23:11:05 <RRSAgent> RRSAgent has joined #wpwg
23:11:05 <RRSAgent> logging to http://www.w3.org/2015/10/28-wpwg-irc
23:11:27 <adrianba> adrianba has joined #wpwg
23:11:30 <MattSaxon> MattSaxon has joined #wpwg
23:16:11 <jungkees> jungkees has joined #wpwg
23:20:24 <Rouslan> Rouslan has joined #wpwg
23:20:44 <Rouslan> Present+ Rouslan_Solomakhin
23:24:25 <ShaneM> ShaneM has joined #wpwg
23:25:00 <ShaneM> rrsagent, this meeting spans midnight
23:25:12 <nicktr> present+ nicktr
23:26:31 <lbolstad> lbolstad has joined #wpwg
23:27:19 <zephyr> zephyr has joined #wpwg
23:27:30 <MattSaxon> present+ MattSaxon
23:27:35 <zephyr> present+ zephyr
23:27:58 <zephyr> zephyr has joined #wpwg
23:28:14 <zephyr> present+ zephyr
23:28:47 <Ian> Ian has joined #wpwg
23:29:02 <padler> padler has joined #wpwg
23:29:09 <padler> present+ padler
23:29:10 <m4nu> m4nu has joined #wpwg
23:31:46 <Ian> agenda: https://www.w3.org/Payments/IG/wiki/Main_Page/FTF_Oct2015#Detailed_2
23:31:51 <Ian> Chair: NIckTR
23:31:55 <Ian> Scribe: Ian
23:34:12 <CyrilV> CyrilV has joined #wpwg
23:34:33 <Ian> Topic: Welcome
23:34:38 <AdrianHB> AdrianHB has joined #wpwg
23:34:45 <Ian> Nick: Welcome to the inaugural WG meeting!
23:34:58 <dezell> dezell has joined #wpwg
23:35:08 <Ian> ...my inestimably charming co-Chair is Adrian Hope-Bailie
23:35:11 <MattPisut> MattPisut has joined #wpwg
23:35:28 <Ryladog> Ryladog has joined #wpwg
23:35:52 <CyrilV> Present+ Cyril Vignet
23:36:10 <Ian> present+ Kris_Ketels
23:36:19 <Ian> present+ Jean-Yves_Rossi
23:36:21 <ShaneM> Present+ ShaneM
23:36:24 <Ian> present+ Cyril_Vignet
23:36:36 <Ian> present+ Zach_Koch
23:36:38 <mountie> mountie has joined #wpwg
23:36:49 <jyrossi> jyrossi has joined #wpwg
23:37:27 <Jiangtao> Jiangtao has joined #wpwg
23:38:48 <Rouslan> https://www.w3.org/Payments/IG/wiki/Main_Page/FTF_Oct2015#Detailed_2
23:38:58 <nicktr> https://www.w3.org/Payments/IG/wiki/Main_Page/FTF_Oct2015#Thursday.2C_29_October
23:39:02 <zkoch> zkoch has joined #wpwg
23:41:35 <m4nu> scribe: manu
23:41:50 <adrianba> Present+ Adrian_Bateman
23:41:51 <m4nu> Lars: Hi lars from Opera, interested in integrating payments into our browser
23:41:59 <zkoch> Present+ zkoch
23:42:01 <Ryladog> Present+ Katie Haritos-Shea
23:42:02 <dezell> Present+ dezell
23:42:05 <kris> kris has joined #wpwg
23:42:10 <shepazu> shepazu has joined #wpwg
23:42:10 <m4nu> Matt: Hi Matt from Worldpay, we're a payment service provider
23:42:12 <yaso> yaso has joined #wpwg
23:42:14 <dwim_> dwim_ has joined #wpwg
23:42:36 <m4nu> Adrian: Hi Adrian from Microsoft, on Edge team, interested in shipping a payment solution quickly
23:43:09 <m4nu> Matt: Hi Matt, at Microsoft, lead development team for Microsoft payment services - we're exploring consumer payment scenarios, want to use a standards-based approach.
23:43:31 <m4nu> Nick: Is this a cross-org effort, like mobile?
23:43:50 <m4nu> Matt: I'm on product engineering side - all money that flows through Windows Store flow through our services
23:43:53 <Jiangtao> present+ Jiangtao
23:44:17 <adrianba> s/a payment solution/a payment API for the browser/
23:44:21 <m4nu> Mountie: Mountie from Paygate, interest from payments and settlement standpoint.
23:44:31 <shepazu> present+ shepazu
23:44:48 <m4nu> AdrianHB: Adrian Hope-Bailie from Ripple, co-chair of this group - focusing on technical work and spec editing, driving more technical side of things.
23:45:18 <m4nu> Nick: Hi Nick, work in technology and innovation at Worldpay, one of the co-chairs of this group - focusing on operational side of this group.
23:45:54 <m4nu> Shane: Hi Shane McCarron, wearing Digital Bazaar hat, assisting w/ spec authoring/editing, I have 30 years of standards experience and Q/A experience, trying to help w/ test development.
23:46:28 <m4nu> Katie: Hi Katie Haritos-Shea, worked w/ JP Morgan Chase for last couple of years but moving on from that, working w. regulators - focusing on accessibility. Liason from WAI and PF WGs
23:47:31 <Ian> q?
23:47:39 <m4nu> DavidE: David Ezell from NACS, I chair the Web Payments IG - when I started in 1999 we were working in XML - store operators had to spend 5,000 USD on hardware to support EDI processing... XML changed all of that - we want to remove unnecessary stickiness out of the system. We want to enable people to make payments w/o paying a great deal for that.
23:48:05 <m4nu> Doug: Hi, Doug from W3C, staff contact - newbie to payments, but very involved in W3C.
23:48:30 <Ian> m4nu: Chair a number of CGs and initiatives at W3C. Digital Bazaar hopes to take a number of standards from this group to market
23:48:36 <Ian> ...for retailers and financial services orgs
23:48:58 <Ian> pat: I am here from the US Fed. Am interested in how web techs can help faster payments
23:49:06 <m4nu> Pat: Pat from US Fed, US Fed has undertaken a movement to go to more real-time payment system - interested in standardization and Web technologies - we want to go much faster/safer for payments.
23:49:23 <Ian> scribe: Ian
23:49:31 <Ian> Brett: Am here from Google;
23:49:40 <Ian> Zach: Google chrome team...improve user experience
23:49:50 <Ian> Cyril: I work for BPCE innovation dept
23:50:11 <Ian> ...I have worked in payment system since 1987...SET...card payments...project manager for SEPA project for my company
23:50:23 <Ian> ...I am interested in direct debit and credit transfer issues
23:50:36 <Ian> ...interested in how we manage flows
23:50:52 <Ian> ...also related to merchant accounting relationship to payments
23:51:06 <Ian> Jean-Yves Rossi: I have a consultancy...we help people design new payment services
23:51:18 <Ian> ....help people manage regulatory/supervisory matters in Europe
23:51:38 <Ian> ...I have been involved in French banking groups and re-engineering of banking oversight in Europe
23:51:47 <CyrilV> contribution to the Group : SCAI worflow
23:51:47 <Ian> Kris: From SWIFT representing ISO20022...standards for 20 years
23:52:04 <Ian> ...I see this as an extension to ISO20022 realm
23:52:05 <wseltzer> wseltzer has joined #wpwg
23:52:23 <wseltzer> wseltzer has changed the topic to: Web Payments WG: https://www.w3.org/Payments/IG/wiki/Main_Page/FTF_Oct2015#Detailed_2
23:52:25 <Ian> ...am here to help with interop of this work and ISO20022
23:52:47 <Ian> ...Also Vincent Kuntz will be the primary WG participant (and I will be the primary IG contact)
23:53:01 <Ian> Rouslan: I work on Chrome team
23:53:12 <Ian> Jiangtao: I am from Huawei
23:53:29 <Ian> Zephyr: From Alibaba...hope to contribute from PSP perspective in China
23:53:45 <Ian> Yaso: I I wear 2 hats...W3C Brazil Office and also representing NIC.br
23:53:54 <Ian> ....steering committee of internet in Brazil
23:54:10 <Ian> ...I want to help contribute to the standard and also its deployment in Brazil.
23:54:27 <Ian> @@: Am here from Samsung Pay
23:54:47 <dwim_> s/@@/Dongwoo/
23:54:52 <Ian> @@: Also observing from Samsung.
23:54:57 <dwim_> and, work for Samsung browser team
23:55:05 <Ian> ...we'll discuss with the payments team
23:55:18 <nick> nick has joined #wpwg
23:55:18 <dwim_> s/@@/Jungkee/
23:55:31 <Ian> Laurent_Castilo: Gemalto...we are interested in standardizing APIs for easier payment instrument integration
23:55:40 <Ian> Nick_S: I am from Apple.
23:55:54 <Laurent> Laurent has joined #wpwg
23:56:09 <Ian> NickTR: Over the next couple of days we will be looking for volunteer editors, test lead
23:56:17 <Ian> ...think about that as we go along.
23:56:23 <Ian> ...Dinner tonight?
