W3C

- DRAFT -

Web Payments Face-to-face meeting - day 1

27 Oct 2014

Agenda

See also: IRC log

Attendees

Present
Manu, Sporny, Virginie, Galindo, Dave, Raggett, Claudia, Swandseid, Joerg, Heuer, Glen, wiley, Pat, Adler, McDermitt, DanSyung, Bernard, Gidon, Mountie, Lee, Jean-Yve, Rossi, Evert, Fekkes, Thomas, Lammer, Dan, Burnett, Angel, li, Francis, Jeff, Jaffe, Erik, Korb, Istvan, Lajtos, Bill, dan, Druta, Brian, Sletten, Mary, Smith, Lars, Bolstad, Karen, Dieter, Al, Villarica, Marie-Claire, Forgues, Vagner, Diniz, Miguel, Daniel, Austin, Matt, Howarter
Scribe
steph, manu, dsr


<steph> starting

<steph> Steph: welcome

<steph> david: intro

<steph> Participants: stephaneB, David Ezell, Erik Anderson, Glen wiley, Virginie Galindo, Evert Fekkes, Joerg Heuer, Dave Raggett, Jean-Yves Rossi, Pat Adler, Dave McDermitt

<steph> scribenick: steph

David: describing the vision

Administrivia

David: 3 mailing-lists: public-webpayments-ig: public for the group
... 3 mailing-lists: public-webpayments-comments: public for all, everyone can comment
... member-webpayments-ig: administrivia list, member only
... we use IRC on #wpay

you can use http://irc.w3.org or a native client

david: chairs are just here to drive the discussions, but the content is up to the group members
... going over the agenda
... sysapps and nfc.

sysapps very important about how to access device capabilities

Manu: general idea: we see how the first day goes, and then we change in case it needs?

Joerg: I have a demo for after 6 in case you are interested

David: let's see now if we need to change

Introduction

glen: from verisign, not used to W3C, but with ietf. interested in crypto currency+online identity

let's see overlap with ietf

pat: fed from chicago. working on payments+identity

interested in interaction with the Web, interoperability is key

dave: from the fed in atlanta.

worked with PCI

interested in the whole area

Virginie: from gemalto

following the web payments activity since the beginning

key for us

interested in the wallet

DanSyung: from verizon

Bernard: W3C staff in busdev

Mountie: working in korea and south-east asia providing payment

manu: representing a few orgs: chair of web payments cg, credential cg (identity)

working also for the open payment foundation

Manu: in W3C for quite long time, working on json-ld

excited by the diversity of people in the room

Manu: hope we will also cover the unbanked and the underbanked

Jean-Yves: working for a consultancy I founded, focused on business compliance

formerly with a bank on the regulatory side

Evert: from rabobank, first bank at W3C
... actively developing wallet and nfc payment for the retail sector

interested to see how national standards can fit with international web standards

thomas: from WB, part of the WB payment team

doing lots of support on banking sector in client countries

also interested in interoperability, access to payment

inclusion is essential for us

I'm new to W3C, first time joining W3C

working with Harish who was in march in paris

Joerg: Deutsche Telekom, new to W3C since march

involved with AAA authorization, Authentication, etc.

interested in identity and also wallet

Dave: w3c staff

with the web since its creation

have been involved in launching this work

interested in value-added services around payments

payments for WoT too (payments for services)

Dan: W3C since 99, working on vxml and related spec

representing aspect

working on web rtc

creator of voicexml

Angel: w3C staff in china

Francis: coming from china, created internet wallet.

we want to bring our ideas to W3C

jeff: ceo of W3C
... embarrassed that we haven't taken up on web payments, very glad this group is starting. extremely important to W3C mission

Erik: part of accreditrust specialized in web credentials, identity

useful for all sectors

Istvan: from GSMA interested in wallet and web payment

<bgidon> Istvan Lajtos from GSMA

interested to see what value we can bring to the group

Bill: from educational testing service

interested in credentials & identity

been with W3C at the early day

<bgidon> Dan Druta

brian: open payment foundation, developer first W3C meeting

API design for retailer

Bill: paypal/ebay

<bgidon> Telenor

Lars erik: opera

Karen: from ISOC, interested

Dieter: Deutsche Telekom

<manu> scribenick: manu

Charter review

dezell: We're going to review the charter now, let's see how this charter can help us w/ our mission.

<jeff> Link to charter?

erik: Has everyone had a chance to review the charter yet?

