Web Payments Community Group Telecon

Minutes for 2014-01-08

Agenda
http://lists.w3.org/Archives/Public/public-webpayments/2014Jan/0047.html
Topics
  1. Update on Web Payments Workshop
  2. New web-payments.org website
  3. Web Payments Workshop Position Paper
  4. Web Identity Updates/Concerns
Action Items
  1. Manu to suggest that the Web Payments Program Committee publish a protocol for journalists and live bloggers at the Web Payments Workshop.
Chair
Manu Sporny
Scribe
Dave Longley
Present
Dave Longley, Manu Sporny, Evan Schwartz, Erik Anderson, Joseph Potvin, David I. Lehn
Audio Log
Dave Longley is scribing.
Manu Sporny: Any changes to the Agenda?
Evan Schwartz: None

Topic: Update on Web Payments Workshop

Manu Sporny: The program committee is responsible for setting the agenda for the workshop and saying which participants get to talk on which topics, we're accepting position papers from a variety of orgs, from them we will get a broad representation of the topics across industries, etc.
Manu Sporny: From now until feb. 8th we can get in papers, typically there is a mad rush at the end to get the papers in
Manu Sporny: The dates are on the landing page for the workshop
Manu Sporny: Workshop submissions are open now, we're taking two types, first one is an expression of interest, you can attend workshop by sending in 1-4 paragraphs with why your org wants to attend and what you want to bring to the workshop, etc.
Manu Sporny: Low barrier of entry to the workshop
Manu Sporny: Other type is submitting a position paper, 1-5 pages long, and should outline the set of problems you've identified with respect to payments, or tech/policy issues
Manu Sporny: At this point, the thing that we need to do as the web payments CG is to whip up interest about the workshop, get orgs to at least send expression of interest (1-4 paragraphs), if org is very involved in this space, have them submit a position paper
Manu Sporny: We've gotten a couple of really interesting things so far, we're trying to figure out a way to make them public if we can sooner rather than later so people can see the types of papers that are being submitted
Manu Sporny: Anything else on the web payments workshop? the takeaway here is contact as many people as you can
Manu Sporny: There are only 100 spots, all orgs are limited to sending 1 person right now, if we find out not all 100 seats are taken up we will allow more than 1 person from an org
Manu Sporny: It can be an individual, not just an org
Manu Sporny: We just want unique ideas brought to the tables
Manu Sporny: If 3 papers have the same content, then the org with the most influence will likely be invited
Erik Anderson: Would it behoove us to have a reporter from someone who is active from the bitcoin community?
Manu Sporny: Usually the workshops are not very good venues for reporters, it may cause orgs to clam up about the things they are interested in, if the reporter wants to represent on how these new techs might affect reporting online that would be a good idea
Manu Sporny: It's up to them, they can submit an expression of interest and then the program committee will decide
Erik Anderson: Ok
Manu Sporny: We want the world to know this stuff is being worked on, but we don't want to make the orgs that attend uneasy about saying anything, so there's a balance
Joseph Potvin: Is it worth having a statement about the protocol for reporting, etc.?
Manu Sporny: That's a good idea, it's hard to strike a balance, we want people to talk about it, but we want them to talk about it very accurately
Erik Anderson: The problem is that everything i do is public record, this is a wide open standard, you can't control this
Joseph Potvin: The protocol i'm talking about is saying you can talk about issues but not attribute them to anyone
Manu Sporny: In general we just need to discuss it a bit more and clarify in the program committee
Manu Sporny: Personally, i agree with what Erik said
Manu Sporny: I think the concern comes from a company saying "hey that's cool" and a reporter running a line saying "google says they are going to implement web payments" when they made no such statement
ACTION: Manu to suggest that the Web Payments Program Committee publish a protocol for journalists and live bloggers at the Web Payments Workshop.

