14:01:25 RRSAgent has joined #wpay
14:01:25 logging to http://www.w3.org/2017/06/05-wpay-irc
14:01:27 weiler has joined #wpay
14:01:31 zakim, agenda?
14:01:31 I see 1 item remaining on the agenda:
14:01:32 1. Next meeting [from Ian]
14:01:35 zakim, bye
14:01:35 leaving. As of this point the attendees have been dezell, Ian, MarkT, ltoth, Ken, Jean-Yves, Michel, (CC), Manu
14:01:35 Zakim has left #wpay
14:01:37 Zakim has joined #wpay
14:01:45 Meeting: Web Payments IG
14:01:49 Chair: David
14:01:53 Scribe: Ian
14:02:07 agenda: https://lists.w3.org/Archives/Public/public-webpayments-ig/2017May/0020.html
14:04:32 padler has joined #wpay
14:04:35 present+ Manu
14:04:47 present+ padler
14:05:25 present+
14:05:26 present+ Erik
14:05:28 present+ Ken
14:05:56 present+ Pat
14:07:50 zakim, who is on the call?
14:07:50 Present: Manu, padler, Ian, Erik, Ken, Pat
14:08:05 present- padler
14:08:59 present+ dezell
14:09:14 Chair: Ian
14:09:25 Topic: Draft Charter
14:09:27 scribe: manu
14:09:30 https://www.w3.org/2017/03/commerce-charter.html
14:10:06 https://www.w3.org/Payments/IG/wiki/Main_Page/Charter2017
14:10:06 Ian: The IG's charter expires at the end of September. We started drafting a new one in March. The revised charter is linked to above.
14:10:15 Ian: The question is how to get this charter supported and through the W3C process.
14:11:03 Ian: I've started to write down a timeline for getting the charter through the process. The Charter attempts to be a more lightweight charter than the previous IG's charter. It calls out 5 activities.
14:11:47 Ian: For example, Ken falls into the review work of others category. My concrete proposal for timeline for this charter - after today's discussion - tomorrow, send advance notice to AC. We have a process piece in W3C where we give people a heads up for charters in development.
14:12:12 Ian: So, I will notify AC that this is a charter in development.
A week from then, we trigger a Call for Consensus to request that W3C sends the charter for membership for review.
14:12:53 present+ weiler
14:13:02 Ian: Then another week for review... 19th of May, if there is support from W3M... in mid-July with some suggested changes, they'll make a decision, want to get it done... AC Review starts later in July, ends in late August, and we can launch new group by mid-September.
14:13:12 q?
14:13:13 present- weiler
14:13:13 q+
14:13:16 ack manu
14:13:31 Manu: I looked at the charter. Looks great. I couldn't find anything to criticize
14:14:09 regrets+ weiler
14:14:35 q+ to ask about other groups
14:14:51 dezell: Timeline sounds fine
14:14:52 ack pad
14:14:53 padler, you wanted to ask about other groups
14:15:31 padler: We may want to list some examples of other groups in the consumer space
14:15:32 Pat: We may want to think about other consumer groups that affect other folks in the standards space.
14:15:41 Pat: We may be able to get a different mindset in the group as well.
14:16:00 Ken has joined #wpay
14:16:25 ian: Very intentionally, this list is a list of examples, not a firm list. Having said that, your suggestion is useful, if you think that having folks in the list of examples would be helpful (to get their attention), feel free to send in suggestions to the list.
14:16:48 pat: categories
14:16:54 "consumer interest organizations"
14:16:57 Pat: Thinking about, in the Fed, we grouped organizations to provide categories rather than specific examples. Otherwise, you can say "Consumer Interest Organizations" instead of saying something specific.
14:17:17 Pat: If we can stick to more categories than examples, that might be helpful.
14:17:48 Ian: In the participation section...
14:18:25 ian: There is also a connection there...
14:18:47 Pat: If we want to draw people to W3C TPAC, it might be good to highlight desired participants there.
14:18:49 +1 to thinking about (1) who in the group (2) who for liaisons
14:18:52 q?
14:19:06 +q
14:19:09 ack ken
14:19:31 Ian: I'll work with MarCom team after the meeting since I'm hearing no objections on moving forward.
14:19:50 Ken: Do we need to officially agree to anything for this to proceed?
14:20:26 Ken: +1 to advance notice
14:20:31 Ian: There are several steps in the process, demonstrating increasing levels of support as the charter progresses.
14:20:37 dezell: +1 to advance notice
14:20:46 +1
14:20:53 manu: +1 to notify AC of charter in progress
14:20:53 ACTION: Ian to prepare with the marcomm team advance notice of the commerce charter to the AC
14:20:54 'Ian' is an ambiguous username. Please try a different identifier, such as family name or username (e.g., IFSF-EFT-WG-Lead, ijacobs).
14:20:59 RRSAgent, make minutes
14:20:59 I have made the request to generate http://www.w3.org/2017/06/05-wpay-minutes.html Ian
14:21:03 RRSAgent, set logs public
14:21:19 topic: Security Update from Ken
14:21:37 Ken: I've sent out a draft version of the deck.