<steph> http://www.w3.org/2014/04/payments/webpayments_charter.html

Some nods, some sheepish downward glances.

<steph> charter uri: http://www.w3.org/2014/04/payments/webpayments_charter.html

erik: We're trying to build a platform that will be applicable to those on the Web. We want to support past payment mechanisms (ACH, Credit Card, etc.)
... We also want to support future payment mechanisms (cryptocurrencies, etc.)

Daniel: What do you mean by "legal" payment mechanisms?
... Was that meant to exclude any payment mechanism in particular?

erik: What's legal in US, doesn't mean it's legal elsewhere or vice versa.
... We aren't going to say what's legal not legal, we want the system to support things that are legal somewhere

Joerg: We want to support gray areas.

thomas: What about fiat vs. non-fiat?

Harold: We need to understand what's legal/not legal...

dezell: We were just trying to say "we don't want to support illegal activity".

glen: It's a relevant point, what about Bitcoin? It's illegal in somewhere...

erik: Ecuador made it illegal, but only because they're releasing their own.

dezell: Because this charter has been approved, it is what it is.
... This language is vague, we don't intend to not talk about Bitcoin because Ecuador said it's illegal. In the same point, we can't /just/ talk about Bitcoin.

jeff: The overall scope of the IG charter is broad, and probably doesn't need to be changed at this point. This gives plenty of room to work in it. We'll want to focus down, far much more in there than can be done in the first few months.

erik: It's hard to guess how long this will take.
... New front-end payment initiation systems.
... Other value transfer systems - loyalty, payments, etc. p2p payments.
... Web-mediated business-to-customer, business to business, etc.
... We are here to identify barriers, such as 'card not present'.

thomas: Is there a reason government-to-person payments isn't covered?

dezell: we say 'including', we don't exclude that.

erik: Identify ways to increase stability, make payments work better across web.
... use privacy/protection

dezell: We want to work with Web Crypto WG, etc. wrt. security.

erik: This group does not have solo understanding wrt. Web Crypto, we will work with Web Crypto group.
... Identify role of regulations in payment process... regs have big impact on this work. There's been a lot of talk about putting regulations in the code itself.
... prioritization of the work - self explanatory.
... Review deliverables by other W3C groups that impact our work here.
... Web Crypto, hardware tokens, etc.
... Liaison w/ other organizations to get more interoperability.

joerg: Would it be important to talk to companies that could or should use Web Payments? That plays into hand of bizdev in a way.

erik: i can see that web technologies could be different front-ends into backend systems.

joerg: For example, XML has been used for a while, but we reused it in GSMA for some technologies.

dezell: The way the thing blooms, if you've done your REST Web Service correctly, there is a lot of power there... these technologies can be self-defining.
... I personally happen to be a fan of REST - it accepts in either JSON or XML, we can content negotiate.
... There are three bullets in here that are important - "identify missing pieces, missing gaps, identify role of regulations"

erik: Development of technical standards is not in scope for the group.
... We have to consider security/privacy/implications.
... Success criteria - we need participation.
... We're here for you.
... members of the IG will drive work of work items.
... We need constructive feedback on w3C deliverables.
... This is a new process for most of us, we need to ensure interoperability, work with other organizations.
... We need to iron out what we think of the road map, meet regularly.
... Primary deliverable is use cases, requirements, identification of technical specs, gaps.
... We'd ideally specify use cases and requirements and take it to other groups that exist out there.
... We will identify where W3C will need new groups. We want to focus on Web Wallet - that's the good one on there.
... So, work items
... First item is the roadmap - what is the roadmap going to be - identify, identify, identify.
... This is all about interoperability between old and new systems. Enable a level playing field, hard to stress how important that is - no vendor lock in. W3C patent policy is great.
... We want to reduce burden on vendors and payees to support multiple payment providers. Let them pay w/ what they want. Increase user protection.
... increase fraud protection, provide more transparency/choice
... What fees are provided. Identify other services that are relevant, invoices, digital receipts.
... next work item - web payments terminology - make sure we're speaking the same language.
... make sure we're talking about the same thing. Everyone speaking english, nobody understanding each other.

dezell: The transparency aspect - it's a big part of the work, alphabet soup for standards - transparency is not the point of the ISO specs. W3C transparency has a lot to do w/ accessibility.
... One of the core values of W3C is accessibility. It's hard to get accessibility if you don't have a fundamental view that TV Raman (from Google, who is blind) should be able to pay for something when he wants to.
... UX is important.

