
Speaker at #shake16: an experience!

TL;DR – this week I spent two days in Aix-en-Provence for #shake16, and it was great.


The Shake conference is a meeting point for e-commerce professionals. The format is excellent: a mix of plenary talks with the big names of web business (La Poste, Price Minister, Facebook... no, there are too many, look at the list); focused workshops with the pros; stands for software vendors, associations and creative people; startup pitches; and business meetings (no fewer than 500, enough to sign deals or build good relationships).

E-commerce is obviously an exciting theme, and it lends itself to many angles: digital transformation, the transformation of work, the role of technology in our lives, the problems of logistics, of physical and virtual stores, of cross-channel and omni-customer (or the other way round). This year the emphasis was on the Why (why be an entrepreneur, an e-merchant...) and on the customer relationship, which in the 21st century must be caring, pampered, respectful and relevant. In short, #shake16 was a fine promise for its visitors.

And this year I was a speaker. Yep, classy (thanks to Hervé Bourdon and Jacques Froissant for trusting me). But being a speaker at Shake this year was not *only* classy. It was also a very particular experience. Why? Because the spirit of Shake (among other things) is to give and share, to ride on the energy of the community. And the Shake team chose to treat the people on the stands (semantic help needed: exhibitors?) and the speakers as *users* of the event. So we were looked after, with kindness. And it worked wonderfully.

Why was it so special? Because the speakers and exhibitors, on top of the petits fours and the rest room, had access to a half-day boostcamp, organised by Marie Aurélie with the help of friendly facilitators, with a very enriching programme. See for yourself.

First, in groups of 6, we had the chance to unwind with a tailor-made escape game (the exit code was 176, now you know).

Then we spent time with professionals of relationships, of the enterprise and of the body. Team 5, mine, led by the fantastic Delphine Foviaux, followed this programme:

  • a workshop on emotional marketing with Patrice Laubignat. Absolutely enlightening for revisiting one's relationship to others, the way one looks at oneself and at one's interlocutors, and for burying the fears that hold back free and fruitful exchanges.
  • a dose of the liberated company with Nicolas Trossat. Here we learned the keys to thinking about work differently, with notions of collective responsibility, transparency and trust. A shot of utopia that let us rethink our relationship to work.
  • and to finish, with Daria Kucevalova, we sang (badly, but nobody cared, it was harmonious). We played with voice and body. It was an exercise anchored in the present and in the ground, and it undeniably released a few tensions.

At the end of the preparation day we were relaxed, a bit bonded, a bit friends, and ready to give our best on the stands and on stage. So no, it was not only fun. Shake gave us the means to be more at ease and better, to get the most out of our presence and to contribute to the (already impressive) energy of this event. It was kind and generous, rare enough to be worth pointing out and telling the rest of the world.

Year after year Shake grows, and we cannot wait for the next edition, #shake17.

Note: others besides me say shake16 was fantastic, so go and visit

  • coach Will Roy's blog here,
  • or biz200's, for a business report here,
  • or Patrice Laubignat's for an emotional view here,
  • Annie Lichtner and My Digital Week for an e-commerce professional's point of view,
  • or the Shake blog, where Marie Aurélie shares her vision of the boostcamp,
  • over at Henri Kaufman's, to pick up good ideas in two episodes: one, two,
  • the view of Pierre, who was also in team 5, from Web et Solution, sponsor of the event, here,
  • and the angle of Mélanie Pin, from Primasee, in charge of staging and video,
  • Marie Aurélie again, but this time with her psychologist hat on, exploring the question of why, here,
  • Seb's photo tour and quick impressions,
  • and to make you want to go next year, the sum-up video by Primasee,
  • or the story of #shake by its two founders.


Tech, Web and Society in W3C


I have been involved in W3C for several years. The tens of thousands of hours of discussion I have had with some of my W3C colleagues, mates, folks and peers were intensely interesting. We covered the technical web, but also everything that comes with it. The web and society. Technology as a tool that anyone can pick up and use, following their own rules, pursuing their own goals. We discussed the reliable and equal web. But. What does it mean to maintain a reliable web, for all? What does it mean when a group of people decides to develop technologies to break it? What does it mean to break the web? You know, all those questions that do not fall directly into the W3C basket; after all, it is only a technical standardization body! For a year I had been convinced that this was a missing dimension in W3C. And something happened. Little by little, the idea came to the table. Why not create a place for W3C members to exchange on the potential impact of the technology developed in W3C? Why not keep an eye on the way the web is used today, and debate the potential impact on policies?

