07:58:39 RRSAgent has joined #wpwg 07:58:39 logging to http://www.w3.org/2016/09/20-wpwg-irc 07:58:41 RRSAgent, make logs public 07:58:41 Zakim has joined #wpwg 07:58:43 Zakim, this will be 07:58:43 I don't understand 'this will be', trackbot 07:58:44 Meeting: Web Payments Working Group Teleconference 07:58:44 Date: 20 September 2016 07:58:55 rrsagent, this meeting spans midnight 08:00:29 Chair: NickTR 08:00:57 mountie has joined #wpwg 08:03:43 adamR has joined #wpwg 08:05:12 MaheshK has joined #wpwg 08:05:29 lilin has joined #wpwg 08:07:48 Day 2 proposed agenda -> https://github.com/w3c/webpayments/wiki/FTF-Sep2016 08:08:43 Jaewan has joined #wpwg 08:08:50 MattS has joined #wpwg 08:10:08 bensmith has joined #wpwg 08:10:19 rrsagent, this meeting spans midnight 08:10:28 zakim, who's here? 08:10:28 Present: (no one) 08:10:30 On IRC I see bensmith, MattS, Jaewan, lilin, MaheshK, adamR, mountie, Zakim, RRSAgent, sam_, lbolstad_, zkoch, chunming, pascal_bazin, jungkees, shepazu, weinig, rouslan, pirouz, 08:10:30 ... hyojin, Mike5, JakeA, collier-matthew, mkwst, adrianba, emschwartz, davidillsley_, slightlyoff, Dongwoo, AdrianHB, nicktr, hober, ShaneM, schuki, dlongley, manu, dlehn, Ian, 08:10:30 ... wseltzer, trackbot 08:10:36 present+ AdamR 08:10:38 present+ zkoch 08:10:38 present+ MattS 08:10:42 present+ BenSmith 08:10:44 present+ Manu 08:10:44 present+ nicktr 08:10:50 present 08:10:51 = 08:10:52 present+ MaheshK 08:10:54 present+ Dongwoo 08:10:55 rrsagent, make minutes 08:10:55 I have made the request to generate http://www.w3.org/2016/09/20-wpwg-minutes.html manu 08:10:56 present+ dezell 08:10:58 present+ Roy 08:11:00 present+ Shane 08:11:02 present+ Rouslan 08:11:04 present+ Dongwoo 08:11:04 present+ ShaneM 08:11:08 present+ Max 08:11:12 present+ JiaJia 08:11:14 present+ Mountie 08:11:18 present+ evgeny 08:11:22 scribe: Ian 08:11:24 present+ Ian 08:11:30 Max has joined #wpwg 08:11:32 present+ AdrianHB 08:11:36 present+ NickTR 08:11:42 present+ LarsErik 08:11:44 present+ William 08:11:52 Topic: WG teleconf 08:12:14 AdrianHB: Are folks okay with the call times 08:12:23 AdrianHB: Any challenges to current call? Weekly too often? 08:13:06 present+ Laurent 08:13:08 present+ MattP 08:13:09 angel has joined #wpwg 08:13:14 olivexu has joined #wpwg 08:13:25 AdrianHB: Would like to make it easier for people to provide input to the agenda 08:13:45 topic: Web Payments HTTP API Next Steps 08:13:53 https://docs.google.com/presentation/d/1MobW3X6vH0MP9SpTE37tDlOnM5hgx3-DgQT1xDWs40U/edit#slide=id.p 08:13:54 Web Payments HTTP API Next Steps 08:14:22 dezell has joined #wpwg 08:14:29 betehess has joined #wpwg 08:14:40 Manu: We recently published the two specs. They are designed to mirror payment request API 08:14:55 nick has joined #wpwg 08:15:01 ...the HTTP API is about how you execute the current browser flow using purely HTTP 08:15:11 ...Digital Bazaar and Worldpay have done basic implementations 08:15:33 Laurent_ has joined #wpwg 08:15:35 ...the orgs didn't chat about their implementations but we are off to a good start 08:15:54 ...three categories of questions arose around the specs: 08:15:59 1) Do they reflect existing practice? 08:16:04 2) What are the use cases? 08:16:11 3) Who do we get relevant parties involved? 08:16:20 MattPi has joined #wpwg 08:16:35 present+ NickS 08:17:17 ...the HTTP API works like this: 08:17:24 * You try to get something and are told you have to pay 08:17:33 * You are told where to send a payment request, which is shipped via HTTP 08:17:46 * You get a payment response and you get access to a resource 08:18:12 present+ AdrianHB 08:18:21 ...on the question of whether the API reflects current practice - the flow we are trying to enable is the SAME flow that we are talking about in the browser API, just out of a browser. 