you'd store 
  all credentials in the cloud. [scribe assist by Manu Sporny]
Matt Kaufman:  How will the DHT first be populated?
Manu Sporny:  Go to some website, go to another that will do 
  email verification, now that website will digitally sign that 
  email is tied to your identity
Manu Sporny:  Information is stored at identity provider and then 
  sends something to telehash network, everything is encrypted so if 
  you need to log in to a website you type in email address and 
  passphrase, query goes to telehash network and if the passphrase 
  is correct then it's used to decrypt identity service. Identity 
  service verifies the email verification and sends it to the 
  website.
Manu Sporny:  This is a very loose plan right now, there are a 
  number of security concerns and usability/centralization 
  concerns.
Evan Schwartz:  I'm pretty interested in how to move away from 
  everything being stored by an identity provider. I don't like the 
  idea of depending on a specific service. If they're down, or 
  they're out of range/firewalled, or they're trying to block me, 
  that's not good. [scribe assist by Manu Sporny]
Evan Schwartz:  How does this system prevent the IdP from 
  impersonating me to a different service? How do you prevent the 
  IdP's from impersonating you. [scribe assist by Manu Sporny]
Brent Shambaugh: An improvement on DHT: 
  http://iptps06.cs.ucsb.edu/papers/Pouw-Tribler06.pdf
Brent Shambaugh: Another improvement (INGA) 
  http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.72.7668&rep=rep1&type=pdf
Brent Shambaugh: Use semantic information in the network
Dave Longley:  In the future, an IdP could always come along and 
  provide its own decentralized solution that piggybacks off of 
  this. They could store stuff in the decentralized cloud that 
  avoids this sort of stuff. So, there could be innovation built on 
  top of this. [scribe assist by Manu Sporny]
Dave Longley:  An identity provider could come along and store 
  their info in a decentralized cloud
Erik Anderson:  Anything I need to know about this before the 
  workshop?
Manu Sporny:  No, but we can talk about it there if necessary.

Topic: HTTP Signatures Update

Manu Sporny:  This stuff is important for banking and verifying 
  high value transactions
Manu Sporny: Mark Nottingham and Julian Reschke gave us some good 
  input recently, offlist.
Manu Sporny:  They were positive but the HTTP Auth working group is 
  shutting down in 3 months, but they have offered to make it part 
  of the HTTPbis working group if necessary.
Manu Sporny:  Proposed way to simplify spec for authorization and 
  non-authorization scenarios
Manu Sporny:  Could create new signature header, only adds 4-5 
  paragraphs to the spec
Manu Sporny:  Clear IETF path and clear editorial path
Manu Sporny:  This allows digital signature authorization on HTTP 
  request, even without logging into a service
Manu Sporny:  Integrates with Identity Credentials and JSON-LD
David I. Lehn:  When should we start updating implementations? 
  Some of these are breaking changes, aren't they?
Manu Sporny:  The only thing that should change in library 
  implementations should be addition of signature header
Manu Sporny:  There are ways of making the code change without 
  breaking things that are out there
Dave Longley:  Maybe all the changes could be done in a 
  deprecation manner and phased out over time
Manu Sporny:  Ok, out of time for today. Next week is the Web 
  Payments Workshop, very excited about that. No call next week, 
  we'll pick up again to do a post-workshop wrap up in the first 
  week of April... April 2nd is the next call.

Received on Wednesday, 19 March 2014 18:22:16 UTC