Ordering an orange juice at W3C bar


Little tiny things that would make my W3C life better…

Those who contribute to W3C know that it is a real experience, mixing technical, human and procedural aspects. Thinking about a better W3C, there are a few things I'd like to share, hoping the next W3C Advisory Board will fix them, with or without me. As this requires several posts, here is episode 1 of season 1 on little tiny things that would make our W3C life better. It is named 'Ordering an orange juice at the W3C bar'.

Bars. We all know what it is to enter a bar for the first time, let's say in a new town, or even in an unknown country. If the place is really new to you, you don't know the customs. You may wonder how to get your orange juice (or beer, or wine, or sake, or tomato juice, whatever you drink in bars). Can you get a table on your own, or will someone allocate one to you? Are you served by a kind waiter, do you need to order at the bar, or do you place the order from the electronic table itself? Do you pay right away, or later? It may not be the most natural thing to shout 'call me the director of this bar, I need to understand how things work here'. Instead you look at the others, try to read the notices, observe the ambiance. And that is part of the discovery adventure.

W3C. If you want to contribute to W3C, you may have the same experience. Rambling from one working group to another, you discover different spirits (more or less rock and roll) but also different tools. Example: you want to track bugs on a spec? Several options. Use the W3C tracker, suitable for issues and actions. Use W3C Bugzilla for bugs. Use GitHub for everything. WABTC! What a barrier to contributors. Combine this with the fact that a survival kit is not always provided, and a contributor may spend a lot of time understanding the working rules of a specific working group. They may call the director to get an explanation of how things work. But W3C should also help them enter the working group smoothly.

What can be done to make W3C a place where you naturally order your orange juice? I would not wish all W3C working groups to adopt the same tools; people want freedom there. But two things would help.

– When creating a new working group, train the team (chair and editors) on the entire set of tools, with a rationale for each tool's specific advantages. This should include the GitHub platform, which is widely used in W3C and popular with some developers, but is not the usual framework for all of them (not to mention non-developers like me, who are also a reasonable part of the working force and contributors in W3C). It could also include platforms such as Discourse, which some people like Robin Berjon are experimenting with.

– Document accurately the working group's customs and working methods, including the process for following up on specifications: how to open a bug (who, when, where), how to contribute to a bug (who, when, where), how to close a bug (who, when, where). This should be in an easy-to-find place, with a cool design. And if the answer to all those questions is 'it depends', then the working group team should revise its working method.

Let's make W3C a cool place to contribute, let's make contributors' lives easier!


Note: picture by Mista Boos, under Creative Commons license, https://www.flickr.com/photos/mistaboos/

More web developers in W3C!


W3C Advisory Board elections are getting a lot of traction from W3C members. Questions, suggestions and initiatives multiply, and when you are one of the candidates you need to take a position, agreeing or disagreeing, for example on the voting system discussion (see the W3C public process mailing list thread). But behind this voting question lies the question of W3C participants. Who are they? Do they really represent the web? Do they really represent the web developer community?

But first, why would we need more web developers? We do have some smart and brilliant ones, but most of the time they work for big companies, big structures or universities. They might not represent the actual developer who will be torturing the features and APIs embedded in browsers. Some of them are present, but the majority is not.

As a tourist. Since I entered the web community, I have been going to web developer conferences to learn, to meet people, and also to evangelize security. Each time I explain that I represent my company in W3C, I can see stars in the eyes of my interlocutor: "Such a great job, so lucky to be there!". And I always think: "Well, if I can do it, you should be able to do it, especially since you have already designed a super-nice-smart-cool web app, something I have never done in my life, but which is on my to-do list."

As a chair. In the working group I am chairing, we are in theory 50 people, but 10 of them drive the work. They are mainly browser vendors, plus one service provider. Of course all those guys are educated and connected with the web developer community. But it happens that W3C also needs to design APIs that will not only serve the 3 or 4 use cases that group participants have in mind, for themselves and for their own developer community. And it also happens that we miss feedback from real life (for example, in the Web Crypto API we asked "please, mister or mrs web dev, give me your opinion on the best design", but reviews are always hard to get).

What I think. I think that W3C needs to interact more with the web developer community, not only at events and conferences (which is already something great, see http://www.w3.org/Talks/), but also *in* W3C. We need fresh blood. To review and challenge the specs. To make sure the feature designed will actually be widely used, wider than initially thought. To help prioritize the features we want to develop (we may call our mate, our mum, our brother to decide which feature is the most urgent, but they may have exactly the same opinion as ours). To edit specifications (see the very good post from Robin Berjon explaining how difficult it is to find editors). To beta-test APIs before they ship. To counterbalance the opinion of the super-hyper-expert who may have lost his or her freshness.

How to have more web developers?

With a two-step approach.

One. Make sure that all working group participants, chairs and editors are always ambassadors of W3C, getting traction from the web developers they meet, convincing them to look at the spec, comment, and get involved. This is very easy for popular specifications like EME (everyone has something to say about EME, right?), WebRTC (which is so powerful that it pulls entire conferences) or Service Workers (promoted by charismatic people). It can only happen if all W3C participants are educated on a regular basis about what is going on, by receiving training and regular reviews of domain activities. The quest here is information for all.

Two. Make sure there is a structure to welcome web developers. W3C has different membership statuses: you can be a startup, you can be an invited expert, but individual membership is not yet available. When Brian Kardell pointed me to a group of people in W3C setting up the basis of an individual web developer membership, I realized that it was exactly the missing piece. This 'Webizen' task force (https://www.w3.org/wiki/Webizen) will share the results of its thinking in June 2014, during the W3C Advisory Committee meeting, where all W3C member representatives meet. Webizen brainstorming is open to anyone, so if you have ideas, do not hesitate. The quest here is W3C membership for all.

I really hope that W3C and its current members will succeed in lowering the entry barrier to W3C and will benefit from having all players around the table, including web developers. Integrating web developers into W3C circles, getting them more involved in discussions and decisions: as a candidate in the AB election, I support that!


Note: picture 'Gamme' by Romain, https://www.flickr.com/photos/xyotiogyo/


Running for W3C Advisory Board, again…

W3C dancer and runner by Claus Tom

May is the season when W3C organizes the election for its Advisory Board, the group of 10 people representing W3C members, helping to improve the W3C process and advising W3C management on strategy. My regular readers know that last year I was one of the candidates, and they may be happy to know that I'll try again this year. Talking with my colleagues from Gemalto, they challenged me:

"Why are you doing that? Representing Gemalto in different W3C working groups may be enough, isn't it?" Well. Yes. And no.

It is true that I spend more than half of my time supporting W3C activities. That includes my chair positions in the Web Crypto WG and the Web Security IG (a public security experts community), monitoring W3C deliverables to report to my colleagues when something interesting happens, and supporting W3C workshops (automotive, payment and soon security related). Believe me, that job is not always easy, especially in a company which is not yet directly getting revenue from web applications and services. In other words, if you don't like that job, you can't do it.

So, that said, I like W3C. Why?

I have been in standards for a while now, experiencing different governance models and different group sizes, involved in different positions (observer, contributor, editor, chair), always in technology and international contexts. After all those years I must confess that W3C has been the most welcoming house, with a goal and framework that really make sense to me. Supporting W3C development and helping to transform the open web platform into a widely adopted platform, suitable for any service, is a great objective in my opinion. Process and governance questions are part of that challenge, as more and more members are joining, and more and more members are needed to make that platform relevant.

And I want to be part of that move.

Well, once you say 'I wanna join the party', you have to think about your own value proposition. Who am I to run for the AB? Well. I am experienced in standards. I am a hard-working person. I am a consensual person, listening to problems, looking for advice and conflicting opinions, and always targeting decision making (I hate vague and unknown statuses, and I know it's sometimes terrible for my relatives and colleagues).

And I have a plan.

Based on what I have seen during those last two and a half years in W3C, I have drafted a kind of program, things I believe would benefit from my energy. Like everyone, I want a better world, but more precisely, I'd like to:

(1) Increase the visibility of W3C deliverables for members and non-members, by supporting the creation of dashboards (I already wrote about it)

(2) Improve web developer community feedback, involvement and representation in W3C (leveraging W3C's openness with public events and Webizen-like projects)

(3) Maintain the motivation of contributors, including education and supporting tools, with a specific focus on editors and chairs

(4) Ensure that securing the web sits at the core of the evolution of the consortium, as required by device manufacturers and security-sensitive companies

All is said. Let's see if this plan looks good enough for the 389 W3C members to vote for me and help me get one of the 5 open seats on the W3C Advisory Board. The voting period is all of May and the results are announced in June. If you know some of the voters, and like the idea of seeing me elected, just tell them.

If you just want to encourage me, you can share this post or leave comments and suggestions.

I will keep you informed about the results, for sure.


Update: some others are also campaigning; you can read the posts from Brian and Boaz.

Update: other posts related to the W3C AB election on my blog: More web developers in W3C, and all other posts related to W3C.

Note: picture 'Runner and Dancer' by Claus Tom, under Creative Commons license, https://www.flickr.com/photos/claustom/




About the very simple question of identity, security and privacy in Web Payment


Again, about the W3C Web Payment Workshop in Paris. Two weeks ago, the discussion covered the definition of payment, the notion of user experience, the architecture of back-end systems and the end-to-end picture. The main objective of the workshop was to identify web-related topics on which all parties (merchants, banks, payment schemes, regulators, payment service processors, ...) would agree to standardize. This will take time, as I already mentioned in a previous post. The conversation was structured, but in each of the scheduled sessions, after one hour of talk, questions related to identity and security were systematically raised. How can you guarantee that the payee is who he pretends to be? How can you guarantee that the money is safely transferred and stored? As moderator of the Identity, Security and Privacy session, I felt that my panel would be an interesting piece of the workshop.

Throwing the question 'how can you guarantee your system is secure?' is a little bit unfair. Obviously, no one can guarantee a system to be 100% secure (at some point, someone will break it), so you have to think about risk evaluation, tools to help implement security, indicators to monitor trust... And this is what the people on the panel shared: good practices, feedback and valuable advice for building a common solution that brings some notion of identity, security and privacy to payment. Here is my takeaway from the discussions.

Identity, what is it? With Louise from BCS (the British Computer Society) and Tim from Microsoft, we explored the notion of identity from two different perspectives. Tim, involved in Microsoft's e-commerce platform, shared with the participants a notion of commerce identity that would encompass our usual personal information, but also our friends, our relatives, our payment means, our interactions, our reputation. The idea suggested was to build one identity, based on the principle of aggregating our identities, and make it available to service providers via APIs. The direct consumers of this meta-identity could be banks and merchants, but also anti-fraud banking systems and governments, local or international. Obviously the question of user control and privacy was raised. And this is where Louise made a great speech about how identity, privacy, anonymity and traceability were major topics that companies, citizens and regulators should take care of. The rationale for this special care was the coming explosion of peer-to-peer financial transactions enabled by the web. This use case would multiply the need to protect peers, regulate fraud and balance privacy aspects.

Identity, who should manage it? Several participants gave their view on handling identity. Natasha Rooney, from GSMA, mentioned in her contribution that they had a program named GSMA Mobile Connect, which would allow service providers to use the mobile network operators' user databases and trust the identity of those users. This offer, combined with a strategy of direct billing on subscribers' bills, would position them as ideal identity providers in mobile commerce. Another view came from Ripple Labs, the ones maintaining the Ripple Network, who said that identity should be managed in a decentralized way. What does it mean? The Ripple Network is a payment network which relies on a network of Ripple Gateways. Those gateways are spread all around the world, and this is where each user willing to transfer money registers, providing email and banking details, choosing a gateway suiting his constraints in terms of currency, transaction operations... Each Ripple Gateway implements the Ripple Transaction Protocol, which allows money to be transferred in any currency from one user to another, provided that the recipient owns a Ripple Wallet. In that case, identity is managed by registering with gateways. The case of Facebook and Google managing the user's identity was not directly discussed but was raised on a regular basis. One could conclude that several identity provider profiles could be defined, from the traditional, kind of official one (MNO) to the decentralized, email-based one (Ripple Network).

Identity, how to convey it? Let's say you are an identity provider. You need to offer services for service providers to consume your users' identity. The next questions you have to answer are: which protocol should support the exchange of identity-related information? Which pieces of the identity should be shared? How to make sure that the user agrees with sharing his identity? Most of the presenters mentioned the recently published OpenID Connect as the technology that does the job. First, it relies on the recent version of OAuth, an authorization protocol that Hannes Tschofenig, co-chair of the IETF OAuth WG, presented to the audience. Hannes concluded by saying that OAuth was a good enabler for identity schemes, provided that the security recommendations were implemented and that proprietary plug-ins did not kill its interoperable nature. Second, OpenID Connect includes a flexible authentication mechanism (how do you make sure the user authorizing access is the right user). Stefan from Ripple Labs confirmed, adding that the Ripple Network was using it, allowing good granularity in rights and flexibility in user authentication. Ripple relied on passwords and played with cryptography, but one could imagine the FIDO Alliance UAF technology being used for such authentication.
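To make 'provided that the security recommendations are implemented' concrete, here is an added example of what a relying party has to check when the identity arrives as an OpenID Connect ID Token. It is not code from the workshop, from Ripple, or from any OpenID project; it assumes the HS256 variant of OpenID Connect, where the ID Token is signed with the client secret (an RS256 token would need an RSA library), and the issuer, client id and secret are constructed values. The checks are the ones OpenID Connect Core requires of the client: signature under the algorithm the client expects (never the one the token announces), issuer, audience, expiry, and the nonce that ties the token to the authentication request; the demo function also shows the forged or replayed tokens that must be refused.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed fixtures for the example (not real credentials or endpoints).
ISSUER = "https://idp.example"
CLIENT_ID = "example-client"
CLIENT_SECRET = b"constructed-shared-secret-not-real"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWS strips base64 padding; add it back before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims, secret=CLIENT_SECRET, alg="HS256"):
    """Build a compact JWS carrying the claims. Only used here to construct
    fixtures, including the deliberately bad ones the validator must reject."""
    header = json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode()
    payload = json.dumps(claims, separators=(",", ":")).encode()
    signing_input = _b64url_encode(header) + "." + _b64url_encode(payload)
    if alg == "none":                      # unsigned token: empty signature part
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token, expected_nonce, now=None, secret=CLIENT_SECRET):
    """Return the claims if the token is acceptable for this client, else raise
    ValueError. Order matters: the signature is verified before any claim is
    trusted, and the algorithm is fixed by the relying party, not by the token."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":       # rejects 'none' and algorithm confusion
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected_sig = hmac.new(secret, (h_b64 + "." + p_b64).encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else list(aud or [])
    if CLIENT_ID not in aud_list:
        raise ValueError("token not meant for this client")
    if len(aud_list) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("azp missing or wrong on multi-audience token")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired")
    nonce = str(claims.get("nonce", "")).encode()
    if not hmac.compare_digest(nonce, expected_nonce.encode()):
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def demo():
    """Exercise the validator on a good token and on the usual forgeries."""
    t0 = 1_700_000_000
    good = {"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
            "iat": t0, "exp": t0 + 300, "nonce": "n-1"}
    results = {"valid": validate_id_token(mint_id_token(good), "n-1", now=t0)["sub"]}
    bad_cases = {
        "alg_none": (mint_id_token(good, alg="none"), "n-1", t0),
        "wrong_key": (mint_id_token(good, secret=b"attacker-guess"), "n-1", t0),
        "wrong_aud": (mint_id_token(dict(good, aud="other-client")), "n-1", t0),
        "expired": (mint_id_token(good), "n-1", t0 + 600),
        "replayed_nonce": (mint_id_token(good), "n-2", t0),
    }
    for name, (tok, nonce, now) in bad_cases.items():
        try:
            validate_id_token(tok, nonce, now=now)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The nonce is what turns an OAuth authorization flow into an authentication: the relying party generates it per login attempt, stores it in the session, and a token carrying any other value is a replay, however valid its signature. The algorithm check comes first for the same reason the 'none' case is in the demo: a validator that honours whatever `alg` the token announces accepts unsigned tokens.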

Payment, identity and security, what promise? About the actual enablers for security in web payment, we heard several voices promoting different perspectives. On the device side, Giri from Qualcomm said that mobile payment security schemes could benefit from the user's contextual information combined with trusted enablers, listing technologies web payment could benefit from: geolocation, multi-factor authentication, hardware tokens and fingerprinting. On the protocol side, Hannes reminded the audience that the state of the art in security as promoted in IETF should be implemented to avoid failure. There was a consensus that cryptography was a great enabler of trust and security (trusting someone could be translated as sharing a cryptographic secret with him). This is why Harry Halpin from W3C promoted the recent Web Crypto API (which, as my readers all know, went to Last Call last week). This API will allow developers to manage and use keys in their web applications. Last but not least, Gregory from Lyra Network, among other good feedback promoting decentralized web traffic to increase trust, reminded us that users have to be educated in order to have better control of their identity data and of their data in general. He also highlighted the idea of building users' identity on multiple devices, including the ones belonging to the wearable IoT wave, feeding the *what you have* factor used to authenticate users.

This session did not bring any direct conclusion on the complex problem of identity, security and privacy, but took the audience through different perspectives. The excellent minutes and presentations from that session are available at http://www.w3.org/2013/10/payments/minutes/2014-03-25-s6/. The whole web community is now waiting for the W3C report on the workshop, which will sum up and prioritize the possible actions that could happen in W3C.


Two days of W3C workshop about web and payment

This week's W3C Web Payment workshop was amazing: one hundred registered people, representing the whole chain of web payment. From merchants to banks, including payment system providers, from established financial institutions to challenging startups, from browser makers to mobile network operators. All those delegates agreed to spend two days at the Palais Brongniart in Paris, to discuss how standardization should be driven in W3C to improve the integration of web payment in the open web platform. During those two days, the audience tried to identify the minimum common agreement to ease the end-user experience when buying something on the web, and imagined how payment systems could be more efficiently integrated into the web. In addition to the usual suspects (Google, Mozilla, GSMA, Yandex), the lucky attendees could hear opinions from less talkative companies such as PCI (payment security certification), BPCE (French bank), SWIFT (Society for Worldwide Interbank Financial Telecommunication), the US Federal Reserve (the big US wallet), BCS, Rabobank, an EU delegate, Ripple Labs, HubCulture promoting Ven, and NACS (US merchants). New faces giving their opinion to the usual suspects from W3C.

What can we expect from such an event?
First. Build a tribe. And I think that the workshop was a success: interaction was key, and breaks and dinner also helped people meet and understand each other. Second. Decide where the tribe wants to go. This is less straightforward. Once everyone understood that it was quite complex to find the right balance between standards and competition, the mission that became natural to everyone was to understand the roles and concepts involved in the story of a payment transaction. Questions: what is the ideal user experience, what are the merchant's roles and boundaries, what characteristics define a payment service provider, do intermediaries count, is payment a single service, or does it include quotation management... Understanding the payment steps and splitting that journey into a reliable description. This is the business and flow side. Another domain identified to be explored collaboratively was the technology. When someone asked 'what is a token for you?', depending on where you came from, the answer could have a different taste (actually four different definitions were found). Same for the wallet... So in the end, it was obvious that the tribe needed to build a common understanding.

The necessary consensus.
Let's be clear. No payment standardization work will happen if disruptive Ripple Labs, promoting a decentralized network, does not understand mobile network operators, if Microsoft, promoting an e-commerce identity, does not listen to the EU on privacy, or if merchants do not make up their minds about the advantages of virtual money (à la Bitcoin). Of course the matrix of mutual understanding is infinite. But one should note that the extremes should carefully listen to each other. And this will be a challenge that may take some time. At the same time, it was highlighted that neither Visa nor Mastercard nor the MCX merchants were present, and their voice should definitely be heard there.

The coming battles.
When covering a topic as large as payment, involving so many actors, and when you increase the complexity by taking into account newcomers such as Bitcoin promoters and decentralized network designers, you can easily identify the big, big blockers on which this community may fight. The following words sound to me like burning brains: system interconnection and fee harmonization (right, this could be kept out of the W3C landscape), user convenience versus security, user data ownership (ouch, that one is the business basement, right?), privacy by design, identity schemes (fragmented and contradictory visions here).

Where could the tribe start? Small pieces of technology.
During the discussion, it appeared that it would not be possible to build a complete standard solution while leaving room for existing models and integrating the disruptive ones. So the opposite view was considered: why not design very small enablers, such as a transaction definition, a transaction flow and its related states, a simple intent-to-pay framework, some auto-filling functions... This primary list is just ideas, and will definitely be enriched during the coming discussions.

Where do we meet next?
That recently born web payment tribe must follow up. It could gather again either by re-using the Web Payments Community Group chaired by Manu Sporny, attached to (but not belonging to) W3C, or a new group could be created. That plan will be made in the coming weeks, once the W3C staff have brainstormed on the outcome of the workshop (slides and minutes). Let's wait for the official takeaway from W3C.


You can also read my post on the Identity, Security and Privacy session that I moderated, here: https://poulpita.com/2014/04/04/about-the-very-simple-question-of-identity-security-and-privacy-in-web-payment/



The W3C Needs a Dashboard


I recently had some discussions with Mozillians on ways they could contribute to the W3C working group I am chairing [1]. This question made me rethink the magic path individuals have to go through to contribute to W3C work.

W3C is a place where contributions are welcome, free and easy to make. For my readers not familiar with the W3C process: most working groups, interest groups and business groups have public mailing lists for member contributions, but also mailing lists dedicated to comments; the lists managed by W3C can be found here: http://lists.w3.org/. In addition, there are always contacts given for editors, chairs and W3C staff, to ease direct exchange.

But. If you wish to contribute, you have to solve another, bigger problem: you have to be able to identify that something is going on in W3C, expecting your review, expertise and nasty comments.

For individuals belonging to W3C member companies, that is relatively easy. Members are represented by Advisory Committee representatives. All AC reps gather twice a year, in nice places, where the W3C staff share both status and hugs. The meeting content is tailor-made for members, with overviews and focus on specific topics. And this is usually ok. So, if the AC rep attends that meeting, and if the AC rep reports to his team(s), that is the perfect situation. But if not...

For non-W3C members, curious individuals, start-ups, geeks, this is another story. They must monitor W3C's activities on their own. They can register for the excellent newsletter that the W3C team issues weekly; press, blog and actual publication or specification transitions are collected here: http://lists.w3.org/Archives/Public/public-w3c-digest/. They can visit all the working group blogs, wikis and GitHub repositories, praying that they are maintained. They can also subscribe to the public mailing lists and read (thousands of emails). If they have time. But who has that time?

I am paid to be an AC rep, I love W3C; as chair, I am trying as much as possible to spread the word to the public. I am also reporting inside my company, making status updates, consolidating information I grab from different media, creating dashboards, explaining trends, mentioning implementations... This takes time. This costs money to small companies.

This is why I think it would be worth having nice and structured dashboards for each domain handled by W3C, made available to anyone: contributors, developers, but also decision makers. Giving a global view of what is going on in W3C and what the current priorities are. Something like the one for the mobile area, http://www.w3.org/Mobile/mobile-web-app-state/, but for all domains.

I know. This is easy to ask, less easy to deploy. But I'd be happy to help, to make sure all the potential contributors can actually be aware of what is going on in the W3C kitchen.


[1] initial conversation about contribution blockers in W3C: https://twitter.com/annevk/status/444069161321242624
Note: photo credit: Jodaur via photopin cc

Web Security: a snapshot from W3C


For the past few months the web has been in the headlines for bad reasons (but also for good reasons such as its 25th anniversary). The bad side, pointed out on a regular basis, concerns broken servers, denial of service attacks, leaking connected apps, massive internet monitoring... Everyone is wondering: what are we doing so wrong? Well. First, people have to eat, so business does go on. But once fed, and this is the good news, people are talking about security problems, realizing they must change something. Alone. Together. Against each other. But they must move. And organizations such as the W3C are fostering those discussions. People exchange views, make alliances, start thinking about solutions. After all, this is what standardization bodies like the W3C are made for: finding collective solutions, serving both business and social interests. Let me share with you a few interesting evolutions:

* Strong web apps, strong internet

Prior to the last IETF meeting, the STRINT workshop took place, the tagline of which was 'strengthening the internet against pervasive monitoring'. Attendees from both W3C and the IETF discussed how to tighten the existing internet specs to make them stronger, but also new features to think about, to avoid facing more governmental intrusion into internet traffic. While waiting for the report, one can read the minutes.


Talking with the architects of the web

Meet the tag by Romain Huet

I was in London this week, and attended the Meet The TAG session at Google Campus, close to the Silicon Roundabout. This was an opportunity for a conversation between the architects of the web and some London developers. On stage were Tim Berners-Lee @timberners_lee, Yehuda Katz @wycats, Alex Russell @slightlylate, Dan Appelquist @torgo and Anne van Kesteren @annevk, and hidden in the crowd were Jeni Tennison @JeniT, Peter Linss @plinss, Sergey Konstantinov and Henry Thompson.

Anne started with a short presentation of the TAG's prerogatives, in duo with Tim: the old school and the new generation, hand in hand. It was explained that the major difficulty in the TAG's task was to synchronize the deliverables of the different W3C working groups, making sure appropriate technologies were harmoniously available to web developers. Tim even mentioned that the objective of W3C was to make all platform features available to developers.

W3C security roadmap needs you!

Two weeks ago, W3C held its yearly event, named TPAC, gathering most W3C working groups, all official W3C members and most of the W3C team. This impressive stack of geeks, combined with a great venue and lunches and dinners organized by W3C, led to an impressive density of interesting conversations. Having spied a lot, I am reporting here the things related to security, which was one of my drivers for being there (in addition to friends, curiosity, and spending one week on the other side of the globe).