08:18:28 q+ to suggest we discuss use cases first 08:18:34 q+ 08:18:55 ..the question arose - isn't this about communication between the payee and the payment service provider? That's not what the API is about, but we could do that if the group thinks that's a priority 08:18:56 q? 08:19:05 adrianhb: Let's talk about use cases first 08:19:14 ack AdrianHB 08:19:14 AdrianHB, you wanted to suggest we discuss use cases first 08:19:19 q- 08:19:20 ..if the use cases are things that don't exist, then the other questions would be moot 08:19:23 ...so let's start with the use cases 08:19:36 Evgeny has joined #wpwg 08:19:49 Manu: I think there was a misconception that the HTTP API is for internet of things use cases 08:20:05 ...while in theory that could work, that's not our focus. 08:20:12 ...the primary focus is automatic payments. 08:20:26 ...e.g., your bank software makes monthly payments 08:20:39 ...or you want to use an app (not in the browser) to make a payment 08:20:57 ...software running in kiosks...so it's non-interactive but it's not IOT 08:21:21 ...think of paying a utility bill...today you give your payment instrument information to the utility company....if your card changes you have to set it up again 08:21:27 q+ 08:21:41 ...the other thing with utility payments is that they occur regularly, but you don't know what you have to pay until the end of the month 08:21:45 q+ to note some similarities with PSD2 08:22:35 ...what you could do is having wallet or banking software where you set up a payment endpoint with your electricity provider, and your banking software will ping the provider to get a total. That results in a payment request. The utility company says "you owe this much this month". Your wallet software responds to the payment request (using some payment method) and the utility processes the payment. 08:23:02 ...there are various benefits (e.g., your wallet can pay with your updated card) 08:23:07 ack zk 08:23:21 zkoch: Is the idea that once it's set up it's automated? 08:23:23 Manu: Yes. 08:24:00 zkoch: It's hard for me to imagine automatically switching underlying form of payment without user consent. I'm having a hard time understanding the line between HTTP/Browser because of the user connect that's likely 08:24:05 s/connect/consent 08:24:10 rouslan has joined #wpwg 08:24:28 Manu: The scenario goes like this: there is prior consent to use different payment methods. 08:24:35 q? 08:25:05 zkoch: So is a key use case that you are delegating to the wallet authority to make decisions on how to pay. 08:25:12 Manu: That is a use case, not the primary use case. 08:25:16 pascal_bazin has joined #wpwg 08:25:22 q? 08:25:23 q+ 08:25:27 ...the primary use case is "some piece of software other than the browser" that you have configured to make payments on your behalf. 08:25:39 Manu: Another use case is a large corporation that wants to pay vendors automatically 08:26:04 ...e.g., a gov agency could ping different suppliers each month where automatically they ping the vendor for the amount owed, 08:26:21 ...and the system determines whether the value is within an acceptable range, and if so payment happens automatically 08:26:30 q+ 08:26:32 ack AdrianHB 08:26:32 AdrianHB, you wanted to note some similarities with PSD2 08:26:33 ...so the primary focus is "smart payment agents making payments on your behalf" 08:26:51 AdrianHB: Understanding the actors has made it clearer to me parallels to the PSD2 architecture 08:27:11 ...you are describing an actor that is authorized to initiate payments...PISP in PSD2 08:27:14 q? 08:27:44 manu: Yes, the PISP could be using HTTP API 08:27:49 ack pascal_bazin 08:27:49 ack pas 08:27:50 pascal_bazin_ has joined #wpwg 08:28:15 pascal_bazin: Could the HTTP API be used to introduce third party payment methods not managed by the browser? 