erik: You want people to innovate, but you want it to be generally accessible.
... wrt. terminology - adopt as much as possible.
... next topic wallet and wallet API
... we're going to be talking about this quite a bit over the next day or two.
... transaction messaging - lots of ISO stuff out there, identify requirements/constraints for merchants.
... requirements for payment service providers - messaging, most of this exists already.

joerg: The word 'token' here might be confusing.
... We may want to avoid that word, or explain what that means.

manu: I think we should stay away from the word "token" or "wallet" right now, could be a permathread.

joerg: We can't stop the use of the word, but we can't monopolize its use.

erfekkes_: We need to specify terms and reference to other terms.

dezell: We should discuss terminology.
... Maybe a Terminological Task Force

laughing in the group

dezell: but seriously, we need a common vocabulary.

thomas: A glossary might develop over time, to have a common set of terms.

erik: we should take into account mobile payments / proximity payments.

miguel: Here from intel - interested from Web Payments, we're in mobile space.

daniel: Before I was Chief Architect of PayPal, now CEO of GRIN.
... Know quite a bit about payments.

erik: Next up - identity, authentication, security
... identify, identify, identify - hot space right now
... ensure secure authentication, FIDO alliance, etc.
... Review existing identification methods and whether they fit in w/ what we're doing here - privacy, security, transaction privacy/security.

daniel: The purpose of FIDO is to generate docs/standardization around this stuff.

erik: identify user protection, data privacy, put the regulations in the code (as a suggestion)
... Access basic user and payment provider information in a way that's easy to synchronize between people. Wallet/SIM chip on telephone - how do you synchronize devices.
... minimize risk - build on top of Web Crypto - don't re-invent the wheel.
... U2F is coming out, various biometric devices - ekg / heartrate - lots of new technology that we can use.
... explore mechanisms for trusted UI - make sure rogue app in browser isn't authorized to make transactions on your behalf.

billGebert: From an education/governmental side, commercial hiring practices, identity is very, very important to us. Our experience at ETS in providing assessments to 200+ countries, and accepting payments, having the right person show up if they're hired/tested. Proficiency is important, that's where we're focused.
... That's what we want to see succeed in this group.

erik: The person taking the GRE, was that really that person taking the GRE.

billGebert: yes workforce, how much money is being wasted because of fraud that occurs. If the wrong person shows up to take the job, or shows up to a university - the cost there is well in the hundreds of millions.

erik: A lot of the problems we're working on here are important to both education and financial technology.
... There are many relevant groups working on this stuff.
... Too early to talk about a timeline for this work. We need short term deliverable focus on this. We don't want open ended tasks.
... Dependencies and liaisons - there is a lot more out there that's important.
... participation is important - open to W3C members and invited experts.
... Let's bring those IEs in
... Communication happens over IRC, mailing list, phone calls. Every now and then, face to face meeting.
... Patent disclosures - disclose patents. We have a chance of success at this because of W3C patent policy.

mountie: The charter is trying to cover everything.

erik: There is a lot, we'll have to find things to stay focused on.
... Move what exists into a Web Payment scope.
... There will be new challenges, but most of the stuff exists today.

dezell: We can discuss all this stuff, but we are not the ones that do the technical work.
... We may create use cases, requirements to feed into other work. For example, security - summarize what the requirements are - send them over to WebCrypto group.
... We don't want to lose our way down the security rabbit hole.

mountie: one more comment - wrt. other W3C working groups - this is a convergence of other W3C group work... the group is similar to Web and TV, Web and Automotive... we have to take a different type of approach wrt. what needs to be standardized.
... Web Payments IG is very different from regular W3C groups - it's more high-level.

dezell: That's true - web and tv are parallel... this group is unique at W3C...

erik: There are a lot of different verticals that are going to be interested in this, we need to get involved in those other groups... how does that fit back into Web Payments.
... Get involved in other groups that interest you.

bernard: it's part of the IG to tell which groups should coordinate with whom.
... This is what we're working on - welcome.

dezell: important to show progress in the right areas.
... I hope everyone is thinking about what they want to see come out of the meeting.
... This isn't a spectator sport.