14:21:41 scribe: Ian
14:21:56 zakim, who's here?
14:21:56 Present: Manu, Ian, Erik, Ken, Pat, dezell
14:21:58 On IRC I see Ken, padler, Zakim, weiler, RRSAgent, Erik, dlehn, ShaneM, dlongley, robert, manu, adam, mkwst, Dongwoo, cwilso, trackbot, schuki, csarven, ted, Ian, dveditz,
14:21:58 ... oyiptong, nicktr
14:23:31 mtiggas has joined #wpay
14:23:40 present+
14:24:14 -> http://www.w3.org/2017/06/ken-mealey-sec.pdf Ken's presentation
14:25:15 Ken: I spoke about this task force in March
14:25:31 ...gave perspective on why we were advocating to increase the focus around security.
14:25:53 ...next step is to kick off evaluations
14:26:21 ...would like feedback on content of presentation; all thoughts welcome
14:27:19 ...we are thinking of doing a security evaluation, followed by good practices and also potential security fixes for the spec
14:27:38 ...clarification on scope of the TF - deliverables of the Web Payments WG
14:27:54 ...not the more general scope of "making the Web more secure"
14:28:56 ...mobile raises usability issues. What are the security consequences of increasing usability?
14:30:22 ...there are a lot of pressures and influences that play a role in determining "what is adequate security"
14:30:45 ...from regulatory (which is increasing exponentially, and happens at many levels of jurisdiction)
14:30:52 ...to other standards bodies and rule-making bodies
14:31:03 ...as well as each company's internal policies
14:31:13 present+ Weiler
14:31:33 ...and all this is changing constantly as new technology arises, and as fraudsters come up with new attacks
14:32:09 present+ Erik
14:32:53 [Slide 6]
14:33:13 ...to Slide 9
14:33:20 Ken: How Amex looks at security topics
14:35:48 q+
14:36:57 q+ to ask about analysis document and areas for every system in the lifecycle - e.g. How is data protected at rest, in transit, how do you protect against info tampering, etc.
14:36:59 ack Erik
14:37:11 q+ increase in fraud?
14:37:18 Erik: Having been talking about security for 3 years and gotten nowhere in the IG, I appreciate your work.
14:37:20 q+ to ask re: increase in fraud?
14:37:34 Erik: My experience is that W3C groups look at own work, not overall flow.
14:37:35 q+
14:38:00 ack manu
14:38:00 manu, you wanted to ask about analysis document and areas for every system in the lifecycle - e.g. How is data protected at rest, in transit, how do you protect against info
14:38:03 ... tampering, etc.
14:38:11 manu: what is the output of the task force?
14:38:29 (IJ thinks the answer is "fixes to specs + good practices")
14:38:36 q+ to ask re: non-repudiation
14:38:42 Manu: W3C specs only address part of ecosystem.
14:38:57 ...focusing on what W3C is doing and how they map to your ecosystem
14:39:05 ...and how those specs protect data in each subsystem
14:39:54 ...what is deliverable.
14:40:11 ...e.g., here is the environment, here is who is involved, here is how W3C is addressing these
14:40:51 Ken: First next step is recruiting subject matter experts in security for this work
14:41:23 ...e.g., Amex is likely to contribute a security expert to the discussion
14:41:29 ...I would like to ask other orgs in the WG to do the same
14:41:48 q-
14:42:14 ...I think we are not likely to get the WG participants directly...but rather their colleagues in security
14:42:25 ...Ian and I have spoken about different forms of output
14:42:32 ...could be best practices, spec fixes
14:42:45 ...regarding expertise we could also hire a firm that has expertise in security evaluations
14:43:02 q+ to ask if there is any sort of precedent for this in W3C?
14:43:11 q+ David
14:43:13 q+ dezell
14:43:14 ack me
14:43:52 Ian: I like the idea of a focused effort on the security portion of the WPWG deliverables...
14:44:24 Ian: Ken has suggested some ways to address that - it goes beyond what has been suggested before. Even if we were to hire security experts, it's no guarantee, but it's a good backstop.
14:44:49 Ian: To Manu's question, the obvious deliverables are identification of bugs in the spec that need fixing, and security suggestions for developers using the API.
14:44:49 q+
14:46:22 +q
14:46:23 q+ to suggest adding privacy review to the scope (e.g. recognizing that there might be anonymous/pseudonymous payments and that linkability of transactions is an issue for users)
14:46:27 Ian: We may not want to have general statements on security models, we may want to say concretely what this API does to create a new security challenge, or a new security benefit. We want to motivate security around this API. For example, because of this API ... or "did you understand by doing tokenization, that would really benefit end users". So, let's stay away from broad statements.
14:46:33 API is standardizing fraud. Implementers of the API enter the fraud chain.
14:46:41 q?
