Web Payments Workshop - Wrap-up

Minutes for 2014-03-25

  1. Wrap-up of Workshop
  2. Existing Work/Short-term at W3C
  3. Strategic/Long-term Initiatives at W3C
  4. Goodbye and Next Steps
Daniel Appelquist
Manu Sporny
Daniel Appelquist, Manu Sporny, Stéphane Boyera, Wendy Seltzer, Charles McCathie Nevile, Ricardo Varela, Dave Raggett, Prakash Hariramani, Robin Berjon, Olivier Maas, David Ezell, Bryan Sullivan, Marie-Claire Forgue, Harry Halpin, Mountie Lee, Joseph Potvin, Jeff Jaffe, Giridhar Mandyam, WonSuk Lee, Virginie Galindo, Jörg Heuer, Stan Stalnaker, and 81 others for a total of 103+ people
Manu Sporny is scribing.

This page contains minutes for an official W3C workshop event that have been cleaned up and reformatted by the Web Payments Community Group. The W3C and the Web Payments Community Group are two separate organizations. Readers should understand that while the workshop was an official W3C event, the operation of the Web Payments Community Group is not officially sanctioned by W3C's membership. More information on joining W3C (membership fees) and/or the Web Payments Community Group (free) can be found on the respective websites.

Topic: Wrap-up of Workshop

Stéphane Boyera: I'm going to publish slides soon, Dan, on the Web Payments Workshop webpage.
Daniel Appelquist: I'm Dan Appelquist, I work for Telefonica, I chaired the program committee and chair the Technical Architecture Group (TAG) at W3C.
... The next hour will be unstructured, be interactive.
... So, what are the actionable items for W3C?
... What existing efforts are going on in W3C? Could those groups be influenced by this workshop? Think about this stuff.
... So, let's go through this - we've learned some interesting things.
... The Web should be a level playing field - that's a key concept for the Web. That leveling may be threatening to certain parties. We have to keep that in mind.
... There are not two different worlds (physical and web) - there is one world. More and more, this is not about "Web Payments", it's just "payments" and we're doing "commerce".
Daniel Appelquist: There is no distinct mobile web and fixed web.
... An underlying theme - the web includes both the browser and the web of data.
... When we talk about Web Crypto, we are talking about the browser.
... A browser centric web - that's where a lot of the energy is.
... The Web includes data and data formats. When we start talking about receipts, we need to think about that.
... We've talked about payment scenarios - physically transacting via web app, physically transacting via merchant device, user online and app is online, user to user, etc.
Attendees start to bikeshed wording on live document that Dan is editing.
Wendy Seltzer: Can we worry about the exact wording later?
Charles McCathie Nevile: +1 to Wendy - let's not spend too much of our time agreeing on the exact weasel words we are all happy with, so long as we have done enough to remember the idea *clearly enough*
Daniel Appelquist: There has been a lot of talk of the primitives / building blocks - clear technical work that is going on right now, or may need to start.
... The second category is more strategic, prioritization of requirements, perhaps by splitting off a new WG?
... There are different kinds of groups that W3C can create - technical deliverable groups, interest groups (places to generate requirements / prioritize)
... There might be a call for a more strategic interest group.