The Advisory Board and the W3C team have been working on the creation of the Technology & Policy Interest Group. A group open to W3C members, which will gather the state of the art on topics such as deep linking (or: can one forbid referencing a resource?), DMCA-like challenges (or: how to let researchers stay on the legal side while researching the web, and thus potentially hacking it) and surveillance (you know, governments and companies monitoring anything and everything). And that is only a starter. The Tech & Pol Interest Group, chaired by Jean-François Abramatic, former W3C chairman, will work in W3C-member-only mode and will deliver Analyses. "Analysis" is a new format, chosen to avoid saying the group will deliver Notes or normative Recommendations. At first, those Analyses may be only a collection of problems or a list of solutions, and it will be up to the Director, in consultation with members, to do something with them.

That Interest Group is a fantastic chance to have a place to discuss those important topics, to have the craftsmen and craftswomen of the web exchanging on technology impact, all together, and potentially raising the question of which kind of web we want for all.

The creation of the Interest Group depends on the support it gains in the W3C membership, and on the number of objections its review collects. So, if you think this group is a good idea, and if your company is a W3C member, I can only encourage you to ping your AC rep and tell them what you think...


Illustration: Blowball II – M.C. Escher



Web developers, you want to use Web Crypto? Let the world know!

Dear web developer, web technologist, web curious,
If you have a plan. And if your plan is about integrating more security in your web development. And if you have been expecting an interoperable library in browsers for managing secret keys, encrypting your users' sensitive data, signing a set of data.
This is your time! This is the time for you to speak up.
The W3C standardization work is in its last miles – despite our Cartesian principles, we all know those are usually the longest.
What do we have so far? We have:
But we are still missing:
  • some bug review and resolution on the implementers' side,
  • some decision making to clarify buggy features in the specification,
  • a complete set of tests.
So, if you want a chance to play with RSA or AES in your web app one day, and if you already have some pending development or experiment, just let us know.
Help demonstrate traction from the web developer community. This will definitely motivate browser makers to keep up their efforts on the development and maintenance of the W3C Web Crypto API.
Please send references to your projects, your crypto wish list, or an offer to support the WG operations to the W3C Web Crypto WG public mailing list: public-webcrypto@w3.org.
The open web platform will definitely need you!

W3C : about security activities (gossips, new work and strategy)

This post is the third one reporting on W3C TPAC activities. The previous ones covered the Advisory Board discussion and general technical topics. This one focuses on my favourite topic, security.

People following me know I am a promoter of security in W3C. Having done that for the last 4 years, I must confess I had some good surprises during the last W3C TPAC week (the yearly big W3C party). Here is what I collected, going to official and unofficial meetings, coffee breaks and bars...

When Vint Cerf, Jun Murai and Tim Berners-Lee advocate for security. The W3C TPAC day started with a three-star row on stage, in conversation with W3C CEO Jeff Jaffe. (Note for the youngest: Vint Cerf co-invented the internet protocols and works for Google; Jun Murai has been building that ecosystem as one of the most influential Japanese figures of the internet; Tim Berners-Lee is Tim...) Reading the minutes of that conversation, one realizes that security was at the heart of the exchanges: about putting security in everything, about security being transparent, about strong authentication, about making the web a trusted place... While those gentlemen did not draw technical solutions on any whiteboard, but rather exchanged on the effort needed, this gave an indication of their next challenge for the web.

