W3C : rambling in W3C TPAC as a tech person

Being also a tech person, during the W3C TPAC week I had the chance to visit different groups and brainstorming sessions, and I am sharing here with you the result of my jumping from one room to another.

Web Payment is a reality. The web payment activity is one of the most dynamic ones in W3C these months. The quest initiated here is to ease access to payment means from a browser: making sure that a one-click button would allow a user to pay with means that are accepted by the merchant and available in the user's context. The use cases and priorities of the group have been discussed in the Web Payment Interest Group, but the more operational step happened at TPAC: the Web Payment WG kicked off. That Working Group will design an architecture and some APIs to make that in-browser payment feature a reality. Let's wish them success…

WebRTC is close to being closed. WebRTC is *suffering* from a large number of implementations (see "is WebRTC ready yet?") and the specification was late compared to market expectations, but the good news is that most of the technical problems have been answered. And the WebRTC group is now thinking about WebRTC Next Generation. The specification will go to CR soon (see for details by Dom on

Sensors are progressing. The Internet of Things is something (buzz, trend, de facto, golden quest…), and it is also present in W3C. The sensor spec is about exposing sensor data to web apps. The spec is on its way, in the capable hands of (Intel Corporation) and Rick Waldron (jQuery Foundation). If you want to have a look at that API, the spec is here, and some more context about it can be found in the discussions held during TPAC between the sensor team and the Web of Things team, reported here

What about blockchain on the web? Some may get nervous that everyone is talking about blockchain, and even TPAC breakout sessions deal with it. During an interesting session, NTT DoCoMo exposed the rationale for letting web apps use a blockchain, for use cases such as tracking peer-to-peer rights transfers or signing legal documents… This long-term work may land in W3C, some day…

I could not attend all the Working Group meetings and breakout sessions held during W3C TPAC, but if you want to have a taste of what is discussed in W3C, have a look at this report, and read the minutes, issues and participants…

About the very simple question of identity, security and privacy in Web Payment


Again, about the W3C Web Payment Workshop in Paris. Two weeks ago, the discussion went on the definition of payment, the notion of user experience, the architecture of back-end systems and the end-to-end picture. The main objective of such a workshop was to identify web-related topics on which all parties (merchants, banks, payment schemes, regulating governments, payment service processors, …) would agree to get more standard. This will take time, as I already mentioned in a previous post. The conversation was structured, but it happened that for each of the scheduled sessions, after one hour of talk, questions related to identity and security were systematically raised. How can you guarantee that the payee is the one he pretends to be? How can you guarantee that the money is safely transferred and stored? As moderator of the Identity, Security and Privacy panel, I felt like my panel would be an interesting piece of the workshop.

Throwing the question "how can you guarantee your system is secure?" is a little bit unfair. Obviously, no one can guarantee a system to be 100% secure (at a certain point in time, someone will break it), so you have to think about risk evaluation, tools to help implement security, indicators to monitor trust… And this is what the people on the panel shared: good practices, feedback and valuable advice to build a common solution that brings with payment some notion of identity, security and privacy. Here are my takeaways from the discussions.

Identity, what is it? With Louise from British Computer Science and Tim from Microsoft, we explored the notion of identity from two different perspectives. Tim, involved in the e-commerce platform of Microsoft, shared with the participants a notion of commerce identity that would encompass our usual personal information, but also our friends, our relatives, our payment means, our interactions, our reputation. The idea suggested here was to build one identity, based on the principle of aggregating our identities and making it available to service providers via APIs. The direct consumers of this meta-identity could be banks and merchants, but also anti-fraud banking systems and governments, local or international. Obviously the question of user control and privacy was raised. And this is where Louise made a great speech about the way identity, privacy, anonymity and traceability were major topics that companies, citizens and regulators should take care of. The rationale for this special care was the coming explosion of peer-to-peer financial transactions enabled by the web. This use case would multiply the need to protect peers, regulate fraud and balance privacy aspects.

Identity, who should manage it? Several participants gave their view on that notion of handling identity. Natasha Rooney, from GSMA, mentioned in her contribution that they had a program named GSMA Mobile Connect, which would allow service providers to use the mobile network operators' user databases and trust the identity of those users. This offer, completed with a strategy of direct billing on subscribers' bills, would position them as ideal identity providers in mobile commerce. Another view: Ripple Labs, the ones maintaining the Ripple Network, mentioned that identity should be managed in a decentralized way. What does it mean? The Ripple Network is a network payment solution which relies on a network of Ripple Gateways. Those gateways are disseminated all around the world, and this is where each user willing to transfer money registers, providing email and banking details and choosing a gateway suiting his constraints in terms of currency, transaction operation… Each Ripple Gateway implements the Ripple Transaction Protocol, which allows money to be transferred in any currency from one user to another, provided that the recipient owns a Ripple Wallet. In that case, identity is managed by registering with Gateways. The case of Facebook and Google managing the user's identity was not directly discussed, but it was raised on a regular basis. One could conclude that several identity provider profiles could be defined, from the traditional, kind of official (MNO) to the decentralized, email-based (Ripple Network).