23:57:23 <nicktr> http://www.w3.org/Payments/WG/charter-201510.html
23:58:40 <Ian> Nick: Good to recall from our charter that we are standardizing API not UI
23:58:59 <jyrossi> s/oversight in Europe/oversight in France
23:59:04 <Ian> ...having said that, it is reasonable to hope for a more consistent user experience for users
23:59:18 <Ian> ...and also good to remember we are not defining a digital payment scheme.
23:59:36 <Ian> Charter deliverables:
23:59:38 <Ian>  http://www.w3.org/Payments/WG/charter-201510.html#deliverables
23:59:44 <Ian> FPWD expected in March 2016
23:59:59 <Ian> q+
00:00:07 <Ian> ack me
00:00:19 <MattPisut> q+ Deliverable question around registration
00:00:36 <MattPisut> q+
00:00:49 <m4nu> q+ on expectations on implementation
00:01:09 <Ian> IJ: Is "early implementations one year from now" reasonable?
00:01:16 <Ian> (Some nodding)
00:01:17 <Ian> ack MattP
00:01:32 <Ian> Matt: There is not specified in the charter that there is not a way to register a payment instrument
00:01:42 <Ian> (Charter says " Registration: A payment provider requests to register a digital payment instrument for use by the payer.")
00:01:48 <Ian> q?
00:02:09 <Ian> AdrianHB: I think we are going to have to have registration (but not only through a browser)
00:02:31 <Ian> MattPisut: There won't be a way for a DEVELOPER to add a payment instrument
00:02:59 <Ian> Mountie: Data flow will be different depending on whether wallet is on client or server side
00:03:10 <Ian> ...we'll need to be able to talk about registration both client-side and server-side
00:03:24 <nicktr> ack manu
00:03:31 <Ian> m4nu: I think the timeline has a high chance of being unrealistic.
00:03:35 <nicktr> ack M4nu
00:03:35 <Zakim> m4nu, you wanted to comment on expectations on implementation
00:03:44 <Ian> ...given something as complex as payment
00:04:06 <adrianba> q+
00:04:07 <Ian> ...Microsoft is saying we want to ship quickly, and that's great, but we don't want to hinder the viability of the Web Platform for doing payments
00:04:21 <Ian> ...for developed and developing economies
00:04:28 <nicktr> q?
00:04:31 <Ian> ...I want us to be sure to take into account the long-term future
00:04:44 <dezell> q+ to talk about use case structure for "agile"
00:04:52 <Ian> ...so I think the timeline is aggressive, but let's be sure we make good long-term decisions for the platform
00:04:59 <nicktr> ack Adrianba
00:05:23 <Ian> adrianba: Our goal is to iterate. We want to make progress on something useful and expand scope over time
00:05:24 <zkoch> +1
00:05:43 <Ian> NickTR: The scope is deliberately narrow.
00:05:52 <Ian> ...scope increase would involve recharter
00:06:08 <Ian> q?
00:06:17 <nicktr> ack dezell
00:06:17 <Zakim> dezell, you wanted to talk about use case structure for "agile"
00:06:19 <Ian> ack dezell
00:07:01 <jmr> jmr has joined #wpwg
00:07:10 <Ian> dezell: We may need to restructure the use cases to ensure we can shed use cases if we want in order to ship sooner
00:07:22 <Ian> zakim, close the queue
00:07:22 <Zakim> ok, Ian, the speaker queue is closed
00:07:39 <Ian> shepazu: I would not like this WG to spend a lot of time discussing use cases
00:08:50 <Ian> Topic: Capabilites
00:08:55 <Ian> zakim, open the queue
00:08:55 <Zakim> ok, Ian, the speaker queue is open
00:09:31 <padler> https://github.com/w3c/webpayments-ig/blob/master/latest/capabilities/W3C_TPAC_Web_Payments%20Capabilities_IG.pdf
00:10:36 <Ian> padler: I'd like to review the flow and also the thing we are going to work on
00:11:37 <Ian> Quick summary of categories of "capabilities"
00:11:43 <Ian> * Core/security
00:12:00 <Ian> * Identity/Credentials
00:12:41 <Ian> * Accounts and ownership
00:12:44 <Ian> * Clearing and settlement
00:12:46 <Ian> * Commerce
00:12:58 <Ian> padler: We think this framing is important to coordinate work and prevent redundancy
00:13:05 <Ian> ...and reuse of materials that are related to payments in a variety of ways
00:13:24 <Ian> ...e.g., payments may require security or credentials
00:13:34 <Ian> ...I think we will encounter accounts and ownership
00:13:49 <Ian> ...I'm going to send a payment request, where do I get details about accounts and assets in those accounts?
00:13:59 <Ian> ...clearing and settlement is about messages and movement of funds
00:14:09 <Ian> ...last bucket is commerce (discounts, coupons, rewards, invoicing)
00:14:19 <Ian> ...those are more "relationship based" and not directly about transfer of funds
00:14:46 <Ian> Doug: Is this an agreed upon delineation?
00:15:06 <Ian> Pat: Generally, though there may be additional (e.g., UI) or refinement, but generally agreed upon that these are part of the problem space
00:15:18 <Ian> Matt: Cross section of capabilities in the IG and what the WG says
00:15:41 <Ian> ...how will we keep focus?
00:16:00 <Ian> padler: Understanding that the IG is wrestling with other topics and we are also looking at the scope of this WG
00:16:35 <Ian> ...the WG may find it needs something (e.g., related to identity) and can raise the question with the IG to find out who is working on the topic
00:16:57 <nicktr> q?
00:17:30 <m4nu> Ian: One way the IG was coordinating their work - what exists today, what doesn't exist - who should work on it - that's Roadmap, what is capabilities, use cases help refine everything.
00:17:44 <m4nu> Ian: Capabilities help us talk about big vision for Web Payments
00:17:56 <m4nu> Ian: From time to time, we will propose WG charters for gaps in functionality.
00:18:14 <m4nu> Matt: ok, that makes sense - how do we manage the overhead?
00:18:33 <m4nu> Ian: That's the Web Payments IGs job - I don't want IG work to be a burden for the WG. That's not our job here.
00:19:01 <m4nu> NickTR: So, there's a task for the IG to say how capabilities map to Web Payments WG
00:19:15 <m4nu> Ian: Yes, we should figure that out - there is some coordination role.
00:19:49 <m4nu> Matt: So, can we update the charter?
00:19:50 <m4nu> Shane: No
00:20:10 <m4nu> Ian: We will have to adapt how we talk about things in this group based on IG identification of capabilities.
00:20:19 <Ian> IJ: I expect that the WG experience will flow back to the IG to shape our thinking
00:20:34 <nicktr> q?
00:21:16 <Ian> padler: When you think about payments and commerce, the reality is that I may start a transaction in a store and then complete it at home in my browser.
00:21:17 <m4nu> Pat: Series of messages between parties - There are lots of cases where you walk into store, get offer, then leave the store. When I get home, I log into browser, I complete transaction.
00:21:25 <Ian> ...when you think about payments and commerce it's a series of interactions between parties
00:21:37 <Ian> ...I think it's valuable to think about capabilities in terms of communications between 2 parties
00:21:39 <MattPisut> q+
00:21:53 <Ian> ...the WG may have an easier job if we can decompose the flow into smaller 2-party interactions
00:22:06 <Ian> ....and how they fit together...and then we compose them into broader functionality
00:22:26 <Ian> ...so rather than look at use cases end to end (as we do today in the use cases) we want to break down into atomic pieces
00:22:53 <MattPisut> q-
00:23:02 <padler> https://github.com/w3c/webpayments-ig/blob/master/latest/capabilities/images/paygent_connect.svg
00:23:18 <Ian> (Some diagrams)
00:23:31 <Ian> pat: We have wrestled with what to call the "thing we are focused on"
00:23:36 <Ian> ...payment agent, user payment agent, wallet
00:24:13 <Ian> ...originally we thought of a payment agent as an abstract thing that exchange data with other entities (and could be a browser)
00:24:29 <Ian> pat: A wallet is just a specific type of payment agent. So is a car.
00:24:34 <nicktr> q+
00:24:50 <Ian> ...but we could call this "the payer's user agent" or the "PSP's user agent"
00:25:00 <Ian> ...that's useful where you are dealing with things like loyalty coupons
00:25:02 <Ian> ack nick
00:26:12 <nick_s> q+
00:26:22 <mountie> q+
00:26:34 <Ian> pat: I think wallet is not useful for some use cases....think we should have another term but that includes wallet use cases
00:26:35 <Laurent> q+
00:26:38 <CyrilV> q+
00:26:40 <Ian> ...e.g., point of sale terminal.
00:26:55 <m4nu> q+ to stop terminology discussion until we get further along.
00:26:59 <Ian> pat: I think when we are writing specs it becomes more useful....I'm just exchanging point it's not a payment or my wallet, it's a loyalty dialog
00:27:16 <CyrilV> +1 to avoid wallet which is a confusing term
00:27:20 <Ian> IJ: I don't think we are far enough along to motivate this change from our charter
00:27:32 <nick_s> we can’t avoid wallet, it’s *in the charter*
00:27:39 <Ian> AdrianHB: Today is a level-setting day and definitions are part of that...but we have "wallet" in our charter.