08:28:37 Manu: The goal is to use any payment method that the browser supports.... 08:28:48 pascal_bazin: Could you use the HTTP API implement a new payment method? 08:28:55 Manu: Maybe; that's a general answer 08:29:05 ack dezell 08:29:07 ack dezell 08:29:36 dezell: NACS is interested in not forcing merchants to use apps. 08:29:50 ...I like the HTTP API and the separation of concerns it represents. 08:30:12 ...it enables us to decompose problems 08:30:23 jyrossi has joined #wpwg 08:30:35 ...in my day job at Verifone we push some L2 processing into an outside web server 08:30:39 present+ Jean-Yves 08:31:18 ...that's the sort of thing that the HTTP API would enable us to do 08:31:31 present+ AlexandreB 08:32:04 Laurent_ has joined #wpwg 08:32:06 q? 08:32:13 dezell: I also think that conexxus could make use of this 08:32:14 Nicolas_A_ has joined #wpwg 08:32:48 manu: Some addition use cases (but not an area of focus): in-vehicle, electronic receipts 08:33:08 MattS has joined #wpwg 08:33:13 MattPi has joined #wpwg 08:33:21 Manu: On the question of "do we have the right people in the group to work on this?" 08:34:04 ...we have a healthy list of payment app providers (10), merchants or merchant reps (6) 08:34:12 betehess has joined #wpwg 08:34:43 ...if we wanted to do the new connection between payment app / PSP we only have about 3 PSPs in the group and we'd need to do more outreach 08:35:40 q+ 08:36:11 Manu: So the question if we have limited resources, should we focus on "enabling the same browser flow in other software" or "PSP communication"? 08:36:15 ack 08:36:19 ack Ian 08:36:27 ian: thinking about who is in the group 08:36:48 ... if I understand the use cases it's focusing on automated payments 08:37:22 ... the value of interop for the browser api is small number of implementations and wide user base 08:37:45 ... what is the interop gain for http api and therefor who do we need involved in the work? 08:37:51 q? 08:38:01 lilin has joined #wpwg 08:38:43 Laurent__ has joined #wpwg 08:38:56 RRSAgent, make minutes 08:38:56 I have made the request to generate http://www.w3.org/2016/09/20-wpwg-minutes.html Mike5 08:39:03 Manu: Interop is that app providers have common format. 08:39:59 ian: whow are the companies that would be payment app providers? 08:40:01 IJ: I have not figured out the economic / interop incentives yet. 08:40:15 manu: Anyone who is doing a wallet app wants to do automatic payments... 08:40:39 ...so the incentive for wallet providers is that users stay in their wallet for all payments 08:40:58 q? 08:41:47 Manu: There is no way today for a wallet provider to hit a service and get a payment request in a universal format 08:42:13 q? 08:42:55 Shane: Manu mentioned not being able to hit an endpoint. One thing you can't do today as an automated service provider... 08:43:07 ...there are proprietary ways to do things...but there's no standard way to do thing 08:43:14 ..I can pay mortgage monthly today 08:43:41 q? 08:43:42 ...if my wallet had a way to talk to the electric company, get the amount, and pay them, it would improve user experience and improve interop for all wallet providers 08:44:33 sangchul has joined #wpwg 08:44:55 IJ: Who are the service providers who want to come together to do this? 08:45:04 ...I apologize I am not understanding the incentives yet 08:45:31 Manu: We want to work on a primer and clarify the benefits, then reach out to parties to determine whether this is a compelling use case for them 08:45:37 AjaySR has joined #WPWG 08:45:44 IJ: +1 to talking to key parties to determine what the interop needs are 08:46:17 Manu: Are org is very interest in this level of interop...we don't hear enough orgs in the WG today so we want to go out there and talk with them. If we go out and find out that this is not something that is broadly desired, we'll need to change direction. 