Web Payments Community Group Telecon

Minutes for 2013-05-01

Agenda
http://lists.w3.org/Archives/Public/public-webpayments/2013Apr/0100.html
Topics
  1. Introductions
  2. Web Payments - Collaborating Organizations
  3. Web Payments - Collaboration Timeline
  4. PaySwarm / Mozilla's Payment mozPay() API
  5. Persona / Web Keys
  6. Web Keys / IETF HTTP Signatures
  7. Next Telecon
Chair
Manu Sporny
Scribe
Dave Longley
Present
Natasha Rooney, Manu Sporny, Dave Longley, Brent Shambaugh, David I. Lehn, Mark Cavage, John Foliot, Ian Myles, Pindar Wong
Audio Log
Natasha Rooney: Manu, I might need to just attend on IRC - big meeting happening here at GSMA today, but I will be paying attention!
Manu Sporny: ok Natasha, thanks for the update - we'll be recording the audio for the call, so you can always listen to it later (or just read the minutes)
Dave Longley is scribing.
Manu Sporny: today is basically going to be a review of everything that has been going on in the past month/month and a half
Manu Sporny: and an update for each one of the projects
Brent Shambaugh: does web payments collaboration go into what's going on in various groups, etc.?
Manu Sporny: yes, and we'll put down a timeline for what's going on in the future
Manu Sporny: are there any updates/changes to the agenda?
David I. Lehn: if we have time we could talk about the recent rise of crypto currencies in the public and how that fits into this work

Topic: Introductions

Manu Sporny: my name is Manu Sporny. I'm currently the chair of RDFa, JSON-LD, and web payments groups at W3C. Also CEO of Digital Bazaar, our primary interest is in figuring out a way to build payments into the core architecture of the Web.
Dave Longley: my name is Dave Longley - co-founder and CTO of Digital Bazaar. Spend most of my time doing software/spec design and implementation for PaySwarm. [scribe assist by Manu Sporny]
David I. Lehn: Work on PaySwarm specs/work and commercial implementations of it. [scribe assist by Manu Sporny]
Mark Cavage: I'm Mark Cavage. I'm a software engineer at Joyent and was also in charge of a group that did identity/authentication at Amazon Web Services. I wrote the http-signature spec we'll be discussing later.
John Foliot: Good morning, my name is John Foliot. I'm a member of various W3C groups and task forces. I work for JP Morgan Chase, this caught my interest, I'm looking to see what's going on in this area. Personal interest, not representing my employer.
Ian Myles: Hi, my name is Ian Myles from JP Morgan Chase - John Foliot let me know about this, here as an observer, not representing my employer in any way.
Brent Shambaugh: i'm Brent Shambaugh. I'm looking into Web Payments, it's kind of a long story, i began looking into this with online web economies. Melvin Carvalho directed me here. I'm working on the MNDF distributed economy project http://bshambaugh.org/MNDF_Project.html . I'm interested in web payments in a more holistic view of how it would all work
Natasha Rooney: I'm Natasha Rooney from the GSM Association. We represent 800 mobile operators in over 220 different countries. I run the w3c stuff from within the GSMA and we're interested in web payments there because we like things that work with money (joke)
Pindar Wong: Hi, this is Pindar Wong from Creative Commons / Asia-Pacific Internet Association. Based out of Hong Kong. I've been interested in financial topography for several years. I've been following the group for a while, I'm interested in financial policy, etc. and relation to taxes/banking and sales of digital assets and intellectual property.
Manu Sporny: Mozilla, and Telefonica in the EU, send in their regrets for today. A few other companies are waiting for clearance from their legal departments to join us on these calls. The next call is may 15 and they may join then.