00:27:57 <adrianba> q?
00:27:58 <nick_s> q-, adrian has basically addressed what I wanted to say
00:28:03 <nick_s> q-
00:28:11 <Ian> AdrianHB: we are defining things by what they do
00:28:26 <Ian> ...we may decide that there are other functions that wallets have, but not sure that in this WG we need to do more
00:28:27 <nicktr> ack mountie
00:29:08 <Ian> mountie: I don't understand clearly some uses of wallet
00:29:11 <Ian> ...client or server side
00:29:21 <Ian> ...does payment scheme belong to the wallet? to the instrument?
00:29:26 <Ian> ...I think we need some pictures to help
00:29:32 <Ian> q?
00:29:42 <nicktr> ack Laurent
00:29:44 <Ian> ack Laurent
00:30:25 <nicktr> ack CyrilV
00:31:00 <padler> q?
00:31:43 <Ian> CyrilV: we need to be sure to be explicit about different actors
00:32:05 <m4nu> q-
00:32:05 <nicktr> ack m4nu
00:32:11 <Ian> NickTR: I hear that we need more work to agree on terminology
00:32:16 <padler> https://github.com/w3c/webpayments-ig/blob/master/latest/capabilities/images/paygentbase.svg
00:32:37 <Ian> pat: the IG worked early on on functionality
00:32:40 <Ian> ...payer/payee/psp
00:33:18 <Ian> ....we did this categorization
00:33:20 <padler> https://github.com/w3c/webpayments-ig/blob/master/latest/capabilities/images/model_1A_user_agent_pass_thru.svg
00:33:28 <Ian> ...in order to be able to talk about flows in a consistent way
00:33:50 <Ian> (Pat walks through flow diagram)
00:34:42 <CyrilV> q+
00:36:00 <padler> https://github.com/w3c/webpayments-ig/blob/master/latest/capabilities/images/model_1B_out_of_band_proof_of_payment.svg
00:36:57 <Ian> (Different routing option for payment response)
00:37:19 <padler> https://github.com/w3c/webpayments-ig/blob/master/latest/capabilities/images/model_3_P2P_Payment_Proximity.svg
00:37:24 <Ian> (person-to-person)
00:39:18 <m4nu> q+ to focus on simple flows first, then more complex
00:39:41 <m4nu> q+ to focus on minimum viable payment flow, but not loose focus on more complex flows.
00:39:45 <Ian> MattS: The diagrams are helpful...it's important that we as quickly as possible have flows to focus on
00:39:56 <nicktr> ack CyrilV
00:41:50 <zkoch> q+
00:42:21 <m4nu> ack m4nu
00:42:21 <Zakim> m4nu, you wanted to focus on simple flows first, then more complex and to focus on minimum viable payment flow, but not loose focus on more complex flows.
00:42:23 <Ian> ack m4nu
00:42:36 <Ian> m4nu: The flows are helpful but too abstract for me
00:42:42 <Ian> ...I think we should focus on the minimal flow
00:42:52 <Ian> ...understand how it maps to browser API will be helpful
00:42:57 <Ian> ...we should not find every single flow
00:43:07 <Ian> ...we should start on a simple well-known flow like a card payment online
00:43:18 <Ian> ...we should get comfortable with that.
00:43:28 <Ian> ...then people who know other flows (e.g., ACH) works with the API we are coming up with
00:43:31 <kris> q+
00:43:46 <Ian> ack zkoch
00:43:47 <nicktr> ack zkoch
00:44:01 <Ian> zkoch: The flows are nice as test cases.
00:44:13 <Ian> ...I think they are useful and send a signal when the designs don't work with the flows
00:44:17 <padler> q+ to clarify intent of flows..
00:44:37 <Ian> ...also would be useful for our colleagues from Aliababa, CIPO, etc. to let us know about local flows that we are not yet addressing
00:44:51 <Ian> ack kris
00:45:42 <nick_s> q+
00:45:54 <Ian> kris: I agree with Manu..the best way is to come up with our flows and then see if our term wallet still works across these scenarios
00:46:02 <nicktr> ack padler
00:46:02 <Zakim> padler, you wanted to clarify intent of flows..
00:46:30 <Ian> padler: The reason to work on the flows originally was to come up with a consistent taxonomy
00:46:48 <Ian> ...we wanted to be able to focus on specific messages
00:47:21 <Ian> ...it was important to me to have a consistent way to talk about flows
00:47:26 <nicktr> ack nick_s
00:47:28 <Ian> ack nick_s
00:47:48 <Ian> nick_s: We did define what wallet means in the charter; I'm wary about changing those definitions
00:48:47 <Ian> (Review charter goals)
00:49:04 <padler> q+ to comment on slide..
00:49:14 <Ian> (Review of benefits we expect as well from the solution)
00:50:04 <Ian> AdrianHB: A payment instrument is a thing with an API, that has execution logic.
00:50:19 <Ian> ...it may store credentials....but it can be communicated with
00:50:24 <Ian> ..it is a front for a payment service provider
00:50:36 <CyrilV> q+
00:51:15 <nicktr> ack padler
00:51:15 <Zakim> padler, you wanted to comment on slide..
00:51:44 <nick_s> nick_s has left #wpwg
00:51:48 <nick_s> nick_s has joined #wpwg
00:52:17 <Ian> AdrianHB: "Roles" rather than actors. So "role of wallet" may be taken on by various actors
00:52:45 <nicktr> ack CyrilV
00:52:50 <wonsuk> wonsuk has joined #wpwg
00:53:14 <Ryladog> +1 to Adrian's point
00:53:18 <nick_s> q+
00:53:19 <Ian> Cyril: W3C should not revisit 20 years of terminology in the financial services industry
00:53:38 <Ian> ...payment schemes include rules
00:53:52 <jyrossi> q+
00:53:59 <Ian> ...I strongly disagree with the definitions that Adrian has in his slides
00:54:08 <Ian> ...people will look at us and say "They don't understand payments"
00:54:14 <Ian> ..and people will look at the work and not understand it.
00:54:34 <m4nu> q+ we're in a terminology discussion again, we should stop and move on
00:54:47 <m4nu> q+ to say we're in a terminology discussion again, we should stop and move on
00:54:52 <Ian> AdrianHB: We need definitions for the roles of components in our system
00:56:22 <Ian> NickTR: There is still work to do on terminology
00:56:28 <nicktr> ack nick_s
00:56:33 <Ian> Cyril: I'm ok with the definitions in the charter; not Adrian's paraphrasing
00:56:41 <mountie> q+
00:56:50 <nicktr> zakim, close the queue
00:56:50 <Zakim> ok, nicktr, the speaker queue is closed
00:56:52 <Ian> nick_s: the end goal is to define standards for users, which here is end users of the web, developers, financial institutions.
00:57:02 <Ian> ...they all have differing definitions...and I think it will be difficult to satisfy everyone.
00:57:19 <Ian> ...in Apple pay we expose the term "payment instrument" but it can be confusing for some
00:57:39 <rbarnes> rbarnes has joined #wpwg
00:57:45 <nicktr> ack jyrossi
00:57:47 <padler> +1 to Nicks point
00:57:58 <Ian> jyrossi: I am wary of Adrian's definitions...can be misleading
00:58:13 <Ian> jyrossi: payment scheme implies rules
00:58:47 <Ian> AdrianHB: Let me explain how I got to these points...in the charter we talk about a payment request that comes from the merchant, and lists the payment schemes that are accepted by the merchant.
00:59:14 <Ian> ...I am trying to simplify for some audiences (perhaps oversimplifying)
00:59:22 <Ian> q?
00:59:26 <nicktr> ack m4nu
00:59:26 <Zakim> m4nu, you wanted to say we're in a terminology discussion again, we should stop and move on
00:59:43 <nicktr> ack
01:00:23 <nick_s> I am not totally sure we can suspend disbelief of definitions for the next two days if we plan to discuss messaging and architecture in those two days, they seem rather intertwined
01:00:31 <nick_s> …as loathe as I am to spend any more time discussing it
01:00:43 <MattPisut> q+
01:01:00 <MattSaxon> +1 to Nicks point
01:01:13 <Ian> <Break>
01:01:14 <Ian> q?
01:01:17 <Ian> ack mountie
01:01:25 <Ian> zakim, open the queue
01:01:25 <Zakim> ok, Ian, the speaker queue is open
01:03:06 <wonsuk> wonsuk has joined #wpwg
01:06:46 <AdrianHB> AdrianHB has joined #wpwg
01:08:07 <wonsuk> wonsuk has joined #wpwg
01:27:38 <wonsuk> wonsuk has left #wpwg
01:29:30 <I> I has joined #wpwg
01:30:11 <lbolstad> lbolstad has joined #wpwg
01:31:39 <padler> padler has joined #wpwg
01:32:00 <nick> nick has joined #wpwg
01:32:16 <zkoch> zkoch has joined #wpwg
01:33:00 <rbarnes> rbarnes has joined #wpwg
01:33:46 <Jiangtao> Jiangtao has joined #wpwg
01:37:18 <AdrianHB> AdrianHB has joined #wpwg
01:37:30 <wonsuk> wonsuk has joined #wpwg
01:38:10 <Ian> topic: Proposal from Zach
01:38:40 <zkoch> https://drive.google.com/a/google.com/file/d/0B6Su47MQXuKZdVhwd0sta1NBaE0/view
01:38:53 <rouslan> rouslan has joined #wpwg
01:39:58 <Ian> Zach: I will talk about payment instruments.