08:46:38 ...so we need more data to find out whether this is a compelling thing for merchants and payment service providers 08:46:47 q+ 08:46:49 MattS_ has joined #wpwg 08:46:54 Roy has joined #wpwg 08:46:54 q- 08:47:20 AdrianHB: My feeling is that it's too early to say what direction to pursue. I think people are still thinking about the use cases. 08:47:36 Nicolas_A__ has joined #wpwg 08:47:46 ...I can understand the question Ian is asking...it's not about technical benefits of interop...what are the incentives for the players in the ecosystem to implement the standard? 08:47:51 Laurent_ has joined #wpwg 08:48:25 Ben: I think you need to show what this displaces in the current processing chain. More work on that would be useful 08:48:27 q+ 08:48:52 AdrianHB: I think we need to figure out the commercial incentives... 08:50:43 ack nicktr 08:51:19 q? 08:52:12 Nicolas_A_ has joined #wpwg 08:52:13 adamR has joined #wpwg 08:52:24 …And we seem to be back. 08:52:33 ian: I like the idea of doing outreach 08:52:46 mountie has joined #wpwg 08:52:47 ... support that as a next step 08:53:11 q+ 08:53:14 Intuit (Quicken), LastPass, Fitpay 08:53:40 micropayments / paywall access 08:54:54 Laurent__ has joined #wpwg 08:55:11 q? 08:56:34 q? 08:56:41 ack dezell 08:57:26 q? 08:57:33 zakim, close the queue 08:57:33 ok, AdrianHB, the speaker queue is closed 08:57:38 hwlee has joined #wpwg 08:58:06 zakim, open the queue 08:58:06 ok, AdrianHB, the speaker queue is open 08:58:39 betehess has joined #wpwg 09:00:17 q? 09:00:53 IJ: +1 to getting feedback from potential implementers on value of the spec and interop. 09:00:55 Ben: I think that users would like the additional automation, what I don't 09:00:56 adamR_ has joined #wpwg 09:00:57 understand is the relationship to current processing and stakeholder roles. 09:00:59 AdrianHB: So Manu, you are driving the work and can continue. I would plan 09:01:01 to get more involved once we've addressed other priorities in the WG. 09:01:03 ...also the Interledger CG is setting up a micropayments breakout tomorrow. 09:01:05 Evgeny: From a PSP perspective. I had not understood previously that 09:01:07 HTTP API is for automated payments; I agree that is useful. It would 09:01:09 be useful to simplify the API as a starting point. E.g., 2 calls to make 09:01:11 a payment. 09:01:13 DavidE: On your point of people who would like this: zipline and @@ 09:01:15 are two companies that come to mind. They are the kinds of NACS members 09:01:19 who want to innovate in the wallet space. 09:01:21 I have made the request to generate http://www.w3.org/2016/09/20-wpwg-minutes.html Ian 09:01:45 topic: Push payments 09:01:47 Roy: See my write-up of the problem statement. Failures in card 09:01:51 payment scenario are not that harmful. But for Alipay, SEPA pay, etc. 09:01:53 where funds are changing hands before you get the response, there 09:01:55 are many failure points in the flow where failure is more harmfil 09:02:13 ...one previous idea to address this would be (1) mediator generated identifier (e.g., UUID) in combination with (2) discovery service 09:04:43 MattS has joined #wpwg 09:04:48 mountie has joined #wpwg 09:06:43 q? 09:07:19 lbolstad has joined #wpwg 09:07:23 present+ lbolstad 09:09:31 zkoch has joined #wpwg 09:10:12 Jaewan has joined #wpwg 09:12:35 q? 09:12:38 chunming has joined #wpwg 09:13:51 mountie has joined #wpwg 09:15:57 Evgeny has joined #wpwg 09:18:13 lbolstad_ has joined #wpwg 09:19:36 q? 09:28:13 mountie has joined #wpwg 09:28:31 weinig has joined #wpwg 09:28:54 Laurent_ has joined #wpwg 09:32:33 zkoch has