Topic: Web Payments - Collaborating Organizations

Manu Sporny: There have been multiple companies that have shown interest now in participating. Mozilla working on the mozPay() API. Digital Bazaar working on PaySwarm. Telefonica (Mozilla's partner for mozPay API and Firefox OS). We have the IETF HTTP 2.0 WG, specifically the HTTP Auth Working Group. Some participants from the WebCrypto API group at W3C and some members from the standards body for GSM mobile devices (GSMA).
Manu Sporny: they are based out of the EU, and we also have some other people interested from various smaller companies.
Manu Sporny: any questions about the companies/people interested in participating in the web payments work?
Manu Sporny: the goal is to try and get more and more companies involved, specifically more browser vendors, over the next couple of months, and then banking and financial companies.
Manu Sporny: That's one of the reasons I'm glad you joined the call, John (Foliot) for that reason
Manu Sporny: Let's move on to the timeline for Web Payments Work

Topic: Web Payments - Collaboration Timeline

Manu Sporny: the idea here is that we're trying to get the web payments work kicked off at the w3c and we're trying to figure out which set of specifications will be the first in the pipe at w3c
Manu Sporny: and how to coordinate with a number of the aforementioned companies
Manu Sporny: in may we're trying to work with mozilla to get the mozPay API formatted into a w3c spec
Manu Sporny: right now it's on the mozilla wiki, we'll transition that to w3c
John Foliot: Need to be 100% clear that I am here as an interested individual, and not representing my employer. *VERY IMPORTANT*!
Manu Sporny: in june there's a w3c advisory committee meeting, there's currently a headlights program at w3c that is trying to figure out if web payments should be a big part of the late 2013-2014 big plans
Manu Sporny: if enough companies/people say web payments are a priority, then the hope is that a working group will be created around web payments
Manu Sporny: that's happening in june, we're trying to get support from w3c companies to get the web payments stuff started
Brent Shambaugh: if you follow the bitcoin forums, it would be an interesting thing to watch to see people associating urls with payments, etc.
Manu Sporny: we want bitcoin to be able to work with the specs we created, either via the mozPay api or via the payswarm specs, we want to keep our eyes on that over the next year
Manu Sporny: earlier in the year we talked with some core bitcoin developers and they were very interested in the web payments work
Manu Sporny: we have been talking with the ietf on how to standardize the spec that mark cavage wrote (http-signatures)
Manu Sporny: we hope to get something published very quickly (by july) via IETF on http-signatures
Mark Cavage: i think that's great, i hope that one of the things you get out of this call is figuring out exactly what that work entails, i haven't done an IETF spec before, but i know that Dave Longley has been looking at the spec and reviewing it (and David Lehn has been making some code changes to the implementation)
Mark Cavage: i know there are perl and python implementations as well, we'll have to look at the deltas there (and get things synced up)
Manu Sporny: so that's july the ietf http-signatures spec
Manu Sporny: i've been invited to speak at sibos by peter who runs innotribe, etc. and swift and they are interested in web payments and they'd like to be involved in that work in some way
Manu Sporny: that's happening in september
Manu Sporny: in october of this year i'm hoping to figure out some way of going to the Internet Governance Forum
Manu Sporny: pindar do you have anything to say about that?
Pindar Wong: a lot of these issues bring together payments, taxation, intellectual property, and Internet Governance. I'm hoping that you'll be able to go to Bali, Indonesia for a high level meeting with *a number* of delegates and discuss Web Payments.
Manu Sporny: The Internet Identity Workshop and the Internet Governance Forum in Bali happen at the same time
Manu Sporny: so we're trying to get someone else from web payments to go to the identity workshop so i can go to bali
Manu Sporny: We plan to, in the november/december timeframe, have a workshop on web payments via W3C.
Manu Sporny: so it's going to be a very full year related to web payments
Manu Sporny: this year the interest is very strong
Manu Sporny: any questions about the timeline before we move on?
John Foliot: Manu, is that schedule/calendar posted anywhere?
Manu Sporny: no the schedule is not posted yet, i'll be sending it to the web payments mailing list, does that work?
John Foliot: yes