01:40:07 <Ian> ...I will talk about them the way users think about them
01:40:12 <Ian> ...I will avoid the word wallet
01:40:19 <Ian> ...I think there are two big goals
01:40:26 <Ian> a) Easier and faster to buy things on the (mobile) web
01:40:31 <CyrilV> could we have the link in the IRC ?
01:40:35 <Ian> b) Bring better, more secure payments to the web platform
01:40:41 <AdrianHB> https://drive.google.com/a/google.com/file/d/0B6Su47MQXuKZdVhwd0sta1NBaE0/view
01:40:41 <Rouslan> one minute
01:41:38 <Rouslan> discourse.wicg.io/t/rfc-proposal-for-new-web-payments-api
01:42:44 <Ian> (Ian note for later based on discussion with MattP on two ways to identify instruments: by name or by class)
01:45:08 <Ian> Zach: This example assumes we will define "visa" as a payment instrument.
01:45:15 <Ian> ...we link payment instruments by domain
01:45:33 <Ian> ...but for some well-deployed schemes we may have shorter strings (e.g., a card network name such as "visa")
01:46:40 <Ian> Kris: I think what you have shown is great,t and the relation to ISO20022 is that the information is already described
01:46:51 <Ian> ...if we don't have these things yet in ISO20022 we can add/extend
01:47:31 <Ian> Cyril: You need a reference to the transaction
01:47:56 <Ian> ...data we don't need to describe here, but is important so that the merchant can map the money they receive to a transaction
01:48:04 <AdrianHB> q+ to make an observation about parameter names
01:48:07 <padler> q+ to clarify remittance data..
01:48:13 <nick> q+
01:48:15 <Laurent> q+
01:48:31 <Ian> ack padler
01:48:31 <Zakim> padler, you wanted to clarify remittance data..
01:48:35 <zkoch> zkoch has joined #wpwg
01:49:07 <Ian> padler: Remittance data about the payment...it's where a lot of legacy systems don't allow passing that payment...it turns out to be critical to pass it along with the payment
01:49:46 <padler> correction.. remittance data is information about the payment and what it is for... not the payment itself..
01:50:04 <Ian> Zach: I am not sure we need it...but let's come back to it
01:50:09 <Ian> ack AdrianHB
01:50:09 <Zakim> AdrianHB, you wanted to make an observation about parameter names
01:50:26 <Ian> AdrianHB: You've got two params: supported instrument and also "scheme data"
01:50:34 <nick> q- later
01:50:36 <Ian> ...we are going to have to figure out which is which
01:50:42 <Ian> Zach: Point taken
01:50:43 <Ian> q?
01:51:02 <Ian> Laurent: I love the proposal but have some feedback....
01:51:12 <nick> I will wait until after the next few slides
01:51:25 <Ian> (We decide to go through the whole presentation)
01:51:46 <Ian> Zach: First example is simple but there's no communication channel between browser UI and the app
01:51:54 <Ian> ...suppose we want to include address which affects price
01:52:02 <Ian> ...we need to enable the merchant to update the request
01:52:11 <Ian> ...so in the next example we have 2 promises
01:52:31 <Ian> ...original promise returns an object...that object supports events
01:52:40 <Ian> ..the user agent can alert the merchant that something took place
01:52:51 <Ian> ...there are methods the merchant can call to update the original request
01:53:05 <Ian> ...so there is a communications channel between merchant and user agent
01:53:16 <Ian> ...where there is support for events and callbacks
01:53:33 <Ian> ...you can imagine a world where there is a paymentInstrumentChange event and the merchant could update the price based on the selection
01:53:44 <zkoch> zkoch has joined #wpwg
01:54:09 <Ian> ...the second promise is the instrument response promise
01:55:11 <Ian> IJ: So promise 1 is unlimited number of events; promise 2 is the "last thing that is really needed by the merchant"
01:55:13 <Ian> Zach: Yes
01:55:23 <Ian> (Review of flow from a high level)
01:55:53 <Ian> ....first promise has any events (not just shipping address; could be any)
01:55:57 <I> q?
01:56:05 <Ian> ...there's a thing on the diagram "scheme-specific payment auth"
01:56:07 <I> q+
01:56:29 <Ian> ...from the perspective of our API, we don't care how auth happens
01:57:59 <Ian> Zach: Assumption here that the merchant and payment instrument have a relationship and the merchant understands how to parse the response
01:58:04 <Jiangtao_> Jiangtao_ has joined #wpwg
01:58:24 <Ian> Pat: the user agent doesn't care about how the payment method is implemented behind the scene, but does need to know how information goes back and forth.
01:58:38 <Ian> ...I would use the phrase "payment method" not "payment instrument"...
01:58:47 <Ian> Zach: +1 to continued work on the terminology
01:59:27 <Ian> (nodding about term "payment method")
01:59:32 <jyrossi> q+
02:01:10 <Ian> Zach: So the merchant is waiting for the response...they have the reference to the original request....so that's why it's not clear to me that you need additional transaction data.
02:01:25 <Ian> ...since the merchant is waiting around for a response to the original request.
02:01:51 <MattPisut> q+ to hear Alibaba's response to the proposal
02:02:04 <Ian> Zach: there are methods for registering payment instruments....I propose we use a manifest file.
02:02:18 <Ian> Manifest for a web application
02:02:23 <Ian>     http://www.w3.org/TR/2015/WD-appmanifest-20150921/
02:02:32 <Ian> We could also expose registration API on the merchant's web site
02:02:36 <Ian> ...we do this all the time in user agents.
02:02:49 <Ian> ...the user agent can choose to honor or not
02:03:01 <Ian> ...the site can request to install the payment instrument and the user can say yes or no
02:03:14 <Ian> ...I think we  should standardize ubiquitous responses like credit cards
02:03:27 <Ian> ...that way merchants don't have to account for PANs in different ways
02:03:40 <Ian> ....in the base case, a payment instrument could be an embedded iframe
02:03:49 <Ian> ...works in all browsers and platforms
02:03:55 <Ian> ....Some open questions at the end of the presentation
02:04:05 <Ian> q?
02:04:07 <Ian> ack Laurent
02:04:15 <kris> q+
02:04:18 <Ian> ack nick
02:04:25 <CyrilV> q+
02:04:36 <m4nu> q+ to ask about "addresses" being credentials
02:04:50 <Ian> nick: How do we let merchants know that instruments are available before the payment request?
02:05:01 <Ian> Zach: I suppose you could return a boolean and stay privacy sensitive.
02:05:24 <Ian> Nick: Standardizing credit and debit may be interesting...but please note that some methods are ubiquitous in the west but not everywhere
02:05:51 <Ian> AdrianHB: The charter lets us focus on debit and credit cards (as a Note)
02:06:08 <Ian> Nick: Could you speak to why this is a javascript only approach rather than any markup.
02:06:17 <zkoch> zkoch has joined #wpwg
02:06:23 <ShaneM> q+ to talk about doing JS first; declarative later
02:06:27 <Ian> Zach: I think you could easily do this as a declarative approach...I don't have a strong opinion about it.
02:06:34 <MattSaxon> q+
02:06:41 <Ian> ...I think programmatic access will be common for developers
02:06:51 <Ian> NIck: I don't think we need to choose one or the other
02:06:53 <Ian> ack I
02:07:19 <Ian> Mountie: If the payment process takes multiple days, or if payment happens in multiple steps, then your suggest does not cover those scenarios
02:07:27 <Ian> ...do you think that the payment instrument is bound to one domain?
02:07:41 <Ian> ...not clear that binding payment instrument to domain a good idea
02:08:14 <Ian> ...third comment - you mentioned iframes. But iframe may not be enough for security (e.g., keyjacking, etc.)
02:08:41 <Ian> Zach: I think that the 3Dsecure case may not be part of this API...we should sit down and walk through the flows
02:08:58 <Ian> ...and if the approach does not accommodate flows we should adjust the proposal.
02:09:31 <Ian> ...we can also talk about iframes special cased by the browser
02:09:50 <Ian> ...regarding binding methods to domain names, a method may accept multiple schemes
02:09:56 <Ian> ...we might want to accommodate that
02:10:12 <Ian> ..as to the domains themselves, I don't know how to do this outside of domains.
02:10:18 <zkoch> zkoch has joined #wpwg
02:10:29 <Ian> Mountie: Blockchain?