Topic: New web-payments.org website

Manu Sporny: Before the holiday break we raised the possibility of rebranding payswarm to "web payments" because we didn't want the message to be incorrect
Manu Sporny: Some people were getting the message that there's one company that owns payswarm (inaccurate) and that it was being promoted at the expense of other techs, when we really want the message to be that we're working on payment solutions in general for the web
Manu Sporny: At the same time, we can't just be a community that talks about payment technologies instead of putting something forward, the payswarm specs are the first set of specs that have been submitted to the w3c under patent-free royalty-free licenses, etc.
Manu Sporny: Following the w3c process for turning things over to become a standard
Manu Sporny: So far it seems that people are fairly happy with the rebranding and remessaging
Joseph Potvin: The website is excellent you did a great job on it, it functions well, it's easy to find stuff, the text is great
Joseph Potvin: What's up with the pig?
Manu Sporny: It's meant to represent money, excesses of humanity, etc. but if that has to be explained it's a bad logo, other complaints have come in
Dave Longley: Manu also just loves his animal logos
Manu Sporny: I liked the universal sign for currency from joseph
Joseph Potvin: There are some questions in the communities i'm involved in with price stabilization, etc. i'm wondering if there's a way we can have a subgroup under web payments for that
Manu Sporny: I don't know, i imagine that's a question for the community
Manu Sporny: My personal opinion is that if we get too far away from technical standards people will drop off
Joseph Potvin: Maybe the web payments community group could have sub groups for identity, technical, monetary issues (interaction with the fed)
Manu Sporny: If we make multiple mailing lists things will splinter and duplicates will occur, but that being said, if this really needs to happen we can make a separate mailing list
Joseph Potvin: There are a few interests that are of great interest to me and evidently not too many others on the list
Joseph Potvin: I'm seeing a lot of discussion outside of this venue and this might be happening with some of the other particular interests associated here, if there was some way to link other activities into this sphere it may actually do the opposite of splintering
Manu Sporny: A lot of the discussions do happen outside the group, the identity stuff happens across about 5 different mailing lists
Manu Sporny: Secure messaging is split across ietf and here
Manu Sporny: If you're communicating with people and just using a big long list of email addresses, then that's a good case for creating a subgroup
Joseph Potvin: An example: on different indices, i'm collaborating with a few others to coordinate their work into indices, people working on their own indexes (eg: retired from IMF, retired from UK monetary authority). We have a common interest in a venue for such indices and among us we talk about how that could be used in the web payments venue; at least there should be a way to bring others who might not be in this discussion into the group.
Erik Anderson: You might want to talk with a contact in a large financial industry about indexes
Manu Sporny: Do you want me to ask w3c staff to create a mailing list for this?
Joseph Potvin: Does it make organizational sense for how you'd like to see web payments as a CG/WG proceed ... does it make sense to have subgroups?
Manu Sporny: W3C has had subgroups before, you can usually identify a subgroup
Manu Sporny: Another mailing list is cheap, it's not a great cost
Joseph Potvin: That would be good because i don't think there's a lot of interest for what i'm working on
Joseph Potvin: In the CG, so i'd prefer to move those discussions to a subgroup
Manu Sporny: Ok, send an email to the community about this and we'll see what we can do
Manu Sporny: As always, anyone can submit an edit to the web payments website, it's on github
Manu Sporny: I see that joseph has already used the github interface to make some edits
Manu Sporny: It's a completely open website, anyone can submit pull requests, etc.
Manu Sporny: We're fairly open about who can change what and when

Topic: Web Payments Workshop Position Paper

Manu Sporny: In order to participate in the web payments workshop, you have to do one of two things: submit expression of interest or position paper
Manu Sporny: By design, we didn't mention the web payments CG in the workshop body text, that allows us to then participate as the CG
Manu Sporny: In order to do that i was thinking of writing a position paper with all of the issues we've identified over the 3+ years ... any solution for web payments on the web is going to have to look at these things, X, Y, Z
Manu Sporny: Outlining all the specs we've worked on and the reasons why we're working on them
Manu Sporny: We can start the discussion on what the CG has done by submitting a position paper from the group
Manu Sporny: So the question is whether or not people think that's a good idea, an alternative would be members submitting their own papers
Manu Sporny: For instance, DB could submit a paper on payswarm and Ripple on Ripple
Manu Sporny: We could do both of these things as well
Joseph Potvin: In the way that the agenda works, if it's one position paper, does that mean it's only going to get one time slot?
Manu Sporny: Yes, one presentation time slot, we still don't know what the format for the workshop will be, the first half may be presentation, the second may be an unconference format, companies put their topics on a whiteboard and people pick what they want to attend
Manu Sporny: I don't know is the short answer
Manu Sporny: There will be multiple ways to present topics at the workshop, not just presentation
Joseph Potvin: It might be useful if a composition paper from the CG would have more than one section if they'd be submitted separately
Joseph Potvin: Maybe it should be done by subject not by individual companies
Manu Sporny: What the CG could do is present "these are what we think the problems are" and we could have people provide more specific information on each of those subjects
Manu Sporny: There's no strict format for how we get papers in there
Manu Sporny: I just don't want the CG to write a paper that makes it difficult for CG members to attend if they want to
Manu Sporny: Eg: if we submit a position paper with a section on price indexes, then that means that you (joseph) would not be able to submit another paper with more details
Manu Sporny: The CG paper could mention the problem but not go into details, and then let you submit another paper
Joseph Potvin: Would the CG constitute one org?
Manu Sporny: Yes, and that's the problem
Manu Sporny: We don't want to shoot our members in the foot
Manu Sporny: We could submit a paper as DB/CG and coordinate with CG members to ensure we're not preventing them from submitting their own paper
Manu Sporny: I think what we'll do is create a wiki page like we did with the fed paper, i expect a 40% overlap with that paper
Manu Sporny: It will be targeted to the workshop, but we'll raise the same issues about identity, using linked data, etc.
Joseph Potvin: You said the workshop is just to identify problems not the solutions?
Manu Sporny: In general, that's the loose thought of the program committee right now, we (the workshop) want to gather consensus around what the pain points are with payments on the web today and discuss how standards can address those
Manu Sporny: We might want to gloss over some of the techs that could be standardized to address, but this isn't a sales pitch thing, no org should try to do a sales pitch on their tech

Topic: Web Identity Updates/Concerns

Manu Sporny: We may just say this is a subset that we think standardization can apply to
Manu Sporny: So some of this started as a way to deal with KYC for banks, so banks could do a web request and check a digital signature on identity information and smooth the whole transaction process
Manu Sporny: It is not trying to solve login on the web, there are other mechanisms to do that
Manu Sporny: This should work with those other mechanisms, for example, when you use persona, one of the pieces of information that is transferred is your identity URL
Manu Sporny: Using that URL you can do discovery on citizenship information/age, etc. things of that nature
Manu Sporny: We put the spec out in a very unfinished state because we wanted to get those ideas out there
Manu Sporny: We've got some feedback already
Manu Sporny: On google+ there has been a long discussion involving people who work on identity on the web, and there's concern there with overlap and reinventing the wheel, etc.
Manu Sporny: We could start going over the issues in the identity tracker and try and figure out a general approach for addressing those issues
Manu Sporny: The first issue that comes up with most people is that the web identity spec doesn't distinguish itself from existing solutions
Manu Sporny: We need to clarify that it's not a login solution for the web, it is specifically not trying to solve that problem
Manu Sporny: It is trying to solve the problem of transferring private information about yourself to another entity
Joseph Potvin: I worked with some people with the Canadian govt with this, it's not about login, if people are in an agency that gets subsumed by another one [missed], all of this becomes an issue and a horrible mess over 5 years, etc.
Joseph Potvin: The identity issue is huge, it's not an area that i know myself, if it's useful to have someone that has worked in the bowels of that issue i can perhaps track someone down to get some examples of that
Manu Sporny: Yes that would be very helpful, particularly someone from govt, we hope to be able to let govts use this to attach information to people's identity online
Manu Sporny: You should be able to store passport information (encrypted)
Manu Sporny: Etc.
Manu Sporny: It would be even more helpful because if we can talk to the right people in the canadian govt then we can talk to them about adopting this as the way to do identity
Manu Sporny: This one integrates with banking so it might be a different level of interest to them (vs. existing tech)
Joseph Potvin: They are the core procurement side of the govt so they're dealing with [missed] as well as individuals [missed] they expressed an interest in sharing what they've done
Manu Sporny: It would be great to get them on a call and make sure the spec addresses their pain points
Manu Sporny: In general, we need more elaboration on what other specs we looked at and why they didn't work well for the problem in front of us
Manu Sporny: That's the first set of feedback that we've had
Manu Sporny: The other set of feedback is more of a technical nature, dave longley, your feedback
Manu Sporny: So the UK wants to write something to your identity, you've logged in via persona, so they know where your identity resides, the problem is that your identity provider will have to say that "so and so is trying to write to your identity"
Manu Sporny: The question is, how do you ensure that the person who is writing to your identity is who they say they are?
Dave Longley: It captures half of the concern, this is a concern with reading or writing. [scribe assist by Manu Sporny]
Dave Longley: When some organization wants to access the identity for reading, you need to know who you're giving that information out to. It is a concern with both read and write. We need to have a way to do that. We may want to make it so that people with identities will trust certain types of identification methods. [scribe assist by Manu Sporny]
Dave Longley: There are various ways we can approach this, maybe HTTP Signatures only? [scribe assist by Manu Sporny]
Dave Longley: There needs to be some sort of trust network behind it, they've said they're the UK Government, but do I know if that's who they are? [scribe assist by Manu Sporny]
Dave Longley: We could do something similar to what WebID does, piggyback over SSL certificates? [scribe assist by Manu Sporny]
Dave Longley: If someone wants to read/write to the URL, they would serve the URL with SSL, if they try to read/write your identity, you verify that the public key is from that URL and that URL has a trusted certificate associated with it. [scribe assist by Manu Sporny]
Dave Longley: That means that anyone that wants to read/write to your identity must have an identity themselves. If anyone wants to request your information, they should have some identity information. Some trust network needs to be tapped into, maybe the CA trust network. Some fields could be pulled from the SSL cert so that you know you can trust them. [scribe assist by Manu Sporny]
Dave Longley: That entire layer is missing from the spec, so there is no way to know whether or not you should release your information. [scribe assist by Manu Sporny]
Manu Sporny: The current state is that none of the identity solutions verify who is doing that reading or writing
Manu Sporny: For example, when you log in via google or twitter, it says "so and so is trying to read your information" ... they don't verify anything they just say "are you ok with someone reading this"
Manu Sporny: If you look at the flow that people are going through it will likely make it ok in most cases
Manu Sporny: That's not to say it's ok, it's just that there are varying degrees of information
Manu Sporny: In the case that something isn't verified, we should throw up a big warning
Manu Sporny: If people don't want to see warnings then people could associate public keys, etc. for other identities
Joseph Potvin: Is there a privacy model for this?
Manu Sporny: The openID-connect people would say "yes", but the privacy implications of this is a piece of ongoing work
Manu Sporny: There is always new data that pops up
Manu Sporny: 5 years ago we didn't worry about the NSA snooping on everything and now we do
Manu Sporny: So some people would say "yes", but i think the actual answer is no
Manu Sporny: We should engage with those groups working on it
Joseph Potvin: It just might be useful to point to say "our approach to privacy comes from there"
Joseph Potvin: The whole area of ethics and expertise, etc.
Joseph Potvin: Conform the technologies with that model
Manu Sporny: There was a privacy group that was proposed but i don't think it went anywhere...
Joseph Potvin: We can take that offline, it's a hot topic of the year
David I. Lehn: Also, this: http://tools.ietf.org/wg/websec/ [scribe assist by Manu Sporny]
Manu Sporny: Unfortunately, there's no one place to point to this stuff
Manu Sporny: This became clear at the w3c technical plenary this year, we realized 5-7 different groups were having this discussion
Joseph Potvin: Just in terms of identifying requirements to work towards
Joseph Potvin: It could be that the privacy model is over there, but when doing digital payments, there is no privacy, there is no model for privacy assurance, that could be an answer, but it would at least make a clear statement about what the model is, etc.

Created by the Web Payments Community Group. Shared with love under a CC-BY license. Thanks to our contributors.