Pat: Is the payment work looking at the non-human actors in payments - 3D printing, manufacturing, authentication of embedded web agents to facilitate payments.
... It's implied up here, is that another set of use cases?

dezell: That brings up another deep rathole - once you start selling things, and complying w/ regulations - merchant has responsibility - are you automating the sale of illegal goods? or legal goods in illegal ways?
... For example, people of certain ages won't be able to use certain crypto currencies.

joerg: Requirements for some work - depends on where you are, your perspective. I hope that we can say: This is how W3C work complies w/ the charter. Close the loop. Ok to talk about wide scope, but we need to boil it down so we can deliver on what we're going to deliver.

dezell: We need to bring people working on this here - we are good at removing walls.
... Tim Berners-Lee said: secret to standards is to get people that don't get along into the same room in a strange place... they start working toward common goal.
... There is a human factor to this - Bloomberg just joined X9, etc... we can create stuff at W3C and send those to X9 and ISO.

stephane: We have a session where we talk about outreach.
... think about this... who should be here and isn't... we'll talk about that tomorrow.

<steph> bill smith from paypal has left the room

<dsr> scribenick: dsr

Related Working Groups: Web Crypto

Virginie presents the web crypto WG (link to slides to follow)

In last 2 years, we have collected use cases. We have an API which is now quite mature and about to exit Last Call.

We're starting to think about next steps and the potential overlap with web payments, e.g. improved authentication using multi-factor techniques.

We had a workshop recently, see http://www.w3.org/2012/webcrypto/webcrypto-next-workshop/

We have started to look at the potential role of trusted UI. as well as secure elements, etc. The new charter will begin next year.

Just keep in mind that there are groups that could help the Web Payments IG, e.g. Web Security IG, Web Crypto WG, WebAppSec WG. The latter is kicking off work on a credential API.

Questions?

Manu: when is rechartering happening?

Virginie: January 2015

To effect the WebCrypto Charter we need input by then

Manu asks about the credential API.

Virginie: we felt it would be a good fit for the WebAppSec WG which is rechartering at the same time as WebCrypto.

Some discussion about W3C domains. Dave Raggett notes that these are part of the way W3C staff are organized, and it is more important to focus on coordination by group members across groups.

Need to establish good communications across groups. Stephane adds that the Web payment IG charter lists groups of relevance. Having people who are participating in both the Web Payments IG and other groups is a particularly effective way to coordinate.

<virginie> FYI : credential management google proposal here http://mikewest.github.io/credentialmanagement/spec/

Manu: Google is leading work on credential API with support from Mozilla, which is very positive on behalf of browser vendors.

Dan: let's not tie what we're doing to specific browsers

Interoperability is the key.

What kind of credentials?

Manu: primarily relating to authentication to web sites.

<virginie> FYI : discussions related to next steps of web crypto is happening on the Web Security IG http://lists.w3.org/Archives/Public/public-web-security/

David: it is good for us to be engaged and we can discuss this further tomorrow in relation to plans for outreach.

Manu: a good way is to volunteer to perform spec reviews.

Virginie: the Web Security IG are more interested in reviewing specifications and may not be effective at reviewing use cases.
... first spec from WebCrypto WG is mainly focused on widely deployed crypto algorithms.

Coordination between W3C and IETF on crypto e.g. in relation to HTTP.

Is multi-signature support on their radar? This is important for web payments.

<virginie> FYI : algorithms considered in the web crypto are listed here : https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html#algorithm-recommendations

David: one challenge is whether we trust the devices the apps run on?

Answer: you can't trust the devices in general.

Dan: you don't want to confuse encryption with security.

Joerg: is the security good enough for protecting the brand behind the solutions.

David: there are a lot of warning flags, so we need to be vigilant.

Related Groups: Web Payments CG (Manu Sporny)

see https://web-payments.org/slides/2014/tpac-wpig-wpcg/

David invites a couple of people who just stepped in to introduce themselves.

<steph> Matt: from walmart

Manu starts with his introduction to the web payments community group and invites questions

<steph> uri slides:https://web-payments.org/slides/2014/tpac-wpig-wpcg/

He explains that community groups are unofficial and exist to incubate work. The web payment CG has 184 registered members.

We're an incubator for ideas we think may have potential and expect to pass ideas to the Interest Group for review. The CG is open to anyone, and our work is open, inclusive and transparent.

The CG is collaborating with a range of other groups. These include technical groups as well as policy, regulatory and legal groups.

Manu mentions the Open Payments Foundation which focuses on open source implementations

He recounts the timeline that has led to the Web Payments IG. Want to encourage good coordination between the CG and IG.

Lists the web platform's current failures: no standards for credentials, payment initiation and digital receipts.

Web Payments CG considers the following to be important: civic - strong identity is central to ownership, democracy, privacy and prosperity

The fact that 2.5 billion adults lack access to financial infrastructure.