02:10:37 <Ian> Zach: Please suggest this as an issue on the github page
02:10:42 <Ian> ack j
02:10:50 <ShaneM> q- ShaneM
02:10:52 <adrianba> -> https://github.com/WICG/paymentrequest/issues GitHub issues page
02:11:11 <Ian> jyrossi: I like the proposal. The only thing that makes me a bit uncomfortable has to do with trends in how merchants do payments...growing risk that payment could be revoked.
02:11:25 <Ian> ...in the drawing there is one go-and-return
02:11:41 <Ian> ...due to the growing risk that the payment could be revoked, the payment instrument is providing some kind of insurance solutions
02:11:44 <Ian> ...but they are costly
02:11:52 <Ian> ...merchants are mitigating between paying for insurance or taking risk
02:12:05 <Ian> ..if you integrate such a capability, you won't have just one round trip, you'll have two
02:12:48 <Ian> Zach: Suggest you add that to the issues list
02:12:52 <Ian> q?
02:12:57 <Ian> ack MattPisut
02:12:57 <Zakim> MattPisut, you wanted to hear Alibaba's response to the proposal
02:13:12 <Ian> Matt: Thanks, I think the proposal makes a lot of sense.
02:13:22 <mountie> mountie has joined #wpwg
02:13:26 <Ian> ...for payment providers like AliPay and PayPal where there is a redirect
02:13:47 <Ian> ...in AliPay case, the funds are captured at that point; PayPal can work that way as well
02:14:02 <Ian> ...I hear in the proposal that you say "Go do AliPay as usual" and the merchant would do that experience as today
02:14:13 <Ian> Zach: I can think of multiple ways to approach this question given this architecture
02:14:19 <Ian> ...e.,g they could transfer funds immediately
02:14:37 <padler> q+ to build on Matt's question and tie it back to the flows discussed earlier..
02:14:40 <Ian> ...they could also do something where they authorize funds, generate a key, send back to the merchant, and the merchant does something with their private key
02:14:44 <Ian> MattPisut: +1
02:16:28 <nicktr> ack kris
02:16:28 <Ian> ack Kris
02:16:55 <Ian> Kris: I would like to see whether we are going to use markup
02:17:12 <Ian> AdrianHB: The purpose of today is to put all the information we've gathered on the table ... get ideas together
02:17:23 <Ian> ...and record questions
02:17:27 <adrianba> rrsagent, make minutes
02:17:27 <RRSAgent> I have made the request to generate http://www.w3.org/2015/10/28-wpwg-minutes.html adrianba
02:17:40 <Ian> zakim, set logs public
02:17:40 <Zakim> I don't understand 'set logs public', Ian
02:17:49 <Ian> rrsagent, set logs public
02:18:53 <adrianba> Meeting: Web Payments Working Group F2F
02:19:05 <Ian> shepazu: A good thing to do is write an alternate proposal if you think you have different perspectives
02:19:07 <Ian> q?
02:19:08 <nicktr> q?
02:19:16 <evanschwartz> evanschwartz has joined #wpwg
02:19:29 <Ian> Group's mailing list -> https://lists.w3.org/Archives/Public/public-payments-wg/
02:19:42 <Ian> NickTR: We need to talk over the next couple of days about how we are going to work operationally
02:19:56 <Ian> q?
02:19:59 <Ian> ack Cyril
02:20:01 <nicktr> ack CyrilV
02:20:26 <Ian> CyrilV: We need a trace of consent to pay and consent to deliver.
02:20:33 <Ian> ...so I think we need to have transaction information
02:21:16 <Ian> ...I think we need in at least some schemes that we will need transaction information for merchants (e.g., for accounting)
02:21:20 <Laurent> q+
02:21:38 <Ian> ....I also want to see flow of credit transfer (and also direct debit)
02:23:22 <nicktr> ack m4nu
02:23:22 <Zakim> m4nu, you wanted to ask about "addresses" being credentials
02:23:45 <Ian> m4nu: Overflow idea, promise-based...love it
02:24:03 <Ian> ...some things seem to me to be the space of credentials
02:24:15 <Ian> ...such as address
02:24:23 <Ian> ..there's shipping address, billing address, proof of age, etc.
02:24:25 <nick> nick has joined #wpwg
02:24:29 <nick> q+
02:24:34 <Ian> ...if we start working on that stuff, it distracts this group from setting up the payment
02:24:44 <schuki> schuki has joined #wpwg
02:24:50 <Ian> AdrianHB: There's a note for discussion about securing data
02:24:52 <Laurent> +1 to Manu, plus it's User credentials, we already have to care about merchant and instruments credentials
02:24:54 <schuki> present+ schuki
02:24:55 <nick> I believe addresses are absolutely within this group’s purview and should not be left to the credentials CG
02:25:09 <Ian> m4nu: There's a lot of JSON being suggested; messages need to be extensible however.
02:25:23 <Ian> ...merchants and payment schemes wants something that is extensible.
02:25:23 <kris> kris has joined #wpwg
02:25:41 <Ian> ...one way at W3C to do this is to use a registry, another is to use the linked data approach; we will need to discuss
02:26:13 <Ian> Zach: I want to address shipping address since so critical. I expect that we will have to address extensibility (though I think JSON is extensible)
02:26:15 <nicktr> ack MattSaxon
02:26:32 <ShaneM> As to payment address - it is one of many things that a merchant might request.  The API should have a way for a merchant to request X
02:26:37 <Ian> MattS: I like the flow.
02:27:05 <Ian> ...question about instrument response -is there an option for the merchant to say "I don't like this response"; I think that's important to the merchant
02:27:36 <Ian> Zach: that's not part of this proposal; one assumption of the system is that if you choose to support a payment method you are expected to support what you get back
02:28:54 <Ian> Discussion point: PSP declines a transaction...there's an authorization failure
02:29:09 <Ian> MattS: Question is whether the user agent has a response in the case of authorization failure
02:29:36 <Ian> Zach: After you submit a request in android pay, there's a way for android pay to take action..the more I think about this, the more I think this is a good question.
02:29:50 <Ian> MattS: There could be some magic on the merchant side that we should be discussing
02:29:58 <Ian> Zach: I can see an optional layer.
02:30:01 <CyrilV> q?
02:30:33 <Ian> adrianba: We should differentiate in the flow diagram between the the merchant on the server side...and ...
02:30:59 <Ian> AdrianHB: I think the standard doesn't have to tell the merchant what happens next; the merchant can decide...but it could be in scope to discuss
02:31:08 <adrianba> We should clarify the flow diagram in Zach's proposal to differentiate between the web page that calls the paymentRequest method and the service side communication
02:31:09 <Ian> MattS: On delegation....
02:31:27 <Ian> ...I'm wondering whether your flow allows the response to be proxied.
02:31:30 <Ian> Zach: Right now; no.
02:31:47 <Ian> ...I don't think that it's in our best interest to interject ourselves into that relationship
02:32:00 <Ian> MattS: I think that delegates a lot of work to the merchant; but many merchants prefer simplicity
02:32:12 <Ian> ...I think we need to look at how the merchant interface needs to be delegated to the PSP
02:32:41 <nicktr> ack padler
02:32:41 <Zakim> padler, you wanted to build on Matt's question and tie it back to the flows discussed earlier..
02:32:43 <Ian> We now have on the white board for flows:
02:32:46 <Ian> - credit card
02:32:48 <Ian> - credit transfer
02:32:51 <Ian> - Alipay
02:32:53 <Ian> - direct debit
02:32:54 <padler> https://github.com/w3c/webpayments-ig/blob/master/latest/capabilities/images/model_1A_user_agent_pass_thru.svg
02:32:57 <Ian> - Proxy flows for PSPs
02:33:01 <Ian> - 3DSecure
02:33:29 <Ian> padler: We are trying to fix that the user does not need to send details to merchant's back end to be paid
02:33:51 <Ian> ...whether the PSP is locally invoked or remote, that seems to be the first delineation
02:34:21 <Ian> ...who declines the payment? If I invoke my payment processor and my payment processor says no, I need as a user to be able to choose an alliterative instrument.
02:34:55 <Ian> padler: how do I reply that the payment was successful? Is it from the browser? Or do I provide enough information so that the payment service provider can send information directly back to the merchant?
02:34:57 <padler> https://github.com/w3c/webpayments-ig/blob/master/latest/capabilities/images/model_1B_out_of_band_proof_of_payment.svg
02:35:06 <nicktr> q?
02:35:16 <nicktr> zakim, close the queue
02:35:16 <Zakim> ok, nicktr, the speaker queue is closed
02:35:24 <Ian> padler: It feels to me the key delineation is: (1) how do we prep the payment (2) how do we @@
02:35:29 <Ian> ack Laurent
02:35:57 <Ian> Laurent: I think we also need to have a flow where the instrument response goes back to the merchant on the server side
02:36:08 <Ian> ...I am thinking of the base credit card use case
02:36:27 <Ian> Zach: I think that this proposal accounts for that...we need to whiteboard the flows
02:36:56 <Ian> Laurent: Do we want to normalize these flows or just use them as examples?
02:37:10 <Ian> ...what I like in this proposal is that there are a lot things left to the merchant side
02:37:20 <nicktr> ack nick
02:37:29 <Ian> ...but need people in industry to understand what are examples v. normative
02:37:40 <Ian> nick: Re shipping address..I think it's important and should be part of this group.