W3C security strategy is here. In order to answer W3C members' request for a security strategy, the security strategic plan for W3C has been issued. The Technology and Society domain considers two aspects of securing the open web platform: user security (including the Web Crypto API, web authentication and HTTPS migration) and web app security (including CSP, sandboxing and, again, HTTPS). Another track is about making sure that the development of the open web platform takes care of security, which implies security reviews, handling the migration to HTTPS with care, and liaising with the rest of the world through liaisons and wide communication. See more about that security strategic plan here: https://github.com/w3c/websec/blob/master/security-roadmap.md

The migration towards an HTTPS world. A very interesting session was held during TPAC on finding the best path to make the web an HTTPS place. HTTPS is good, says the W3C Technical Architecture Group. We all know that (well, kind of). But the path from HTTP to HTTPS raises some serious challenges, which Brad Hill explained very well in that document. The problem is mixed content. Once your website mandates HTTPS, how do you still get content from sites that only run HTTP? What security measure should be taken when this happens? Wouldn't that be the weakest link that kills the entire security promise? A script pulled over plain HTTP into an HTTPS page can be modified in transit by anyone on the path, which is why browsers block such active mixed content rather than run it. No conclusion was drawn from that discussion, but some options were excluded (for instance a 2-step migration path that would be highly insecure for the whole web).

W3C seeks a security geek. Based on that ambitious plan, W3C has opened a position to strengthen the team on security aspects. For more information, contact Wendy from W3C (wseltzer at w3 dot org).

Web App Sec, business as usual. Working hard and quietly, Web App Sec is rolling out its plan. I have already mentioned the main topics dealt with in this Working Group, made up of the best security experts of the major browser vendors. One may note that, little by little, Web App Sec is providing developers with a toolbox to check the integrity of a resource (SRI), filter or log access to external resources (CSP), and grant access to specific APIs only in a secure context (Privileged Contexts)... Nevertheless, some recent activities are worth (re)mentioning, completing this intention:

  • COWL: Confinement with Origin Web Labels. In other words, a means to label some code and execute it carefully (because you do not trust it, because you want to give it fewer permissions...). That work is a First Public Working Draft (early stage of a spec) and is available here: http://www.w3.org/TR/cowl
  • Clear Site Data: allows a web app to kindly ask the browser to delete the data related to it. The spec is available here: http://www.w3.org/TR/clear-site-data/
  • Upgrade Insecure Requests: allows web app developers to instruct the browser to upgrade all interactions between client and server to HTTPS. The spec is available here: http://www.w3.org/TR/upgrade-insecure-requests/

You can have a look at the complete status of the Working Group deliverables, edited by its co-chair Brad Hill.

Last but not least. Some new work is being introduced in W3C.

Web Authentication. Is about allowing strong authentication from a web app. That Working Group will certainly be the placeholder for W3C receiving the FIDO Alliance specifications, which define an API for authentication, attestation of an authentication device and signature. The draft charter is under construction here: https://w3c.github.io/websec/web-authentication-charter

Hardware Security. Is about allowing web apps to access secure services made available thanks to hardware-based tokens (such as secure chips, smart cards and trusted execution environments). Those who know my everyday job will certainly recognise the technology I usually play with, and may understand why I have offered to chair that Working Group together with David Rogers, a mobile security expert. The draft charter is available here: https://w3c.github.io/websec/hasec-charter.html

Those two new pieces in W3C still have to go through W3C member review before being actually up and running. Again, I will keep you informed.

W3C : rambling in W3C TPAC as a tech person

Being also a tech person, during the W3C TPAC week I had the chance to visit different groups and brainstorming sessions, and I am sharing here with you the result of my jumping from one room to another.

Web Payment is a reality. The web payment activity is one of the most dynamic ones in W3C these months. The quest started here is to ease access to payment means from a browser: making sure that a one-click button lets a user pay with a means that is accepted by the merchant and available in the user's context. The use cases and priorities were discussed in the Web Payment Interest Group, but the more operational step happened at TPAC: the Web Payment WG kicked off. That Working Group will design an architecture and some APIs to make that in-browser payment feature a reality. Let's wish them success...

WebRTC is close to completion. WebRTC *suffers* from a large number of implementations (see "is WebRTC ready yet?") and the specification was late compared to market expectations, but the good news is that most of the technical problems have been answered. And the WebRTC group is now thinking about WebRTC Next Generation. The specification will go to CR soon (see the details by Dom at http://www.w3.org/2015/Talks/dhm-webrtc-ac/).

Sensors are progressing. The Internet of Things is something (buzz, trend, de facto, golden quest...), and it is also present in W3C. The sensor spec is about exposing sensor data to web apps. The spec is on its way, in the capable hands of (Intel Corporation) and Rick Waldron (jQuery Foundation). If you want to have a look at that API, the spec is here: https://w3c.github.io/sensors/, and more context can be found in the discussions held during TPAC between the sensor team and the Web of Things team, reported here.