Topic: Existing Work/Short-term at W3C

Daniel Appelquist: Work that's already going on - webapps, security, other, etc.
... the payto: URI scheme was an interesting proposal.
Charles McCathie Nevile: Outside the payments CG, there isn't work in this area. There used to be Web Intents work
... There was work on intents, which has gone to sleep.
... The CG might be the place to develop that further?
Charles McCathie Nevile: For WebApps, our charter is being rewritten right now in a final draft. If there is stuff that should be in there, right now would be a good time to propose it. There will be a face-to-face meeting in April.
Daniel Appelquist: How do we influence that?
Charles McCathie Nevile: You tell us you want to work on something, if we have consensus, we add it.
... We'll work on new pieces of web stuff to support stuff. If it's in scope, we can add it.
... It could be that we tell folks to do it in a different group - WebApps is a big group, lots of important players involved already. Disadvantage is that it's a big group, if you don't have people actively working on something, it'll disappear.
Ricardo Varela: I think we should also keep in mind work done in other related areas that got mentioned... e.g. RFC 2801 (IOTP), PayPal express button code (similarities with payto: link schema suggested).
Dave Raggett: There are several other W3C groups of interest, e.g. System Applications, Web Crypto, NFC, Geolocation, etc.
Ricardo Varela: And keep payment providers involved so they can share whether discussions fit with their current APIs or not
Daniel Appelquist: Request Autocomplete is going on in WebApps, so good example of piece of work that I strongly recommend that people read.
Charles McCathie Nevile: What webapps is currently working on and where it is up to: http://www.w3.org/2008/webapps/wiki/PubStatus
Ricardo Varela: (Eg: we have netm in the room and I'm pretty sure any links to pay with credit card but not mobile billing can be raised by them, same with bitcoin processors)
Prakash Hariramani: RequestAutoComplete was announced by Google last May - it's something that's a payments template. There is a chromium dev. post, we'll put that in IRC.
Olivier Maas: What does PCI have to say about this?
Prakash Hariramani: RequestAutoComplete details are here: http://www.chromium.org/developers/using-requestautocomplete#id.befidh5t7x8d
Daniel Appelquist: That's exactly the type of feedback that should go into that group.
... WebApps is via a public mailing list, you can give feedback there. W3C groups MUST respond to public feedback.
Daniel Appelquist: Going back up - lots of conversation about digital receiving - payment requests, digital receipts. Relate to schema.org - JSON-LD format. - description of goods machine/human readable.
Charles McCathie Nevile: A draft proposal for the new webapps charter: http://afbarstow.github.io/WebApps/charter.html
Dave Raggett: This is likely to need to be an extensible format rather than a closed one
Daniel Appelquist: There isn't work going on in here at W3C - payment requests, digital receipts, - this could be a new work item for W3C, possibly for a new WG.
Daniel Appelquist: This is clearly something that's important.
David Ezell: Should we check outside W3C too? IFSF has a card vocabulary - card request, card response, we should look at what they've done.
Charles McCathie Nevile: Let's talk to the group that is working on digital items - EME work, HTML WG task force - let's see if that group is interested in digital receipts.
Daniel Appelquist: We might want to think more about the Trusted UI stuff - is there work going on on this? I don't think there is.
Bryan Sullivan: I was going to comment that schema.org seems to be less viable a resource for W3C given ongoing difficulties getting them to allow W3C to leverage / align / influence their work.
Daniel Appelquist: There is the Secure UI
Charles McCathie Nevile: WebApps Sec might be interested in Trusted UI
Marie-Claire Forgue: More information on the WebAppSec group: http://www.w3.org/2011/webappsec/
Marie-Claire Forgue: And the security IG: https://www.w3.org/Security/wiki/IG
Marie-Claire Forgue: ... And the STRINT workshop papers: https://www.w3.org/2014/strint/
Wendy Seltzer: Web Security IG, Web Apps Sec WG is doing XSS protection, site protection, Web Security IG, STRINT workshop (W3C and IETF IAB), interest - how do we help users to deal w/ plethora of choices, right context for making security decisions.
Harry Halpin: This may be confusing for people that don't know about W3C. Here's some background - Interest Groups have high-level strategic role, communications, roadmaps, kick out requirements for future Working Groups.
Harry Halpin: Interest Groups kick stuff out to Working Groups - who then do implementations.
Harry Halpin: Community Groups also feed data into IGs and WGs. Anyone can start a grass-roots community group, they work on pre-standards stuff.
Mountie Lee: What are the requirements for the user environment - none of the working groups were accepted for specs - there is still a question about that.
Dan shows what the STRINT website looks like, what came out of it.
Joseph Potvin: Relationship between IGs and other IGs - can groups be created where they provide input to other IGs?
David Ezell: International Forecourt Standards Forum Information, IFSFI might be interested in this stuff - http://www.ifsf.org/
David Ezell: Electronic Payment Server overview: http://ifsf.org/archive.aspx ... search for "Part 3-19 IFSF POS to EPS Interface Specification"
Joseph Potvin: Should there be a parallel community group - Web Payments CG - could this other group be an interest group?