joined #wpwg 09:33:31 mountie has joined #wpwg 09:33:41 MattPi has joined #wpwg 09:34:10 zkoch has joined #wpwg 09:34:19 sam has joined #wpwg 09:34:28 shepazu has joined #wpwg 09:34:35 mountie has joined #wpwg 09:34:55 chunming has joined #wpwg 09:36:07 adamR_ has joined #wpwg 09:36:08 weinig has joined #wpwg 09:36:21 MattS has joined #wpwg 09:57:54 nick has joined #wpwg 10:00:27 betehess has joined #wpwg 10:05:23 Jaewan has joined #wpwg 10:05:33 q? 10:14:40 adamR has joined #wpwg 10:14:50 nick has joined #wpwg 10:16:48 rouslan has joined #wpwg 10:19:11 MaheshK has joined #wpwg 10:19:59 olivexu has joined #wpwg 10:21:28 10:21:36 I have made the request to generate http://www.w3.org/2016/09/20-wpwg-minutes.html Ian 10:21:48 topic: Payment Method Identifiers 10:22:03 olivexu has joined #wpwg 10:22:10 adamR_ has joined #wpwg 10:22:13 AdrianHB: I think we have agreement that PMIs are URLs that refer to web payment manifests 10:22:27 ...data about how an origin plays in the ecosystem 10:23:11 zkoch: I want to be able to finish the PMI spec. 10:23:18 Roy has joined #wpwg 10:23:30 zkoch: There are a few high level use cases we want to support 10:23:48 1) For a given payment method ,we want to make security assertions about apps 10:23:52 lilin has joined #wpwg 10:24:44 Max has joined #wpwg 10:24:58 2) Browser wants reliable information about where to get an app 10:25:28 zkoch: I want to get agreement that there will be a manifest file, and secondarily (later) we can discuss what goes in it. 10:26:03 PROPOSED: An identifier is an absolute URL composed of the schema, origin, path. No query string params and no fragments. 10:26:27 ...these URLs could be used by users to get web pages 10:26:49 PROPOSED #2: At that URL you can append payment-manifest.json which has data describing that payment method. 10:27:06 zkoch: There is precedence for this in Android 10:27:34 Laurent_ has joined #wpwg 10:27:45 q+ to propose something alternate to that 10:27:46 q? 10:28:22 jeff has joined #wpwg 10:28:22 q+ 10:28:32 ack Shane 10:28:32 ShaneM, you wanted to propose something alternate to that 10:28:44 lbolstad has joined #wpwg 10:28:51 present+ lbolstad 10:28:52 ShaneM: I don't object to the hard-coded path, but there are other ways to do this like HTTP headers 10:29:06 ...that gives us the ability to more easily extend in the future. 10:29:17 ..that does imply two round trips. 10:29:19 rouslan has joined #wpwg 10:29:21 AdamR: That's not the case for HTTP 2 10:29:43 AdrianHB: So if I visit the site of the PMI I get back an HTTP header? 10:29:55 Shane: Probably multiple headers (e.g., here's information about the payment app, etc.) 10:30:03 ack ShaneM 10:30:09 q+ to ask what other technologies use link header in similar wat 10:30:21 AdamR: I get a little heartburn from a hard-coded path 10:30:24 jyrossi has joined #wpwg 10:30:48 zkoch: There are a couple of reasons I like the hard-coded URL but I am open to other approaches. 10:31:04 ...one advantage is it's very easy for merchants to implement....it's harder for merchants to manage headers 10:31:35 q+ to emphasize when this happens 10:31:51 ...this proposal also lets me do things in a single request 10:32:21 ..it's costly to download a page and parse it to get more information. This is particularly costly on low-end devices 10:32:34 pascal_bazin has joined #wpwg 10:32:38 AdamR: If it were a common operation that would be compelling, but IMO this will happen rarely for a given payment method 10:32:48 ack AdrianHB 10:32:48 AdrianHB, you wanted to emphasize when this happens 10:32:53 AdrianHB: This will happen every time a browser encounters a payment method they haven't seen before 10:32:59 zkoch: Or if they want to refresh. 10:33:13 AdrianHB: This may be happening int he background and therefore needs to happen quickly. 