The opportunity for the Internet to provide a more agile and vibrant global economy. Why does money transfer take much much longer than sending an email?

Role of phones and increasing penetration of smart phones across the globe.

Some discussion around MPESA for mobile payments.

David: the time for completing payments is related to maintaining control and business models for payment infrastructure.

Competition will drive innovation, e.g. for faster payments.

Daniel Austin: if we can make it profitable for companies to complete payments quickly, that is what will happen.

Experience with Rabobank in the Netherlands. We are trying to encourage card payments over cash payments and looking at the incentives to make that happen.

Moving money internationally involves many parties, and interoperability will streamline this.

Manu introduces the Web Payments CG use cases. We took these from the Paris workshop. They include push payments, subscriptions, digital receipts, pseudo anonymity, wallet portability, account portability, etc.

The design criteria include supporting existing payment instruments, emerging instruments, digital/physical receipts, smart contracts, etc.

David: the IG should review the CG use cases document.

Dan: this shouldn't be considered to be exhaustive
... but is awesome work and will definitely be helpful

Stephane: is this a static finished document, or a living document?

Manu: it is continuing to evolve

We don't have any input into the use cases document from external groups as yet

(cites a list of organizations we would like to hear from)

Dan: it would be interesting to pick all the use cases with validity and pick some for detailed examination

Stephane: as well as selecting use cases, we need to prioritize them, and to ensure that they have sufficient coverage of the challenges we want to address

We have a technology stack (see diagram).

The Web Payment CG considers itself to be in a supporting role to the IG and will continue to experiment with pre-standardization payment technology. Likewise to continue outreach and collection of review input for the IG

Dan: we need to have a clear position when it comes to crypto currencies that we can communicate easily.

Disruptive technologies occur regularly. Things are going to shift in response. We need to keep an open mind and build standards that aren't too attached to current regulation and payment solutions.

Manu: the CG is very happy to take on things that would be impractical for the IG to address without being disrupted.

Some discussion on ensuring the messaging of the relationship between the IG and CG is really clear. We need to avoid mixed messages.

Dan: the W3C name on the CG is confusing.

Stephane: we are aware of this and want to help

Joerg: is there a picture that makes the differences between the various kinds of groups clear?

Stephane: not as far as I am aware, but it is a good idea

Dan Burnett: this is work for the W3C to make the distinction clearer

Manu: there are links on further background from the slides

The slides are at https://web-payments.org/slides/2014/tpac-wpig-wpcg/

Joerg: I have the feeling that we are touching identity now. We are missing entitlements as an instrument that avoids the need for tracing all transactions back to the payee.

Related groups: Credentials CG (Manu Sporny)

Slides: http://opencreds.org/presentations/2014/tpac-wpig-ccg/

This spun out of the web payments CG. People felt that work on credentials should be split off to avoid it being tied too closely to payments.

Manu presents the credential CG's definition of the term "credential".

One of the groups participating in the CG is the Badge Alliance, a spin off from Mozilla.

Manu plays a video

The video mentions credentials relating to educational achievements.

Manu: mostly relating to K through 12 age groups

The problem this is addressing is to be able to prove to employers that job applicants have the qualifications they claim to have.

This very much ties to identity. When you take an exam you need to prove your identity.

This requires high stakes credentials. We've been working on addressing this using JSON-LD and digital signatures.

We want to avoid the need for user names and passwords, date of birth and so forth which are subject to fraud.

High stake credentials may be formed from credentials that may or may not be high stakes.

You shouldn't need to distinguish whether these contributory credentials are high stakes.

Dan: these credentials may not be the same as needed for payments, right?
... We need to keep these separate.

Joerg: credible signatures generally speaking involve a cost and a globally recognized signature is likely to cost more.

Mountie describes the situation in Korea

Manu: this is not a centralized solution. We need to look at what do we need to get people on board, and separately to address the technical issues.

Privacy and tracking are important issues to address.

Some discussion about the relationship to payments, and the role of standards for credentials.

scribe: and the relationship to business models.

Multiple credentials can help to reduce risk.

Open standards would be valuable.

Discussion around tokens and EMV.

David: this group (web payment IG) will need to be proactive and surf on current efforts.

Manu asks for 15 minutes to wrap up after we resume from lunch.

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2014-10-27 19:51:51 $

Agenda: https://www.w3.org/Payments/IG/wiki/Draft_F2F_Agenda_-_TPAC_2014_-_27/28_October_2014