Charles McCathie Nevile: I don't think it makes sense to have parallel groups - we may want an IG instead of the CG.
Charles McCathie Nevile: The process differences can be different - there is a different IPR policy, different set of rules.
... One of the things that happens when you get into regulation - how do you define competition, open processes are important. I would be happy for the Web Payments CG to continue - the one thing I would be concerned about is that big players don't like IPR policies of CGs.
Jeff Jaffe: I want to clarify - within the W3C, we have the official process of W3C, and then we have the less formal processes - official process has W3C WGs that work on next generation standards.
... IGs work on use cases / requirements to feed recommendation track.
... Web and TV IG are trying to figure out what we need for entertainment.
... CGs are not an official part of the process, but we make it available so we can capture the innovation of the Web community, which is far broader than official process. To give you some sizing, our CG group is 3x the size of our WGs.
Jeff Jaffe: We probably need an IG for payments. The Web and TV IG, in addition to feeding WGs, they adopted several CGs that they want to work on prestandardization work.
Joseph Potvin: Thanks for the guidance - asked by Central Banker publications to see what parts of this event should be interesting to them. Then next step is how they provide input.
Charles McCathie Nevile: Note also that Interest Groups get dedicated W3C resources, Community Groups do not.
Joseph Potvin: In the case of Bitcoin, China, Finland, they do not consider Bitcoin not currency - sounds theoretical, but it invokes a whole different set of laws - for regulators that's crucially important. So we need to get this messaging right - who is working on what, what is the timeline?
Joseph Potvin: Where should these legal/regulatory issues go?
Jeff Jaffe: We don't make comments on laws - maybe an IG?
Charles McCathie Nevile: More about the W3C Process: http://www.w3.org/Consortium/Process/ ... see chapters 3 and 6
Daniel Appelquist: This is what I'm trying to get across - there may be an IG to get across these issues. Other answer to your question is things like - what are these other building block elements?
Daniel Appelquist: Out-of-band authentication, NFC APIs, banking community could engage there.
Dave Raggett: We're looking for companies to become involved in NFC.
Harry Halpin: To build off of what Jeff said - grass roots community groups are good for ideas. If you want something like hardware tokens to work across all browsers you have to send that to a technical WG, you should join W3C.
Harry Halpin: IG to WG is the generally effective way to get technical work done and implemented. Web Crypto is a good example of best way to approach these problems.
Bryan Sullivan: Very briefly - push API has been under work for a little more than a year. wallet apps - could plumb that right to the browser - watch it. All ideas are welcome.
Building Blocks for Payments
Daniel Appelquist: Talking about fundamental building block APIs.
Dave Raggett: In addition to NFC, other related technologies where we are seeking greater involvement include Bluetooth, e.g. BLE, and access to Secure Elements.
Ricardo Varela: Now that we have payment providers, they need to join this other work - PayPal, Bitcoin, etc, companies need to get involved.
... What we do might as well align with what people who are working in this already do - things like that. We keep mentioning a trusted UI, it's just a way to verify.
... Chrome-less apps need to happen, perhaps in WebApps.
David Ezell: How do you get input from regulatory folks? I'd hate to see us take a big step back from that. We have a number of people who have joined us, I want them to be approached to provide a little bit of bandwidth and input. Let's use this opportunity to reach out to them.
Wendy Seltzer: Thanks for reminding us of the invited expert individual status. We can use that to point out the importance of regulatory considerations. We welcome that input and encourage participation, e.g. in the Tracking Protection Working Group. We need to incorporate regulatory concerns and feedback.
Daniel Appelquist: The role of cryptography, geofencing, NFC APIs, out-of-band secondary auth - all work that's going on.
... When you're within a Web environment, are there additional use cases that are payment related?
... or, could you use the existing technology to support geofencing.
Giridhar Mandyam: Geolocation WG is circulating a new charter - hardware accelerated geofencing is in the work. It doesn't solve the whole problem yet, geolocation from trusted source - that's what's needed.
Giridhar Mandyam: This could be something they could give assistance to...
Marie-Claire Forgue: Sysapps wg: http://www.w3.org/2012/sysapps/
Charles McCathie Nevile: If anyone wants a quick (and idiosyncratic) guide to W3C Process, let me know and your requests may be answered.
WonSuk Lee: SysApps create security sensitive APIs, including Secure Element for providing interface to access secure storage information in the spectre of payment. We need to save/access private key and other info for users - that item is helpful wrt. payment. We are interested in your use cases for Secure Element.
WonSuk Lee: Secure Element - we're gathering use cases, please come there and share opinions on payments
Virginie Galindo: Note : secure element unofficial draft is here : http://opoto.github.io/secure-element/
Jörg Heuer: I want secure element here, so that's my list of technical items.
Wendy Seltzer: Secure element discussion will likely happen in the WebCrypto vNext workshop.
Bryan Sullivan: Need to add "Know Your Provider" (KYP)

