Re: [Payments Architecture] A vision statement for the web payments architecture work

On 19 May 2015 at 22:02, Ian Jacobs <ij@w3.org> wrote:

>
> > On May 19, 2015, at 1:17 PM, Manu Sporny <msporny@digitalbazaar.com>
> wrote:
> >
> > On 05/19/2015 02:02 PM, Adrian Hope-Bailie wrote:
> >> Personally I think some mention of security is necessary but if there
> >> is a consensus that it is not I'll happily drop it.
> >
> > I'm strongly in favor of keeping the statement about security in the
> > vision document.
> >
> > I understand what Melvin is getting at, but I don't think we can get
> > away with saying nothing about security in the vision primarily because
> > most other people won't understand the nuances of decentralized systems
> > scaling security up as their size grows (e.g. Bitcoin).
>
> Although I am satisfied with "Being secure by design" here's another
> perspective: security is SO important to payments it deserves a bullet in
> the list that follows.
> For example, something like:
>
>   * Supports a wide spectrum of security needs to meet industry and
> regulatory expectations.
>     To meet regulatory requirements and give people enough confidence to
> use the Web for
>     payments, the architecture must support a wide spectrum of security
> requirements and
>     solutions. This includes the ability to encrypt strongly both
> sensitive information and the
>     channels used to exchange the information, as well as supporting an
> evolving variety of
>     authentication techniques (multifactor, biometric, etc.). Trust in the
> Web of payments
>     is critical to its success.
>

I like security, and I like all these features.

However at an architectural level there's a continuum between connected and
highly connected, and secure and highly secure.  There's an inverse
correlation between security and connectivity.

So on the web you're going to get security evangelists, and connectivity
evangelists.  I'm in the latter camp because I think it adds significantly
more value.  Security evangelists are invited to back up their arguments,
which might be quite valid, with value creation metrics.

It seems that security evangelists outnumber connectivity evangelists, though
the web has a habit of turning traditional assumptions on their head.

I can certainly live with the language used, but I do see the danger of
packing security into the spec to the extent that it struggles to get
traction.  It's easy enough to vote stuff and make any of these
requirements a *must*.

I don't have any motives here apart from my personal mission, which is to
maximize value creation.  I personally love all these security features on
offer, and have great admiration for the work that's been done to
facilitate them.  So, as an implementer I guess I'm spoilt to be able to
hand pick the best parts from the spec, and just wanted to register my
thoughts.


>
> Ian
>
> --
> Ian Jacobs <ij@w3.org>      http://www.w3.org/People/Jacobs
> Tel:                       +1 718 260 9447
>

Received on Tuesday, 19 May 2015 20:15:25 UTC