Topic: PaySwarm / Mozilla's Payment mozPay() API

Manu Sporny: Introduction to the Mozilla Payments API: https://hacks.mozilla.org/2013/04/introducing-navigator-mozpay-for-web-payments/
Manu Sporny: mozilla's mozPay api was introduced in April of this year, just last month, there's a link to a post about it in IRC. It's about being able to do payment in the browser whilst being agnostic to the payment network, the idea is to support multiple payment methods all through one payment API
Manu Sporny: They are launching this on the telefonica phones that the firefox os will be running on
Manu Sporny: PaySwarm also had a commercial release in April of this year - http://blog.meritora.com/launch/
Manu Sporny: we need to get that mozPay api into a w3c spec and figure out how the various systems will integrate
Manu Sporny: there is a commercial implementation of PaySwarm that launched in April
Manu Sporny: More details here about the identity system for PaySwarm: https://hacks.mozilla.org/2013/04/web-payments-with-payswarm-identity-part-1-of-3/
Manu Sporny: Products for sale on the web via PaySwarm: https://hacks.mozilla.org/2013/04/payswarm-part-2/
Manu Sporny: the specs we've been working on for the past 2 years now have a commercial implementation behind them, the launch is just in the US for now, and uses US dollars, but we cover identity online and how to link payments and identity, how to mark up products for sale on the web, and how to do an actual purchase using PaySwarm
Manu Sporny: all of these are talked about in a 3-part series on a mozilla hacks post
Manu Sporny: the number one goal is to make the payments API in the browser payment-network agnostic
Manu Sporny: the idea here is that multiple different vendors could come in and provide various different methods of payment mechanism through the browser
Manu Sporny: and all of these things play into figuring out how we make all of these things happen in the web payments group
Manu Sporny: any questions on mozilla's payments API at this point?
Brent Shambaugh: there's a lot of stuff going on, we're interested in figuring out where we come into all this
Manu Sporny: there is a lot of work in front of us so the more people we have involved in the CG and the WG the better off we'll be
Manu Sporny: the more people that are heavily involved in the CG the better because when the WG starts up, we'll be able to transition those people over to the WG and we won't have to spend time trying to figure out who is working on what
Manu Sporny: any comments or questions on the mozPay api/PaySwarm specs?

Topic: Persona / Web Keys

Manu Sporny: Persona beta 2 just launched earlier this month: https://hacks.mozilla.org/2013/04/persona-beta-2-launch/
Manu Sporny: the set of PaySwarm specifications specifies its own identity mechanism that overlaps slightly with Mozilla's Persona
Manu Sporny: persona is about a single sign-on mechanism for the web
Manu Sporny: that link talks about what identity on the web means, and is about making sign on more secure by getting rid of passwords, etc.
Manu Sporny: PaySwarm also has an identity mechanism that overlaps by a fairly sizeable amount: https://hacks.mozilla.org/2013/04/web-payments-with-payswarm-identity-part-1-of-3/
Manu Sporny: we also have an identity solution in payswarm that is a bit different
Manu Sporny: It's based off of this public keys for the Web spec: https://payswarm.com/specs/source/web-keys/
Manu Sporny: we have something called a web keys specification that turns the web into a public key infrastructure system
Manu Sporny: the idea here is to figure out a way to get web keys and persona to work together
Manu Sporny: so we don't end up with two different identity mechanisms
Manu Sporny: where you'd use persona to log into the web and the web keys stuff to do payments
Manu Sporny: hopefully we can merge them
Manu Sporny: it would be a big failure to standardize if we can't figure that out
Manu Sporny: we're in contact with ben adida, lloyd, dan callahan in the persona community
Manu Sporny: i worked closely with ben adida on rdfa, they are interested in making web keys and persona work together
Manu Sporny: any questions about persona/web keys?

Topic: Web Keys / IETF HTTP Signatures

Manu Sporny: The Web Keys spec is here: https://payswarm.com/specs/source/web-keys/
Manu Sporny: we (Digital Bazaar) had created a Web Keys spec to sign JSON blobs, and we also wanted the ability to sign HTTP requests (at a lower level) but do it in a way that allowed people to publish keys anywhere on the web
Manu Sporny: so this is about allowing http requests (for authentication) to be signed using a PKI that lives on the web
Mark Cavage: for context, i am one of the lead software engineers at joyent and we have a slew of REST apis, before this i was the lead engineer at the amazon web services team, so i've been working with authenticated REST APIs for quite a while, there really is no open spec that solves this problem nicely, i think, most of what is out there was based on HMAC, and having done things with HMAC i have no interest in doing symmetric key management again because it's a nightmare, when i wrote this most of the talk was coming out of the oauth spec which is basically hmac/a cookie
Mark Cavage: so that's sort of the motivation for having written it, to avoid HMAC and have something that works
Mark Cavage: one of the nice properties of what we did is ultimately that we just use our customer's ssh keys
Mark Cavage: certainly technical power users are able to reuse that key management system
Mark Cavage: longer term one of the things that we wanted with the spec was to use smart card technology and have people maintain their keys on that
Mark Cavage: i personally at joyent am very delighted that you guys have picked this up
Mark Cavage: we're very interested in getting this pushed through at IETF/W3c
Mark Cavage: that's the background for where it came from and where it exists and right now there's no real alternative, still, that i see
Manu Sporny: to fill in the other side of it, we came across mark's spec (dave lehn did) and saw that it fits in really nicely with web keys and that it belongs at the IETF, etc. and it integrated cleanly and nicely
Manu Sporny: we're in a lot of agreement with mark w/hmac, etc. and the approach this spec took
Manu Sporny: there was some initial push back at the IETF http authentication group
Manu Sporny: but that's because there's a lot of other work going on there
Manu Sporny: and some of it has to do with creating sessions, etc. and we're not interested in sessions for REST APIs, etc.
Manu Sporny: and the http-signature spec is clean and simple to use and build on top of, so i think we can see some progress getting it through
Manu Sporny: one of the questions mark had was how does the process work to getting an RFC out
Manu Sporny: i talked to the technical lead on this at IETF and we just need to put the http-signature spec into an RFC format and publish it anywhere on the web
Manu Sporny: we'll probably publish it on the payswarm website first and then through the http auth IETF working group
Manu Sporny: anyone can publish an experimental spec there
Manu Sporny: and then we'll have a long slew of arguments about the benefits and drawbacks of http signatures over HOBA and multifactor authentication, etc.
Manu Sporny: there are several other specs in the running and we'll see if http signatures can stand on its own or get absorbed into another one
Manu Sporny: i feel that a large amount of the technical work is done at this point, unless we find some kind of security vulnerability with it
Manu Sporny: do you agree with that general summary and approach, Mark?
Mark Cavage: yes, i don't see any problems with that, and wherever it ends up, as its own standalone spec, or absorbed into another spec, anything would be better than how it is alone now
Manu Sporny: any other comments on the http-signature stuff, etc.?

Topic: Next Telecon

Manu Sporny: the purpose of the q/a on the next telecon will be about figuring out how to get persona/payswarm/mozpay to work together, etc. and what the long term goals are to integrate, etc.
Manu Sporny: it should be a very interesting call because it will be about the main driver behind the web payments work
Natasha Rooney: i will be on a flight during that next call
Manu Sporny: we'll see if other people want to move the call, but it's always difficult to get everyone together at a particular time
Manu Sporny: we make announcements about all of these calls and the technical discussion on the web payments mailing list
Dave Longley: I think we should also mention that there are two public webpayments mailing lists. [scribe assist by Manu Sporny]
Manu Sporny: Yes, this group operates on public-webpayments@w3.org - see http://lists.w3.org/Archives/Public/public-webpayments/
Manu Sporny: next call will be May 15th, thanks everyone!

Created by the Web Payments Community Group. Shared with love under a CC-BY license.