Identity, how to convey it? Let's say you are an identity provider. You need to offer services so that service providers can consume your users' identity. The next questions you would have to answer would be: which protocol should support the exchange of identity-related information? Which pieces of the identity should be shared? How to make sure that the user agrees with sharing his identity? Most of the presenters mentioned the recently published OpenID Connect as the technology that does the job. First, it relies on the recent version of OAuth, an authorization protocol that Hannes Tschofenig, co-chair of the IETF OAuth WG, exposed to the audience. Hannes concluded by saying that OAuth was a good enabler for identity schemes, provided that the security recommendations were implemented and that proprietary plug-ins did not kill its interoperable nature. Second, OpenID Connect includes a flexible authentication mechanism (how do you make sure the user authorizing access is the right user?). Stefan from Ripple Labs confirmed, adding that the Ripple Network was using it, allowing good granularity in rights and flexibility in user authentication. Ripple combines passwords with cryptography, but one could imagine having the FIDO Alliance UAF technology used for such authentication.

Payment, identity and security, what promise? About the actual enablers for security in web payment, we heard several voices promoting different perspectives. On the device side, Giri from Qualcomm said that mobile payment security schemes could benefit from the user's contextual information combined with trusted enablers, listing technologies web payment could benefit from: geolocation, multi-factor authentication, hardware tokens and fingerprinting. On the protocol side, Hannes reminded the audience that the state of the art in security as promoted in IETF should be implemented to avoid failure. There was a consensus that cryptography was a great enabler of trust and security (trusting someone could be translated as sharing a cryptographic secret with him). This is why Harry Halpin from W3C promoted the recent Web Crypto API (which, as my readers all know, went to Last Call last week). This API will allow developers to manage and use keys in their web applications. Last but not least, Gregory from Lyra Network, among other good feedback promoting decentralized web traffic to increase trust, reminded us that users need to be educated in order to have better control over their identity data and their data in general. He also highlighted the idea of building users' identity across multiple devices, including those belonging to the wearable IoT wave, feeding the *what you have* factor to authenticate users.

This session did not bring any direct conclusion on the complex problem of identity, security and privacy, but it led the audience through different perspectives. The excellent minutes and presentations from that session are available on . The whole web community is now waiting for the W3C report on that workshop, which will sum up and prioritize the possible actions that could happen in W3C.


Two days of W3C workshop about web and payment

This week's W3C Web Payment workshop was amazing: one hundred registered people, representing the whole chain of web payment. From merchants to banks, including payment system providers, from established financial institutions to challenging startups, from browser makers to mobile network operators. All those delegates agreed to spend 2 days in the Palais Brongniart in Paris to discuss how standardization should be driven in W3C to improve the integration of web payment in the open web platform. During two days, the audience tried to identify the minimum common agreement to ease the end-user experience when buying something on the web, and to imagine how payment systems could be more efficiently integrated in the web. In addition to the usual suspects (Google, Mozilla, GSMA, Yandex), the lucky attendees could hear opinions from less talkative companies such as: PCI (payment security certification), BPCE (French bank), SWIFT (Society for Worldwide Interbank Financial Telecommunication), the US Federal Reserve (the big US wallet), BCS, Rabobank, an EU delegate, Ripple Labs, HubCulture promoting Ven, NACS US merchants. New faces giving their opinion, next to the usual suspects from W3C.

What can we expect from such an event?
First. Build a tribe. And I think that the workshop was a success. Interaction was key; breaks and dinner also helped people to meet and understand each other. Second. Decide where the tribe wants to go. This is less straightforward. Once everyone understood that it was quite complex to find the right balance between standard and competition, the key mission that became natural to everyone was to understand the roles and concepts handled in the story of a payment transaction. Questions: what is the ideal user experience, what are the merchant's roles and boundaries, what characteristics define a payment service provider, do intermediaries count, is payment a single service, or does it include quotation management… Understanding the payment steps and splitting that journey into a reliable description. This is for the business and flow side. Another domain identified to be explored collaboratively was related to the technology. When one asked "what is a token for you", depending on where you come from, the answer could have a different taste (actually four different definitions were found). Same for the wallet… So in the end, it was obvious that the tribe needed to build a common understanding.

The necessary consensus.
Let's be clear. Any payment standardization work will not happen if disruptive Ripple Labs, promoting a decentralized network, does not understand mobile network operators; if Microsoft, promoting an e-commerce identity, does not listen to the EU on privacy; or if merchants do not make up their minds on the advantages of virtualized money (à la bitcoin). Of course the matrix of mutual understanding is infinite. But one should note that the extremes should carefully listen to each other. And this will be a challenge that may take some time. At the same time, it was highlighted that neither Visa, Mastercard nor the MCX merchants were present, and their voices should definitely be heard there.

The coming battles.
When covering a topic as large as payment, involving so many actors, and when you increase the complexity by taking into account newcomers such as bitcoin promoters and decentralized network designers, you can easily identify the big, big blockers on which this community may fight. The following words sound to me like brain burners: system interconnection and fee harmonization (right, this could be kept away from the W3C landscape), user convenience versus security, user data ownership (ouch, that one is the business basement, right?), privacy by design, identity schemes (fragmented and contradictory visions here).

Where could the tribe start? Small pieces of technology.
During the discussion, it appeared that it would not be possible to build a complete standard solution that leaves room for existing models and integrates the disruptive ones. So the opposite view was considered: why not design very small pieces of enablers, such as a transaction definition, a transaction flow and its related states, a simple intent-to-pay framework, some auto-filling functions, … This primary list is just ideas, and it will definitely be enriched during the coming discussions.

Where do we meet next?
That recently born web payment tribe must follow up. It could gather again either by re-using the Web Payments Community Group chaired by Manu Sporny, attached to (but not belonging to) W3C, or a new group could be created. That plan will be made in the coming weeks, once all the W3C staff have brainstormed on the minutes of the workshop (slides and minutes). Let's wait for the official takeaways from W3C.


You can also read my post related to the Identity, Security and Privacy session, which I moderated, here :