14:46:49 Ryladog has joined #wpay
14:46:54 ack pad
14:46:54 padler, you wanted to ask if there is any sort of precedent for this in W3C?
14:46:56 Ian: If you feel that's true, Erik - send specifics about how the API does that.
14:47:05 Present+ Katie_Haritos-Shea
14:47:12 padler: Thanks, Ken. I think this is important.
14:47:28 Pat, there is stuff like this - specs have privacy and security considerations sections: https://w3c.github.io/vc-data-model/#privacy-considerations
14:47:35 ...one question I have: is there precedent at W3C for a dedicated security assessment of a specification?
14:48:12 ...here's why I ask - do you make recommendations about security and how to implement, or do you identify vulnerabilities?
14:48:31 ...what liabilities are there for recommending security approaches
14:49:00 ...the form factor for how to surface the issues may be important even in recruiting talent
14:49:20 Ian: At a very soft level, W3C does these things at the spec level rather than the flow level.
14:49:54 Ian: The group identifies security and privacy considerations and then decides how to express those in the specs. There are evaluations coming from organizations implementing.
14:50:14 Ian: We have a Security IG, they are invited to do reviews of our specs... I know Sam is trying to energize that activity.
14:50:44 Ian: That's not as formal as Ken is looking to do, but there is soft precedent for this. There is a general desire to do more.
14:51:20 padler: If the goal is to build a team to do detailed assessments, make that front and center
14:51:27 ...and maybe be clearer about the outcomes
14:51:27 Pat: The desire to do more is great, I'm hearing everyone say we want to do more here - is there a way to focus on that, so that if the goal is to provide a team that does detailed assessments, make that front-and-center, and then say what we want deliverables to look like.
14:51:43 ...right now it's a bit more about "why there is fraud" rather than "what we are going to do"
14:51:48 (IJ agrees with Pat's comment)
14:52:06 ...I would focus on what the group will do and who should participate
14:52:06 q?
14:52:09 ack david
14:52:13 ack de
14:52:30 dezell: I think the security experts will tell us what we need to do
14:53:19 ack wei
14:53:19 weiler, you wanted to suggest adding privacy review to the scope (e.g. recognizing that there might be anonymous/pseudonymous payments and that linkability of transactions is an
14:53:22 ... issue for users)
14:53:26 weiler: Thanks, Ken!
14:53:51 weiler: I suggest adding privacy review to the scope of what the task force will do
14:54:13 ...things like "unlinkability of transactions" or "leakages of personally identifying information"
14:54:26 ...I think that many of the experts will be able to consider those at the same time
14:54:39 ...there was a comment about the scope of the presentation
14:54:53 ...I got distracted by the details of the presentation
14:54:58 zakim, who is on the call?
14:54:58 Present: Manu, Ian, Erik, Ken, Pat, dezell, mtiggas, Weiler, Katie_Haritos-Shea
14:55:14 Ken: I will add privacy review and think about how to make it less distracting
14:55:15 Privacy Review = Boil the ocean even more
14:55:36 privacy review = take the end users' need into account.
14:56:18 IJ: I am hearing perhaps tailor the presentation to the SMEs
14:56:18 q?
14:56:20 ack ken
14:56:30 Ken: Thank you for the input
14:56:42 ...the initial version of the deck was directed to addressing some earlier feedback
14:56:48 zakim, who is making noise?
14:56:48 I am sorry, Ryladog; I don't have the necessary resources to track talkers right now
14:57:16 ken: I think the more concise we get about audience the more successful we will be
14:57:20 ...I will incorporate today's input
14:57:32 ...agree next version should target recruiting support we need
14:57:37 q?
14:57:49 Topic: Next meeting
14:58:50 +1
14:58:53 IJ: For me, 19 June sounds good
14:58:58 ...after charter CfC
14:58:58 +1 on June 19
14:59:11 RESOLVED: Next meeting is 19 June at 10-11am ET
14:59:22 +1
14:59:23 RRSAgent, make minutes
14:59:23 I have made the request to generate http://www.w3.org/2017/06/05-wpay-minutes.html Ian
14:59:53 I am still not convinced the Browser can be a secure initiation environment for Payments. With an App you get fine grained control, with the Browser you get full market penetration but it doesn't do any 1 thing as good as an App.
14:59:55 zakim, who's here?
14:59:55 Present: Manu, Ian, Erik, Ken, Pat, dezell, mtiggas, Weiler, Katie_Haritos-Shea
14:59:58 On IRC I see Ryladog, Ken, padler, Zakim, weiler, RRSAgent, Erik, dlehn, ShaneM, dlongley, robert, manu, adam, mkwst, Dongwoo, cwilso, trackbot, schuki, csarven, ted, Ian, dveditz,
14:59:58 ... oyiptong, nicktr
15:00:16 RRSAgent, make minutes
15:00:16 I have made the request to generate http://www.w3.org/2017/06/05-wpay-minutes.html Ian
15:00:22 RRSAgent, set logs public
17:03:02 Zakim has left #wpay
17:22:18 weiler has left #wpay