What about blockchain on the web? Some may get nervous that everyone is talking about blockchain. Even TPAC breakout sessions dealt with it. During an interesting session, NTT DoCoMo exposed the rationale for letting web apps use a blockchain, for use cases such as tracking peer-to-peer rights transfers or signing legal documents... This long-term work may land in W3C some day...

I could not attend all the Working Group meetings and breakout sessions held during W3C TPAC, but if you want a taste of what is discussed in W3C, have a look at this report, and read the minutes, issues and participants...

W3C : about being an Advisory Board Member

One of the important moments for W3C, the World Wide Web Consortium, is TPAC. This is the week when all W3C members and W3C tech contributors meet. Dozens of Working Groups hold their face-to-face meetings, and in parallel the Advisory Committee (AC) meets. The AC is a room full of delegates (one per W3C member, meaning any company, university or startup that has paid its W3C membership). This year the big party was scheduled in Sapporo (Japan), and more than 550 people registered, more than last year when the location was the crowded Silicon Valley. Thus, lots of people, lots of amazing topics and discussions.

I participated there wearing several hats: as a tech person, as an Advisory Board member of W3C, as an AC rep, as chair of a technical group, and finally as a general citizen of the web. I wanted to share with you all the goodness that came out of this crazy week. This post is the first of several reporting on my experience, focusing on the Advisory Board aspects.

What is it to be an Advisory Board member? The role of the AB is to give guidance to W3C management on W3C directions. That 2-year mandate is obtained through election by W3C members. Basically, you campaign, and you get elected. The AB is made up of 9 elected people, a chair, Jeff Jaffe, CEO of W3C, and two magic supporters from the team (Coralie and Ralph). The team plays well, with lots of exchanges, different profiles and conflicting interests, which, I believe, guarantees that most interests will be preserved... W3C members and the AB can talk continuously, but there are 2 occasions where W3C members can formally express whether they are happy or not: at TPAC and at a spring meeting, for a 2-day general assembly.

What are the immediate tasks of the Advisory Board? The AB has to treat a large number of topics covering process management (which includes the specification lifecycle but also governance rules), the strategy of the different W3C domains, the priorities of the consortium, the development of new activities or working methods, and solving any question or problem raised by the membership... And here is the team to handle that!

How to achieve that as an Advisory Board member? After one year of exercising such a mandate, it came to me that it is a difficult balance between taking initiative on behalf of W3C members and spending time listening and gathering feedback... This week at TPAC, the dialogue with the W3C membership was very quiet. Few interactions during the official meeting. Discussing in the corridors with many members and my AB mates, some principles emerged that we should always keep in mind to maintain the basics of democracy in such an organization.

  • Create real dialogue with members, letting them influence the general assembly agenda and opening open-mic sessions,
  • Clarify the points of discord and put them on the table; it will make sure all arguments pro and con are heard. When you have the media and ad industry and the EFF in the same room, there is a good chance you will hear completely opposite visions of a single situation, and thus can make up your mind...
  • Leave some space uncontrolled, where technical and strategic outcomes are driven by a few, not under pressure to represent every opinion, but allowed to produce straw-man proposals (the W3C Technical Architecture Group, led by Tim Berners-Lee, plays that role today),
  • Clarify the priorities of the consortium, by vote or by any other means, to make sure that you do not address all requests, but only the important ones,
  • Roll out a pragmatic plan, with a single champion to question and congratulate, adapted to your resources, and fine-tune as you walk,
  • Listen to the silence and act when it is too loud (looping back...)

What is next for the AB? In addition to business as usual, I believe W3C is facing some interesting challenges that I am committed to support:

  • modern tooling (that is, bringing GitHub and modern editing methods into working groups),
  • caring for the chairs and editors community,
  • improving the visibility of W3C activities to the public (thanks to the magic of Web APIs),
  • clarifying strategic plans (accessibility, security, HTML5 next, ...),
  • kicking off a new group dedicated to discussing potential policy in W3C (that is, taking positions on topics where technology and society overlap).

Definitely nothing but interesting and great challenges! I will keep the web informed as things progress!

Paris Web: security and quality


Summer is in full swing. Cicadas and sun (well, for me). I am looking at the Paris Web programme, the web conference scheduled for October (yes, already, I know, some say I plan far ahead), and joy, happiness, ecstasy: there will be plenty of security at Paris Web this year. Imagine, no fewer than 6 talks related to the subject.

– Your nightmare may look like an invasion of malicious scripts on your sites; Nicolas Hoffman will tell you that CSP is an antidote to this kind of embarrassing situation.

– Want to make your web applications a bit more robust? There are tools for that. Mathias Dugué will share his experience of using these obscure security tools and of the Web Crypto API.

– Good authentication is the guarantee of a safely deployed service. The French administration has understood this. Francois Petitit will share his experience of deploying FranceConnect, OpenID, OAuth2, and all that joy...

– Bots on the net generate traffic and probably annoy you as a webmaster; François Hodierne will explain how to handle this little detail, and how to tell the good robots from the bad ones.

– The security of the web and of the internets is a serious subject that standards bodies discuss; I will come and tell you about the progress made in these industry consortia, at W3C, at the IETF and at FIDO.

– Security is also an underlying question in the stakes of web users' freedom. Adrienne Charmet, of La Quadrature du Net, will come and plead for a commitment from digital players, in the opening plenary.

See you at Paris Web on 1/2/3 October! #bisous

Digital art exists, there is a trading place for that

Interesting conference this week at the Mozilla office in Paris. Chris Messina @chrismessina stopped by, invited by FivebyFive, to share his current hobby: digital art.

He discussed several aspects of digital art: what it is, what it looks like, what it could be tomorrow, provided the technology evolves. And the essential question behind it: in the era of pixels and beats being multiplied in one click at no (visible) cost, how can digital artists survive and get paid for their creations?

Well. First, it is a matter of faith and value. Either you do not care, and you copy like hell. Or you believe that artists have a special role to play in our society and deserve your support. Second, you need a place where digital artists offer their work to a public, reproducing the principles of a commercial gallery. Third, to curb copying, you may enable versioning of the art pieces. Versioning creates scarcity, which is fundamental to value creation in art.

Let's say I am a fan of unicorn drawings. I buy a digital drawing on the internet, I get a place to store it and a certificate. When I get bored of owning it, I can sell it to another unicorn addict. Chris Messina presented a platform that enables that scenario. It is named Neonmob, https://www.neonmob.com/, and is in beta. With Neonmob you acquire an art piece, for free or for money, and it comes with a certificate; limited editions are stamped thanks to a bitcoin-like crypto operation. The platform lets you track whether your art piece is extremely rare or very common, which helps you put a value on your collection.


Note that @marklor reminded his friends that 'deviant art', http://www.deviantart.com/, is also a platform that allows more or less the same thing. I will let you benchmark both solutions.

That evening was really interesting because it covered at the same time the question of what digital art is (a drawing, an animated GIF, a programmable image, a piece of music created with movement sensors, an image animated via a wind sensor...), why it is necessary to create scarcity in digital art, and how to collect and enjoy your digital art... This is certainly just the beginning of the questions technologists and art lovers will have to think about and share.

About the very simple question of identity, security and privacy in Web Payment


Again, about the W3C Web Payment Workshop in Paris. Two weeks ago, the discussion covered the definition of payment, the notion of user experience, the architecture of back-end systems and the end-to-end picture. The main objective of the workshop was to identify web-related topics on which all parties (merchants, banks, payment schemes, regulating governments, payment service processors...) would agree to standardise further. This will take time, as I already mentioned in a previous post. The conversation was structured, but in each of the scheduled sessions, after one hour of talk, questions related to identity and security were systematically raised. How can you guarantee that the payee is who they claim to be? How can you guarantee that the money is safely transferred and stored? As moderator of the Identity, Security and Privacy panel, I felt my panel would be an interesting piece of the workshop.

Throwing out the question "how can you guarantee your system is secure?" is a little unfair. Obviously, no one can guarantee a system to be 100% secure (at some point, someone will break it), so you have to think about risk evaluation, tools to help implement security, indicators to monitor trust... And this is what the people on the panel shared: good practices, feedback and valuable advice for building a common solution that brings some notion of identity, security and privacy to payment. Here are my takeaways from the discussions.

Identity, what is it? With Louise from the British Computer Society and Tim from Microsoft, we explored the notion of identity from two different perspectives. Tim, involved in Microsoft's e-commerce platform, shared with the participants a notion of commerce identity that would encompass our usual personal information, but also our friends, our relatives, our payment means, our interactions, our reputation. The idea suggested was to build one identity by aggregating our identities and make it available to service providers via APIs. The direct consumers of this meta-identity could be banks and merchants, but also anti-fraud banking systems and governments, local or international. Obviously the question of user control and privacy was raised. And this is where Louise gave a great speech on how identity, privacy, anonymity and traceability are major topics that companies, citizens and regulation should take care of. The rationale for this special care was the coming explosion of peer-to-peer financial transactions enabled by the web. This use case would multiply the need to protect peers, regulate fraud and balance privacy aspects.

Identity, who should manage it? Several participants gave a view on handling identity. Natasha Rooney, from GSMA, mentioned in her contribution that they had a programme named GSMA Mobile Connect, which would allow service providers to use mobile network operators' user databases and trust the identity of those users. This offer, combined with a strategy of direct billing on subscribers' bills, would position them as ideal identity providers in mobile commerce. Another view: Ripple Labs, who maintain the Ripple Network, said that identity should be managed in a decentralized way. What does it mean? Ripple Network is a network payment solution that relies on a network of Ripple Gateways. Those gateways are spread all around the world, and that is where each user willing to transfer money registers, providing email and banking details and choosing a gateway that suits their constraints in terms of currency, transaction operations... Each Ripple Gateway implements the Ripple Transaction Protocol, which allows transferring money in any currency from one user to another, provided the recipient owns a Ripple Wallet. In that case, identity is managed by registering with gateways. The case of Facebook and Google managing users' identity was not directly discussed but was raised on a regular basis. One could conclude that several identity provider profiles could be defined, from traditional, kind of official (MNO) to decentralized, email-based (Ripple network).

Identity, how to convey it? Let's say you are an identity provider. You need to offer service providers a way to consume your users' identity. The next questions you have to answer are: which protocol should support the exchange of identity-related information? Which pieces of the identity should be shared? How to make sure that the user agrees to sharing their identity? Most of the presenters mentioned the recently published OpenID Connect as the technology that does the job. First, it relies on the recent version of OAuth, an authorization protocol that Hannes Tschofenig, co-chair of the IETF OAuth WG, presented to the audience. Hannes concluded that OAuth was a good enabler for identity schemes, provided that the security recommendations were implemented and that proprietary plug-ins did not kill its interoperable nature. Second, OpenID Connect includes a flexible authentication mechanism (how do you make sure the user authorizing access is the right user?). Stefan from Ripple Labs confirmed, adding that Ripple Network was using it, allowing good granularity in rights and flexibility in user authentication. Ripple used passwords and played with cryptography, but one could imagine the FIDO Alliance UAF technology being used for such authentication.

Payment, identity and security, what promise? About the actual enablers for security in web payment, we heard several voices promoting different perspectives. On the device side, Giri from Qualcomm said that mobile payment security schemes could benefit from users' contextual information combined with trusted enablers, listing technologies web payment could benefit from: geolocation, multi-factor authentication, hardware tokens and fingerprinting. On the protocol side, Hannes reminded the audience that the state of the art in security as promoted at the IETF should be implemented to avoid failure. There was a consensus that cryptography is a great enabler of trust and security (trusting someone can be translated as sharing a cryptographic secret with them). This is why Harry Halpin from W3C promoted the recent Web Crypto API (which, as my readers all know, went to Last Call last week). This API will allow developers to manage and use keys in their web applications. Last but not least, Gregory from Lyra Network, among other good feedback promoting decentralized web traffic to increase trust, reminded us that users need to be educated in order to have better control over their identity data and data in general. He also highlighted the idea of building users' identity across multiple devices, including those belonging to the wearable IoT wave, feeding the *what you have* factor for authenticating users.

This session did not bring any direct conclusion on the complex problem of identity, security and privacy, but took the audience through different perspectives. The excellent minutes and presentations from that session are available at http://www.w3.org/2013/10/payments/minutes/2014-03-25-s6/. The whole web community is now waiting for the W3C report on that workshop, which will sum up and prioritize the possible actions that could happen in W3C.