Topic: Strategic/Long-term Initiatives at W3C

Daniel Appelquist: Here's the strategic stuff: tokenization, intents, digital ID problem, authentication on mobile, digital signatures on contracts, Know your customers, multi-currency transactions, complex negotiation on payment instrument, price benchmarking.
Wendy Seltzer: Bryan, and that ties into security for the users
Bryan Sullivan: Exactly, trust is a 2-way transaction
Daniel Appelquist: PoS terminals, string authentication, digital identity, ACH, loyalty card use cases, privacy concerns, ticketing/couponing, API between wallet and browser, synchronizing data to the cloud, interface for web app to request payment and what it gets back
Joseph Potvin: To "multicurrency transactions" please add "deferred transactions", because many of the same issues arise (value of EUR today not equal to USD today; value of EUR today not equal to EUR next week)
Dave Raggett: Re: authentication -- what can W3C do to enable providers to implement the authentication procedures appropriate to their risk models.
Daniel Appelquist: Identity - long term, where are we going here. Moving away from username/password, identity and privacy social graph, web of trust.
Daniel Appelquist: Secure local storage? Should it be sync'd - does WebCrypto work affect that?
Joseph Potvin: Strategy issues should include explicit documentation of roles
Daniel Appelquist: What's missing from this?
Manu Sporny: This is a very big list. Putting all this stuff into an IG, it might not be the best place. We may want to incubate in the CG and move stuff to working groups from there. [scribe assist by Charles McCathie Nevile]
Stan Stalnaker: It's important that you don't limit what a payment should be. We shouldn't set up guard rails - it should be nodal representation - we shouldn't prevent stuff, like cryptocurrencies, from happening.
Daniel Appelquist: I didn't mean to exclude cryptocurrencies - but it's strategic long-term.
Jeff Jaffe: I wanted to first embrace Manu's concerns about boiling the ocean.
Jeff Jaffe: Digital publishing work is 1 year old - 60 distinct requirements came out for CSS WG alone - looked like boiling the ocean. When we created IG, chair and people went through prioritization activity. Any group has to get something done, so the IG defined 9 task forces, we're trying to get our arms around what we heard. There will be a significant boiling down activity on what we're talking about today and we'll only begin once we know the exact problem we're trying to solve.
Joseph Potvin: A couple of points - I'd agree that defining what a payment is comes from the legal community - there was some discussion on whether such a standard could be equally useful in handling barter. This might be Web-mediated value transactions. I don't think you list explicit documentation of the roles. Multicurrency transactions issues come up w/ subscription-type payment. Over time, relative values change.
Bryan Sullivan: +1 To "web-mediated value transactions" as the goal - given that we can keep the scope from being too wide
Daniel Appelquist: Lots more to talk about, but we have to close, Stephane is staring at me w/ daggers in his eyes. :)

Topic: Goodbye and Next Steps

Stéphane Boyera: We are going to take all of the input to the workshop, including this wrap up and all of the sessions. We'll write a wrap-up report on the Web Payments Workshop. Then we'll deliberate on whether we need to create Interest Groups to boil this information down into something focused and manageable. Then we will hand work off to other WGs that are already operating for the items that fit into that category. For items that need a new Working Group, we'll create a new Working Group for that. There is a mailing list for all people that attended this event, we'll keep in touch via that mailing list. Expect a draft report in the next couple of weeks.
Stéphane Boyera: Thank you to our sponsors, the very active program committee, the people at W3C that helped organize the logistics around the workshop, and everyone that took the time out of their busy schedules to come to the workshop.
Manu Sporny: Thanks especially to Dave Raggett and W3C Management for agreeing to put on the workshop and getting the ball rolling, and Stéphane Boyera for organizing all of the behind-the-scenes stuff at W3C to make the workshop a success.
Lots of clapping, cheering, and hugs all around! Everyone rushes off to catch flights and/or have some beers/wine across the street before their flights leave.