10:33:17 q? 10:33:20 ack nickt 10:33:52 nicktr; I have two practical points. I am really worried about this....what do we think the likelihood that orgs will put a manifest at a URL? 10:34:14 Nicolas_A_ has joined #wpwg 10:34:26 zkoch: We are going to use short strings for the open payment methods; this proposal about URLs is for proprietary systems 10:35:06 nicktr: My second practical question is - are you introducing a single point of failure for those payment methods? 10:35:13 ...suppose a bad actor takes over the site. 10:36:06 AdamR: You already have that problem with bobpay.com.... 10:36:06 note that it could at least be /.well-known/payment-manifest.json (that's https://tools.ietf.org/html/rfc5785 ) 10:36:47 betehess: That only works if you require that each origin has at most one payment method. I don’t think that’s a reasonable restriction. 10:36:58 zkoch: I am open to discussing headers; need to understand more how they work 10:37:05 adamR: I see 10:38:24 q? 10:38:45 IJ: Have you talked with Anne/Tab about URL matching? 10:39:06 zkoch: I think there's some discomfort but this proposal is preferable - string match on well-defined components 10:39:18 ...we'll loop back with Tab and Anne on this 10:39:42 AdamR: I believe that the constraints that zkoch is talking about addresses the points that have been raised 10:39:53 w? 10:39:54 q? 10:40:07 ben: I would like to check with our security team how they would feel about this. 10:40:16 q+ to point out that this means the URI is BOTH an identifier and a resource 10:40:19 ...from a regulatory perspective, I am pretty sure that the payment method needs to be identified 10:40:24 q? 10:40:43 zkoch: The URL has to be HTTPS 10:40:56 ..origins will control the shape of the URL 10:40:58 q? 10:41:00 ack rous 10:41:00 rouslan, you wanted to ask what other technologies use link header in similar wat 10:41:12 rouslan: I'm happy we seemed to be agreeing on constrained URLs 10:41:36 ...on the second proposal Shane mentioned headers 10:41:52 ...I'd like to hear some examples of technologies that are using header links. 10:42:10 LInk headers: https://www.w3.org/wiki/LinkHeader 10:42:12 Shane: Web annotation protocol spec specifies that link headers with certain values allow you to discover resources of various types within that ecosystem 10:42:35 lots of uses of Link in https://www.w3.org/TR/ldp/ 10:42:52 HTTP/2.0 server push: https://tools.ietf.org/html/rfc7540#section-8.2 10:42:52 Evgeny has joined #wpwg 10:44:10 Twitter API uses it too https://developer.github.com/v3/#link-header 10:44:43 AdamR: HTTP 2.0 server push...if set up correctly, will let you get a single response rather than two trips 10:45:00 ack shepazu 10:45:03 AdrianHB: So I am hearing "one less request" is not a key benefit using HTTP 2 10:45:05 ack ShaneM 10:45:05 ShaneM, you wanted to point out that this means the URI is BOTH an identifier and a resource 10:45:05 ack Sh 10:45:12 q? 10:45:33 q+ 10:46:42 RESOLVED: PMIs are constrained URLs as describe here. 10:47:06 MattS has joined #wpwg 10:47:35 zkoch: For open systems we decided short strings. I suggest that we limit those to [a-z0-9_]+ 10:47:49 [a-z0-9-] 10:48:23 SO RESOLVED (AdamR's rexexp) 10:48:31 AjaySR has joined #WPWG 10:49:06 AdamR: I suggest you talk to TAG about use of headers v. pre-defined URLs 10:49:08 q? 10:49:21 zkoch: I am ok to talk to TAG...but there is a question about ease of implementation by merchants 10:49:23 ack me 10:50:05 [We will take Proposed #2 to lunch and possibly the TAG] 10:50:10 q+ 10:50:41 AdrianHB: Are we agreeing that the PMI -- through some mechanism to be defined -- will enable someone to find a manifest 10:51:01 +1 10:51:07 +1 10:51:12 +! 10:51:16 +1 10:52:11 q+ 10:52:20