02:37:48 <Ian> ...when I say it's not always a credential.
02:37:58 <Ian> ...address is a transient location...
02:38:10 <Ian> ...I think we need to cover card payments and billing address is required
02:38:13 <padler> +1 to comment abt transient location being important..
02:38:25 <zkoch> Github issues page: https://github.com/WICG/paymentrequest
02:38:27 <ShaneM> FYI there are terms in the schema.org vocabulary that we should be able to take advantage of.
02:38:27 <Ian> ...we'll need to define something for address; I don't want to wait for a group that's not yet be chartered
02:38:31 <zkoch> Post issues there so we can keep track and think about :)
02:38:48 <MattSaxon> +1 for Nick's address point
02:38:52 <Ian> ShaneM: Some of those things are special cases of a more general activity
02:38:59 <Ian> Nick: Agreed.
02:39:05 <Ian> topic: Manu's proposal
02:39:08 <m4nu> Credentials CG Proposals: https://docs.google.com/presentation/d/1Zx-wbg_vxsEuRInM64Y4xm7SdO_E6KO_qQ8abSExFkU/edit
02:39:13 <Ian> s/Manu's/Web Payments CG
02:39:19 <Ian> rrsagent, make minutes
02:39:19 <RRSAgent> I have made the request to generate http://www.w3.org/2015/10/28-wpwg-minutes.html Ian
02:39:32 <Ian> m4nu: Lot of agreement between this proposal and Zach's
02:39:36 <Ian> ...the general form of the API
02:39:44 <Ian> ...I will focus on the points that are not as aligned
02:40:16 <Ian> ...the CG has been working for 4+ years...this proposal is the latest thinking
02:41:51 <Ian> (Manu walks through presentation)
02:42:18 <ShaneM> There are also lots of E-Commerce vocabulary items at http://purl.org/goodrelations/
02:42:47 <Ian> https://web-payments.org/specs/source/web-payments-messaging/#message-formats
02:43:24 <CyrilV> q+
02:43:30 <Ian> zakim, open the queue
02:43:30 <Zakim> ok, Ian, the speaker queue is open
02:43:33 <Ian> q+ CyrilV
02:43:59 <slightlyoff> slightlyoff has joined #wpwg
02:44:00 <Ian> m4nu: The examples show that there's a URI for the service for handling payment requests
02:44:12 <gjaya> gjaya has joined #wpwg
02:44:57 <Ian> m4nu: The point is that different organizations would specify what the data is necessary for different instruments
02:45:30 <Ian> m4nu: Next we look at payment request initiation data blobs
02:45:59 <Ian> ...merchants can include whatever information they want into the message
02:46:11 <Ian> ...there's a digital signature at the end
02:46:21 <MattSaxon> q+
02:46:32 <ShaneM> Currency names are in ISO 4217; Country codes are in ISO 3166
02:46:34 <Ian> ...you shouldn't be able to tamper with the message
02:47:28 <ShaneM> ... note that if we have weird currency names that are outside of ISO 4217, maybe they could be scoped (ala CURIEs)
02:47:31 <Ian> ...there's another example of a request with multiple accepted schemes
02:48:03 <Ian> ...there's a longer example of an ISO20022 payment request that can be translated directly to XML
02:48:03 <nicktr> of course BTC would not be a currency in ISO world
02:48:21 <mountie> q+
02:48:24 <Ian> m4nu: So we have extensible messages; the routing is the domain of the APIs
02:48:27 <nicktr> ack CyrilV
02:48:28 <zkoch> q+ to clarify where/how money transfer takes place compared to other proposal
02:49:16 <dezell> q+ to ask about paymentCompleteService.
02:49:20 <Ian> Cyril: You need more information than "Visa' you need information about the bank that issues the visa
02:49:26 <Ian> ...you have a "Barclay's Visa"
02:50:49 <Ian> Cyril: Note that ISO20022 is not a scheme
02:50:57 <Ian> ...it's EPC
02:51:40 <Ian> ...so you need the scheme but also the issuer
02:51:44 <Ian> q?
02:52:01 <Ian> s/EPC/SET
02:52:41 <Ian> q?
02:53:18 <Ian> Cyril: Things to taken into account...timeout (e.g., bitcoin request)
02:53:23 <Ian> ...there are periods of uncertainty
02:53:25 <Laurent> q+
02:53:29 <Ian> ...to have a more concrete consent to pay
02:53:36 <kris> q+
02:54:06 <Ian> ack MattS
02:54:25 <Ian> CyrilV: Signature works for me as a form of consent
02:54:46 <Ian> MattS: Let's look at example in 2.1
02:55:18 <Ian> ...the payment request service ... is the intention is when I want to authorize I go to pay.example.com ?
02:55:38 <Ian> m4nu: Potentially.
02:56:02 <Ian> MattS: I'm happy with a non-specific response.
02:56:51 <Ian> Mountie: We need to discuss same origin policy
02:56:54 <Ian> m4nu: Agreed
02:56:57 <nicktr> ack zkoch
02:56:57 <Zakim> zkoch, you wanted to clarify where/how money transfer takes place compared to other proposal
02:57:05 <Ian> Zach: Are you taking a stance on when money is transferred?
02:57:07 <Ian> m4nu: No.
02:57:08 <nick> q+
02:57:11 <mountie> ack mountie
02:57:13 <nicktr> ack mountie
02:57:36 <Ian> m4nu: In the REST case, it could be that this URI is where you send the request. But in a promise-based flow the data you provide could be other.
02:57:54 <Ian> ...so there is no stance...the data that is provided is whatever people need to provide
02:58:08 <Ian> AdrianHB: Could be, for example, UI to display....
02:58:18 <nicktr> ack dezell
02:58:18 <Zakim> dezell, you wanted to ask about paymentCompleteService.
02:58:19 <Ian> q?
02:58:26 <dezell> ack me
02:59:00 <nicktr> ack Laurent
02:59:07 <Ian> m4nu: Payment complete service could be a service where you post information
02:59:28 <nick> I’m happy to wait
02:59:46 <Ian> m4nu: Message format takes some positions:
02:59:47 <CyrilV> q+
02:59:49 <Ian>  - not xml-based
03:00:05 <Ian> ...even though the financial service industry is powered by XML
03:00:27 <Ian> ...JSOn-based messages...extensibility is vital
03:00:36 <Ian> ....we want to future proof the solution
03:00:43 <Ian> ...JSON-LD provides an extensibility story
03:00:59 <Ian> ...communication is HTTPS only
03:01:39 <Ian> ...we need to make sure that we support card, bitcoin, ACH, SEPA, etc.
03:01:51 <Ian> ...we may also want to support non-scheme digital signatures
03:02:02 <MattSaxon> q+
03:02:08 <Ian> ...for things like offers of sale or invoices which we may pick up when we start work on ecommerce things
03:02:15 <zkoch> q+ to consider if we want to tie ourselves to a dependency like JSON-LD
03:02:19 <Ian> (Regarding the APIs)
03:03:28 <Ian> * Should be a browser API and a REST API
03:03:43 <Ian> m4nu: the browser API looks like Zach's proposal
03:03:45 <nicktr> +1 for other transport mechanism supports
03:05:04 <Laurent> q+
03:05:20 <Ian> m4nu: When the request is sent to another site...the site needs to be able to say "I've done the interactions I need to do such as 2 factor auth"
03:05:30 <Ian> ..then the PSP or paypal or google wallet or whoever has executed the initiation of the payment
03:05:49 <Ian> ...they put together something we call an "acknowledgment" (of receipt of the request)
03:06:00 <Ian> ...the acknowledgment resolves the promise on the merchant side
03:06:16 <Ian> ...the only thing that really differentiates the two proposals is that:
03:06:19 <shepazu> q+
03:06:19 <Ian>  * We are using linked data
03:06:27 <Ian> * Strong separation between messages and APIs
03:06:29 <Ian> * Signatures
03:06:37 <nicktr> ack kris
03:07:00 <shepazu> q+ to ask about transforming message serializations (JSON, XML)
03:07:09 <Ian> Kris: I think that "supporting ISO20022 messages" is missing apples and oranges
03:07:20 <Ian> ...do you mean "ACH format"
03:07:38 <Ian> ...if so you need to be clearer that we would be creating an ACH-formatted message in the payments sphere which doesn't make sense
03:07:46 <Ian> ..if we are talking instead of payment instruments we need to fix this
03:08:20 <Ian> ..example, we can do ACH-batched transfers at our company, and our hope is that our bank would give us a payment instrument
03:08:38 <Ian> Cyril: There is no ACH method
03:08:56 <Ian> NickTR: In the US it's different; that's the source of confusion
03:09:01 <Ian> Kris: We should clear up slide 5
03:09:29 <Ian> q?
03:09:36 <Ian> ack Laurent
03:10:03 <Ian> Laurent: I wanted to highlight an interesting difference between CG and Zach proposal:
03:10:11 <Ian> ....different prices for different ways to pay.
03:10:16 <Ian> ...that's possible in Manu's proposal
03:10:23 <Ian> ...you may also want to the same for signatures
03:10:40 <Ian> ..the signature itself may depend on the scheme
03:10:40 <mountie> q+
03:10:55 <ShaneM> q+ to suggest that the request could ask for additional information for each scheme in a merchant request
03:10:56 <Ian> m4nu: The proposal is to have two layers : one scheme-specific, but a second one that would come from this group...
03:11:02 <ShaneM> q?
03:11:07 <Ian> ...you can't use scheme specific mechanism for an offer of sale
03:11:08 <nicktr> ack nick
03:11:10 <Ian> zakim, close the queue
03:11:10 <Zakim> ok, Ian, the speaker queue is closed
03:11:26 <Ian> nick: Thanks to m4nu and zach for the proposals. A comment on both. We are missing "Discovery"
03:11:33 <Ian> ...how a server knows that this API is available
03:11:45 <Ian> ...we need to consider that, which brings me to another point: i don't see substantial discussion of privacy
03:11:51 <Ian> ...I'd like to see that in more detail
03:11:59 <Ian> ...how we can avoid these APIs being abused
03:12:08 <Laurent> q?
03:12:13 <Ian> ...eg., in the case of a REST API you could rapidly interest to determine what one has in a wallet
03:12:17 <Ian> ack Cy
03:12:18 <nicktr> ack CyrilV
03:12:59 <Ian> Cyril: I think that we may need signatures everywhere even if we have HTTPS everywhere.
03:13:24 <Ian> ...the message needs to be protected as well
03:13:44 <Ian> ...the message should be signed
03:13:51 <Ian> q?
03:14:21 <Rouslan> Rouslan has joined #wpwg
03:15:03 <Ian> CyrilV: There may be a need for another layer to parameterize how payment happens (e.g., installment)
03:15:09 <Ian> ...lots of merchants ask for that
03:15:35 <Ian> ...and how the user chooses to pay may affect things like fees
03:15:54 <Ian> q?
03:15:56 <nicktr> ack MattSaxon
03:16:03 <ShaneM> building discount capabilities into the payment offer.
03:16:33 <Ian> (More notes on API from Manu
03:16:36 <Ian> - promise-based
03:16:43 <Ian> - browser mediates flow via same origin policy
03:16:52 <Ian> - centralized discovery of payment instruments
03:16:54 <Ian> - polyfillable
03:18:42 <Ian> (Remaining work)
03:18:50 <Ian> - steal from Zach's proposal the good bits
03:19:06 <Ian> - ensure in-scope flows supported
03:19:16 <Ian> - Web Payments REST API spec
03:19:21 <Ian> - Detail discovery and process
03:19:30 <Ian> zakim, close the queue
03:19:30 <Zakim> ok, Ian, the speaker queue is closed
03:20:16 <Ian> MattS: In section 2...4/5/6 indicate differential behavior.
03:20:22 <Ian> ...that's a fundamental difference in the two flows.
03:20:55 <Ian> ...m4nu has different type of behavior based on instrument type built-in
03:21:01 <Ian> ...that seems to be a fundamental difference
03:21:31 <Ian> m4nu: This proposal attempts to support push, pull, and approaches that are in-browser (e.g., built-in bitcoin)
03:21:38 <Ian> ...so this algorithm tries to take that into account.
03:21:51 <Ian> ..the detail in there addresses some of the questions that have been raised.
03:22:04 <Ian> MattS: We need to address this fundamental difference.
03:22:29 <nicktr> ack
03:22:33 <nicktr> ack zkoch
03:22:33 <Zakim> zkoch, you wanted to consider if we want to tie ourselves to a dependency like JSON-LD
03:22:36 <Ian> Zach: The one limit of polyfills is that they limit us in what we can bring in.
03:22:51 <Ian> ...browser has access to some things like secure elements that other software may not have...polyfills may limit us
03:23:05 <Ian> ...second point - when we think about deployment -- dependencies add weight.
03:23:24 <Ian> ...JSON-LD dependency for example.
03:23:36 <Ian> ...I would vote that we take Manu's good ideas and put them in my proposal ;)
03:24:07 <Ian> m4nu: We do want rapid deployment....we don't want to leave browsers out in the cold... polyfills allow older browser support
03:24:30 <Ian> m4nu: I don't think we should propose sem web processing flow blown; I propose that we should provide hooks for extensibility
03:24:36 <Ian> q?
03:24:37 <nicktr> ack shepazu
03:24:38 <Zakim> shepazu, you wanted to ask about transforming message serializations (JSON, XML)
03:25:19 <Ian> shepazu: Should we factor out serialization (and, e.g., be able to provide an XML serialization)?
03:25:23 <CyrilV> q+
03:26:24 <nicktr> ack mountie
03:26:29 <Ian> ack mountie
03:26:47 <Ian> Mountie: Character encodings are important wrt signatures
03:27:10 <Ian> M4nu: JSON-LD is Unicode-based
03:27:19 <Ian> q?
03:27:34 <nicktr> ack ShaneM
03:27:34 <Zakim> ShaneM, you wanted to suggest that the request could ask for additional information for each scheme in a merchant request
03:28:24 <Ian> ShaneM: As the merchant is offering up information about instruments they accept (e.g., variable pricing) it might be additionally interesting to embed other additional information (e.g., merchant is willing to sell it for you at this price if you give them your home address)
03:28:35 <Ian> ...so there might be additional CONDITIONS beyond simply instrument
03:28:41 <Ian> m4nu: that may be a pre-step
03:29:08 <Ian> rrsagent, make minutes
03:29:08 <RRSAgent> I have made the request to generate http://www.w3.org/2015/10/28-wpwg-minutes.html Ian
03:55:31 <rbarnes> rbarnes has joined #wpwg
04:03:34 <kazue> kazue has joined #wpwg
04:07:38 <ShaneM> ShaneM has joined #wpwg
04:15:24 <LJWatson> LJWatson has joined #wpwg
04:18:24 <rbarnes> rbarnes has joined #wpwg
04:19:24 <mountie> mountie has joined #wpwg
04:22:52 <padler> padler has joined #wpwg
04:23:23 <nick> nick has joined #wpwg
04:24:42 <sangjo> sangjo has joined #wpwg
04:27:39 <Rouslan> Rouslan has joined #wpwg
04:31:22 <sangjo> sangjo has left #wpwg
04:32:40 <lbolstad> lbolstad has joined #wpwg
04:33:45 <m4nu> m4nu has joined #wpwg
04:33:47 <Jiangtao> Jiangtao has joined #wpwg
04:34:14 <zkoch> zkoch has joined #wpwg
04:34:41 <CyrilV> q?
04:36:29 <wonsuk> wonsuk has joined #wpwg
04:36:39 <MattPisut> MattPisut has joined #wpwg
04:36:57 <padler> padler has joined #wpwg
04:37:07 <Ian> topic: How to write an API
04:37:14 <joe> joe has joined #wpwg
04:37:21 <Ian> (Various guests from the TAG - Alex Russell, Travis Leithead, Mark Nottingham)
04:37:34 <nicktr> https://w3ctag.github.io/design-principles/
04:37:45 <Ian> alex: The TAG's responsibility is the overall coherence of the Web as a platform
04:37:50 <Ian> ....we collaborate with different WGs.
04:37:51 <kazue> kazue has joined #wpwg
04:37:58 <Ian> ...the earlier we work with you in your design, the better
04:38:09 <Ian> (Dan Appelquist arrives as well)
04:38:26 <Ian> DanA: We're the TAG we're here to help
04:38:47 <jmr> jmr has joined #wpwg
04:38:55 <Ian> ...we've worked with various groups also on joint deliverables
04:39:01 <dezell> dezell has joined #wpwg
04:39:17 <Ian> ...we have expertise in network protocols, javascript, security, etc.
04:39:39 <Ian> ...our offer is "come talk to us" we want to understand the problems you are trying to solve; and tie together APIs with rest of web platform.
04:39:48 <Ian> ...I was happy to see use of promises in early proposals.
04:40:00 <Ian> ...that's an example of where our work attempted to unify otherwise un coordinated bits
04:40:11 <joe> joe has left #wpwg
04:40:13 <Ian> ...use of WebIDL
04:40:30 <sangjo> sangjo has joined #wpwg
04:40:35 <twhalen> twhalen has joined #wpwg
04:40:57 <Ian> (Some discussion about the way things were re: events and callbacks)
04:41:05 <Ian> ...we have a guide now on how to use promises
04:41:12 <Ian> ...by domenic denicola
04:41:28 <Ian> ...I want to say that if you have questions; that's our job
04:41:52 <Ian> -> https://w3ctag.github.io/design-principles/ API Design Principles
04:42:24 <Ian> Alex: Another topic is origin model.
04:42:40 <Ian> ...how various actors in the system interact and where information can/cannot be passed
04:42:45 <m4nu> q+ to ask about high-level concerns around data security, extensibility, data linkability, credentials, decentralized identifiers.
04:42:49 <shepazu> shepazu has joined #wpwg
04:42:50 <Ian> zakim, open the queue
04:42:50 <Zakim> ok, Ian, the speaker queue is open
04:42:54 <m4nu> q+ to ask about high-level concerns around data security, extensibility, data linkability, credentials, decentralized identifiers.
04:43:27 <Ian> Alex: We've also seen high-level APIs....there are so many existing systems where it may be inevitable to have a high-level API
04:43:34 <shepazu> q+ to ask about message format, and security of polyfill
04:43:45 <Ian> ...high level solutions may not serve people
04:43:46 <AdrianHB> q+ to ask about the interaction model on different platforms
04:44:01 <Ian> ...it's important to have the conversations early about extensibility
04:44:02 <nicktr> q+ to ask about pre-requisites for good new APIs
04:44:18 <sam> sam has joined #wpwg
04:44:26 <Ian> ...we worry about the tension between the audio element, for example and "Web Audio"
04:44:37 <zkoch> q+
04:44:38 <jyrossi> jyrossi has joined #wpwg
04:44:41 <kris> q+
04:44:41 <nicktr> ack manu
04:44:48 <nicktr> ack m4nu
04:44:48 <Zakim> m4nu, you wanted to ask about high-level concerns around data security, extensibility, data linkability, credentials, decentralized identifiers.
04:45:31 <Ian> m4nu: There are a number of high-level concerns around data security. I think there's a unified response to security on the web today which is "use JOSE"
04:45:36 <lbolstad> lbolstad has joined #wpwg
04:45:48 <Ian> Alex: there are many people who think that's a good thing to do, but some people who think it's too complicated
04:46:04 <Ian> Manu: We are potentially going to hit that problem head-on...
04:46:21 <Ian> ...there are many different types of extensibility, e.g., linked data, data extensibility
04:46:49 <Ian> ...I don't know if the TAG has any recommendation about how to look at data extensibility
04:47:10 <Ian> ...when is it ok to have linkability in the platform?
04:47:24 <Ian> Alex: Our general discussion tends to revolve around "who the origin is"
04:47:29 <Ian> ...the web platform really has one security model
04:47:36 <Ian> ...this causes real chafing
04:47:48 <Ian> ..it's got weird grandfathered in behaviors
04:48:05 <Ian> ...the more than you can think about "who as an origin did that map back to?"
04:48:32 <Ian> ...reducing the questions to origins lets you treat it as an API question and let the browser handle the social aspect
04:48:45 <yaso> yaso has joined #wpwg
04:48:55 <Ian> ...promises, because they are asynchronous, you can ask the system or the user to make a choice about whether information can be shared
04:49:09 <Ian> ...e.g., requests for geolocation...those being async are important.....
04:49:27 <Ian> ...the architectural principle is "Where you are not sure what should happen, keep things asynchronous."
04:49:55 <Ian> m4nu: There are multiple groups searching for identity/credentials solutions....whether it's possible to authenticate people cross-domain.
04:50:01 <Ian> ...any input from the TAG on that question would be welcome.
04:50:30 <Ian> ...the TAG has an ability to say "this area is a problem and W3C should be spending more time talking about it" more visibly at the consortium.
04:50:47 <Ian> ...there are three groups currently struggling with it...would be nice for the TAG to discuss this.
04:50:55 <nicktr> q?
04:51:10 <Ian> Alex: Yes, where there are multiple groups discussing something, consistency would be a good thing
04:51:20 <Ian> ...one thing we are emphasizing is that it's ok to make local progress.
04:51:22 <sam_> sam_ has joined #wpwg
04:51:27 <Ian> ...don't block on boiling the ocean.
04:51:31 <Ian> ...boil just enough to make tea if you want tea
04:51:34 <Ian> q?
04:51:49 <Ian> ack shepazu
04:51:49 <Zakim> shepazu, you wanted to ask about message format, and security of polyfill
04:53:02 <Ian> shepazu: This morning there were 2 proposals. When I looked at them two diffs that stood out for me were (1) zach did not have a message format proposal [Zach: that is to be fleshed out]
04:54:00 <Ian> Alex: Inside w3c we are not relitigating transport. but there are areas for collaboration, such as out-of-band push notifications
04:54:09 <Ian> ...or working with TC39 on improving WebIDL
04:54:21 <Ian> ...please specify enough to solve the problem.
04:54:29 <Ian> shepazu: What about polyfills?
04:54:39 <mnot> mnot has joined #wpwg
04:54:43 <mnot> q?
04:54:49 <Ian> ...are there security concerns about delegating to a polyfill?
04:54:56 <Ian> Alex: There are up sides and risks to polyfills.
04:54:56 <mnot> q+
04:55:16 <Ian> ...upside is obviously earlier visibility....but the downside is that polyfills can end up with lives of their own
04:55:34 <Ian> ...a polypill that is widely used has risks.
04:55:55 <Ian> ..e.g., early shadow dom polyfills led people to think they were slow, but implemented natively are much faster than other approaches
04:56:13 <nicktr> ack AdrianHB
04:56:13 <Zakim> AdrianHB, you wanted to ask about the interaction model on different platforms
04:56:14 <Ian> ...just beware of downsides of polyfills
04:56:28 <Ian> AdrianHB: I want to throw more specific questions on the table.
04:56:47 <Ian> ..one of the questions that has been thrown around without a clear answer
04:57:01 <Ian> ...we have a narrow scope of what we want to standardize (which does not mean narrow in what we want to consider)
04:57:14 <Ian> ...the standard is for the flow between web site and payment instrument
04:57:30 <Ian> ...how that manifests itself on different platforms will be different (e.g., on mobile may be native app)
04:57:42 <Ian> ...so, e.g., user selection of payment instrument is selection of an app
04:57:51 <Ian> ..but we don't have an elegant way to replicate that in a desktop world.
04:58:00 <Ian> ...how would we achieve the same kind of idea on desktop?
04:58:22 <Ian> ...as a merchant web site I've provided information about ways I can be paid.
04:58:44 <Ian> ...let's say for this example the user agent assesses the list, compares to the list of payment instruments that have been registered, and provides the user with a set of choices.
04:59:07 <Ian> ..the user picks one, there's execution of some logic by the payment instrument (potentially in its own execution environment) and then returns (via a promise) a response.
04:59:13 <Ian> ..in mobile that pattern is quite familiar.
04:59:42 <Ian> ....one proposal for the desktop is the browser gives you a selection UI (thus, rendered by the browser)
05:00:01 <Ian> ...now the payment instrument wants to render some UI...is it sufficient to do so in a frame?
05:00:18 <Ian> Alex: I hear a couple of questions: (1) how much needs to be in the spec (2) if so, how much needs to be specific
05:00:36 <sam> sam has joined #wpwg
05:00:37 <Ian> AdrianHB: The definition of the payment instrument needs to have enough data for whatever the instrument execution environment needs
05:00:48 <Ian> ...so we need enough information (even if as simple as a URL)
05:00:56 <Ian> Alex: In the webplatfomr we are always mapping things back to URLs
05:01:07 <Ian> (Ahh, mention of HTTPRange-14)
05:01:16 <Ryladog> Ryladog has joined #wpwg
05:01:27 <Ian> Alex: You can map pieces of the transaction back to URLs and origins...that makes it easier to talk about "who is doing what with whom and with what data"
05:01:28 <nicktr> q?
05:01:34 <Ian> ...there's a related question about how to do the selection dance
05:01:47 <Ian> ...there are various approaches like protocol handlers, custom url schemes, etc.
05:01:54 <Ian> ...redirecting through the OS to get something
05:02:03 <Ian> ...mobile systems have intent handlers
05:02:15 <Ian> ..those are questions that are a bit out of view from the web platform.
05:02:22 <Ian> ...there have been ideas proposed like web intents
05:02:39 <Ian> ...there is an itch to re-explore that, but my advice today is to not try to solve that problem.
05:02:59 <Ian> ....provide enough information to bootstrap ... but also chart a path forward
05:03:30 <Ian> ...you might uncover latent issues this way ...the exercise is valuable...but I wouldn't get too hung up about harmonized UI across systems
05:03:52 <Ian> AdrianHB: Part of the motivation for the question is that we are looking at things from the perspective of the merchant creating things for their sites and calling this API
05:04:08 <Ian> ...but we are also thinking about how the payment instrument provider gets their instruments to different platforms
05:04:20 <Ian> ...maybe we don't have to SOLVE it but I think we should think about it since it will be part of flow.
05:04:24 <nicktr> ack nicktr
05:04:24 <Zakim> nicktr, you wanted to ask about pre-requisites for good new APIs
05:04:27 <Ian> Alex: I would guess your implementers help address it.
05:04:32 <AdrianHB> AdrianHB has joined #wpwg
05:04:54 <m4nu> q+ to ask about REST APIs
05:05:03 <Ian> nicktr: Given that we are just starting off, are there pre-requisites or patterns based on successful ones
05:05:07 <Ian> MarkN: Implementations
05:05:09 <Ian> Alex: Iteration
05:05:12 <Ian> MarkN: +1 to iteration
05:05:21 <Ian> Alex: You can't design something without implementation.
05:05:27 <Ian> Alex: So just get started.
05:05:56 <Ian> