Web Payments Community Group Telecon

Minutes for 2013-09-25

Agenda
http://lists.w3.org/Archives/Public/public-webpayments/2013Sep/0126.html
Topics
  1. Update on GSoC Student Progress
  2. Updates to HTTP Signatures spec
  3. Postmortem: World Banking Conference (SIBOS)
  4. Postmortem: EDGE Conference and Financial Times
  5. Identity and Payments
Chair
Manu Sporny
Scribe
Dave Longley
Present
David I. Lehn, Andrei Oprea, Manu Sporny, Dave Longley, Madhu Nott, Melvin Carvalho, Evan Schwartz
Audio Log
David I. Lehn is scribing.

Topic: Update on GSoC Student Progress

Andrei Oprea: Things that I worked on the past two weeks consisted of improvements to the login system, adding gravatar image support for users and adding multiple payees that can be added to receive payment when you create the asset (I had a question about this: I have 3 fields for this, price, currency and payswarm account, how should this last information, the account, be made accessible/publicly-known? Is it acceptable to presume it's known such as an email address?) [scribe assist by Manu Sporny]
Manu Sporny: Yes, financial account URLs can be publicly known just like email addresses.
Andrei Oprea: The commits will be online by the end of the week. [scribe assist by Manu Sporny]

Topic: Updates to HTTP Signatures spec

Manu Sporny: been doing traveling, updated http signature spec in spare time
Manu Sporny: discussing if we wanted to take http sig spec to ietf with nonces and trailers
Manu Sporny: Want to keep the HTTP Signatures spec simple. We moved nonces and trailers into other specs:
Manu Sporny: Greatly simplifies core spec. IETF going to wrap up work soon, wanted to get this into their work pipeline soon.
Manu Sporny: HTTP Signatures spec needs examples updated.
David I. Lehn: One of the examples I made in one of the implementations has the values from the spec in there. So, we should be able to generate that stuff easily. [scribe assist by Manu Sporny]
David I. Lehn: What changed in the examples?
Manu Sporny: Took out nonces and http trailer support. Also, the request line, host, and date are now required to be signed.
Manu Sporny: Did a pass and looks like grammatical things are ok. Security audit document took longer, but is good enough to submit at this point.

Topic: Postmortem: World Banking Conference (SIBOS)

Manu Sporny: Spent last week at world banking conference in Dubai.
Manu Sporny: Introduce PaySwarm, Ripple, etc to people.
Manu Sporny: Spent time with lots of bankers, Bitcoin's chief legal counsel, Director of product strategy from OpenCoin/Ripple.
Dave Longley is scribing.
Manu Sporny: Basically found out that it would be very difficult to switch production banking systems to new tech, old systems written in cobol/fortran from the 80s, they'd have to probably run side-by-side for a decade or two.
Manu Sporny: there were 100-140 banking technology people in the room for the Web Payments presentation. Will have video from that later in the week.
Manu Sporny: SWIFT is an international standards org for banks, so like w3c is to the web, SWIFT is to banks
Manu Sporny: SWIFT doesn't create open source tech for banks, they just define the standards, ISO20022
Manu Sporny: they have 2000 pages long standard about messages banks communicate with each other. SWIFT is many times larger than w3c.
Manu Sporny: SWIFT message was that banks are very conservative when it comes to this tech, and because of this they are one of the last groups to adopt new tech
Manu Sporny: people from payswarm/bitcoin/ripple have hard time communicating with banks because the main threat is for them to even think about integrating tech ... because of how archaic their current architectures are, there's a potential business threat too, but the new tech is the bigger barrier
Manu Sporny: SWIFT wants to participate though
Manu Sporny: they are very open to new tech, and want to get involved with w3c
Manu Sporny: they know that banks will have to deal with these new techs and their standards group believes that they need to at least participate in this work so they can tell banks how to integrate payswarm/ripple/bitcoin into the banking infrastructure when the time comes
Manu Sporny: really good news for us since they want to participate in the standards setting work.

Topic: Postmortem: EDGE Conference and Financial Times

Manu Sporny: yesterday, i was at EDGE, there was an hour long panel on Web Payments: http://www.youtube.com/watch?v=Al3SEbeK61s&t=3h20m5s
Manu Sporny: EDGE was really interesting in that it was one of the first times we had a number of people from the web payments group on the stage
Manu Sporny: and a lot of tech people in the audience, lots of big names in the Web industry like John Resig (jQuery), Paul Irish (Modernizr), Jake Archibald (Google Chrome), Alex Russell (IE Chrome Frame), etc.
Manu Sporny: talking at the conference a lot of people didn't know the web payments work was going on and we had a number of people join the group as a result
Manu Sporny: we had people from stripe join, got some google wallet contacts, people from the audience excited about payswarm, bitcoin, ripple, etc.
Manu Sporny: people from google wallet, etc. still pushing their proprietary stacks but also promoting movement toward something better.
Manu Sporny: payment startups more interested in the new open standard work
Manu Sporny: google/etc. have a proprietary silo and lots of customers there and don't necessarily want to have to compete with others in the area
Manu Sporny: but they are interested in new payment standards, etc.
Manu Sporny: Here's video of the EDGE Conference Panel on Payments: http://www.youtube.com/watch?v=Al3SEbeK61s&t=3h20m5s
Manu Sporny: we were also talking to New York Times, Getty, Associated Press, and International Press Telecommunications Council yesterday at financial times talking about how to get rid of large amount of money spending on proprietary systems.
Manu Sporny: people at all orgs interested in the web payments work as well as an identity solution for their customers.
Manu Sporny: they are pushing us up to their technology teams to take a deeper look at what we're doing, and showing interest in joining us, bloomberg already in the group and very interested/supportive of what we're doing
Manu Sporny: it was a great trip, we got lots of interest in various different verticals, etc.
Madhu Nott: having worked in the banking industry for a long time (JP Morgan Chase, Royal Bank of Scotland, etc.), you'd be surprised at how brittle their systems are, so much is spent just on testing, there is often production code running and there's no documentation and the source code is not available
Manu Sporny: that's scary
Madhu Nott: yes, it's very very difficult, for people working in this environment, etc.
Melvin Carvalho: following conversation on IRC, interesting stuff.
Manu Sporny: i was having discussions about this with [... banks] and people don't want to touch these systems because they "work", they were built in the 1980s and are still part of their core business and in production
Manu Sporny: anyone who had any idea about web tech were slim, only people in core tech teams in SWIFT, etc. if you talk to the bank technologists, they are still in cobol/fortran land, they are talking about private financial networks, only a very high-level (heard of it) understanding of bitcoin
Madhu Nott: these are the people i talk to every day, and one of the banks i was with, and they were working on a part of the infrastructure and it was so old and interesting that a historic museum wanted a piece
Manu Sporny: yeah, that's why it's so difficult for SWIFT to change anything, they have an IBANN[sp?] number
Manu Sporny: and changing one digit in that number would cost banks to spend between 5-10 million to deal with that change
Manu Sporny: because some banks were using that number to decide whether or not banks could use faxes to send money, etc.
Manu Sporny: the banks are very focused on keeping that old infrastructure up and running, they don't have resources to focus on anything new
Manu Sporny: no one is working on this stuff, SWIFT said this was the first time they saw anyone working on open next gen banking technology and they were very excited to hear about it; hopefully we can get some of the SWIFT people on the calls in the future. It was interesting because they said that their hands are tied, they can only really work on stuff that the banks need in the immediate term and no bank wants large disruptive changes, even if they end up with a system that is far better than the one we currently have.
Manu Sporny: the nice thing about SWIFT is that they have so much knowledge about how these financial systems work, etc.
Manu Sporny: they were impressed with payswarm and ripple and bitcoin
Manu Sporny: we've got a very good dialogue going with them and we hope to continue that dialog.

Topic: Identity and Payments

Manu Sporny: so while talking with the banking industry ... one thing became very apparent, there has been a big pain point w/banks for a long time, they don't have an identity solution that works on a banking level
Manu Sporny: this idea that you could do KYC (know your customer)
Manu Sporny: on a customer and then that customer could get a line of credit at a different bank or a new account at a new bank
Manu Sporny: or use that identity to do some other financial activity...
Manu Sporny: you just can't do that today
Manu Sporny: i've also been talking to bitcoin community and they have been having to do KYC
Manu Sporny: and they have to go through the same process that the banks have to go through
Manu Sporny: and when you are doing any kind of financial thing you have to go through that mechanism
Manu Sporny: there are some startups now that are doing just KYC for the banks
Manu Sporny: all of them kind of have the same problem, there is no mechanism to express identity information, verified addresses, social security, etc.
Manu Sporny: there's no container format for it
Manu Sporny: and we've been talking to them and payswarm has a mechanism that would work for all of these banking/financial institutions/organizations
Manu Sporny: we have something that's based on crypto that would let these orgs do identity
Manu Sporny: and verify etc
Manu Sporny: we're trying to figure out a way to work with the mozilla persona people to see if there's an identity solution ... if we can use persona, and the payswarm-based identity solution to address some of these issues for banks and bitcoin-based financial services
Manu Sporny: we've had a decent bit of high level discussion about it on the mailing list
Manu Sporny: some of the discussion went off topic
Manu Sporny: some of it is based on Ricardo's (from Telefonica) and he thinks we're proposing some e-mail based solution, we're not... that's a red herring, so we need to make sure that people understand that we're not being simplistic about this.
Manu Sporny: so i was wondering, madhu, what you were thinking about what banks could pick up in 2-3 years or 7-10 years if we standardized today on the web
Manu Sporny: could you do a quick intro on identity as it relates to banking and we'll go from there?
Madhu Nott: real quick, it may be worth it to delve into this in far more depth on a different call. Here's a high-level overview -
Madhu Nott: today, banks do identity checking as a routine every day process
Madhu Nott: what is essential, and i don't see this changing, is that an identity be govt endorsed, they always want drivers license or passport, etc.
Madhu Nott: that is a fundamental building block
Madhu Nott: they are required by law to know who they do business with
Madhu Nott: they need to know who they do business with, banking secrecy act, etc. layers on additional requirements
Madhu Nott: it is done in a different way by different banks, and sometimes worse it is different per product
Madhu Nott: if you understand where banking has come from, some countries have 4-5 huge banks, others, they have 4-5 big ones and then 7000 smaller banks
Madhu Nott: banks grew up by combining different banks together and diff products
Madhu Nott: if a customer applies for a credit card vs. checking account, KYC is often different between the two
Madhu Nott: even within a single institution
Madhu Nott: it's being done today and in a way that's expensive, it's seen as a significant risk driver, all it takes is 10-20 large accounts or even small ones that fall into the wrong hands and it's a huge issue for the banks
Madhu Nott: if a bank cannot establish your identity, they will and should refuse to do business with you
Madhu Nott: so govt issue is important
Madhu Nott: the problem is coming sideways at me ... if someone said "wouldn't it be a nice thing if you could share identity?"
Madhu Nott: i haven't heard that from the banks
Madhu Nott: the systems are largely closed today as are the protocols for establishing identity and it works quite fast
Madhu Nott: identity can be established in a few seconds
Madhu Nott: there are proprietary stacks to establish identity today and how much is it worth for us to create an open standard for establishing identity? That's the question we should be asking.
Madhu Nott: establishing an open standard for payments will require some identity, but maybe not KYC identity
Madhu Nott: one more point, there is a kind of identity required to KYC, there's another kind to require to authorize transactions
Madhu Nott: today auth and identity are conflated in the banking world
Madhu Nott: establishing that you are manu when you open an account is different from using your payment card
Madhu Nott: identity, authorization are conflated, permission to use, if you will
Madhu Nott: there's a presumed identity there, for example, if you gave me your card, the institutions presume the identity
Madhu Nott: they presume it's you using it, but that's not always true
Madhu Nott: there's a nuance there, things are conflated and that's a problem
Madhu Nott: so that's a different issue, what the system is authorizing is the number ... are there good funds behind it that hasn't been complained about, it isn't establishing that it's actually you spending the funds
Madhu Nott: it was not possible when the system was invented 30 years ago that there were two things separately in an efficient way, we were using signatures and photo ids, etc.
Madhu Nott: but that has gone away, we could achieve this today
Madhu Nott: but doing that, it may be a value-add to the system if we can focus our efforts on that
Manu Sporny: we are using a lot of public key/cryptography with payswarm and bitcoin/ripple
Manu Sporny: there are passwords you could place on your wallet so you need more than the account itself to do a transaction
Manu Sporny: when you do a digital signature your key may be locked in some way so a smart card or something else holds your key that you must unlock to do a payment. Like a PIN on a chip/pin card.
Manu Sporny: so you have to be the actual owner
Madhu Nott: i could see a scenario today where it's far less likely to give someone your atm card to use it vs. a credit card
Madhu Nott: i think it's very valuable to establish the difference/support what people want here
Madhu Nott: the fraud rate is very different for pin-based products (lower fraud)
Manu Sporny: yeah, whenever you have a token it helps lower fraud
Manu Sporny: i don't think whatever identity solution we come up with will be used by the banks right away, it will take time. In fact, the banks may be the last organizations adopting it.
Manu Sporny: if we don't support what they already need then our new tech won't be a good replacement for what they have today
Manu Sporny: they make proprietary calls out to services to do KYC and it would be great if those banks didn't have to pay for that
Manu Sporny: obviously some orgs wouldn't like that but a lot of other orgs that need to verify shipping addresses, etc could all use this system, so it's not just about banks and easier log in on the web, it's about both and more, and making sure we have a solution that can scale to address both of those use case needs
Manu Sporny: do you think that's worth pursuing, madhu?
Madhu Nott: yes, i think it makes sense; if you want to do anything in the world of payments, establishing identity is an essential part of it, if we want to evolve and change the payments world and make it more friendly on the web
Madhu Nott: you always need identity at the very least the identity solution must do as well as the banks now and it's great if it's better and we can advertise that business proposition across different ways
Manu Sporny: Right now, In PaySwarm, we have identities that look like this (public identity information): https://dev.payswarm.com/i/manu
Madhu Nott: we need identity for payments, since we need it, how do we craft something, or use existing mechanisms, that are already available or make it applicable to a wider audience
Manu Sporny: so we have the core of that already in payswarm, the idea here is that you have a URL for your identity in payswarm, at that URL is a whole bunch of machine readable data, in order to get to other stuff there's an ACL, you have to provide access to the person who wants the info
Manu Sporny: an ideal use case would be going to a financial site to log in with persona and then persona would give your identity URL to the bank
Manu Sporny: once the bank has that, it can then start querying that URL to complete its KYC process
Manu Sporny: like, what is the physical mailing address, are they a citizen, etc, all that can be stored in an external identity and queried by the bank and then the banks don't need to pay as much, and the bank doesn't have to keep those processes inside the bank, they can just query this external identity
Manu Sporny: the question is how to trust that information
Manu Sporny: anyone could put whatever they want at that URL, well, what we can do is ... there are companies that already do KYC clearing for customers, instead they can assert some information and digitally sign it, then write it to that identity URL
Manu Sporny: by doing that, as long as the bank trusts the entity doing KYC, if there's a signature on their info at the identity URL from that KYC provider institution, and the customer says "yes, i agree to release this info to the bank i'm signing up for" this seems like a fairly workable solution
Manu Sporny: instead of making these proprietary calls they could just make an open call, and it's really simple and the person is automatically in and the bank doesn't have to pay for KYC'ing the customer.
Manu Sporny: the person just gives access to the bank if they want to and they don't have to fill out any forms, etc.
Manu Sporny: and they just share whatever info they want with the bank and that gets them their account there
Manu Sporny: other companies, vendors, etc. would adopt this first before banks would, to get shipping info, etc.
Manu Sporny: do you think that could work for banks in the future?
Madhu Nott: i think so, in many ways it replicates the work flow of today, which is great, it's a good thing, that's what companies do today that process that's new and different here, is that the customer is giving permission
Madhu Nott: today this information isn't necessarily in the customer's control
Madhu Nott: bureaus currently control it
Madhu Nott: but right now that's exactly what happens now when opening accounts at the bank, we go check the KYC institutions, i trust someone who trusts someone else, etc.
Madhu Nott: and the information flows and ... this new idea works, i think it makes sense
Manu Sporny: this would require just a small set of tweaks to the existing identity solution we have
Manu Sporny: with payswarm
Manu Sporny: the idea here would be that you can write to an identity by posting some JSON to it
Manu Sporny: and the customer could say yes or no
Manu Sporny: and the other thing would be so-and-so institution wants info X, customer says yes or no
Manu Sporny: so that's almost the exact same thing as we do for the PaySwarm buy flow right now
Dave Longley: I don't think you missed anything, that's more or less what we were looking at doing in the future anyway. [scribe assist by Manu Sporny]
Dave Longley: We would have to look at all the details of how to do the "writing to your identity" portion, but what you outlined is the high-level of what would work. [scribe assist by Manu Sporny]
David I. Lehn: could this work in the background?
Manu Sporny: it could work like our budgeting feature right now
Manu Sporny: to grant continuous access to certain institutions,
Manu Sporny: then they could pull when you wanted
Manu Sporny: this would allow them to pull the info whenever they needed to use it
Manu Sporny: that may be a version 2.0 thing, we don't necessarily need it in the first cut
Manu Sporny: we also need to figure out how to integrate this with persona and the larger identity sphere
Manu Sporny: persona can already clear 700 million+ email addresses so that's a good start/place to get this integrated
Manu Sporny: i'm hoping next week we can get the mozilla persona folks here to discuss this stuff
Manu Sporny: that's the last bit, we can do everything else
Manu Sporny: we just need the persona folks to tell us how to tie an identity URL to a login
Manu Sporny: any other comments or questions?
Manu Sporny: if that's a fairly easy technical solution then we just need to do the specs, etc.
Manu Sporny: thanks all
Evan Schwartz: bye

Created by the Web Payments Community Group. Shared with love under a CC-BY license.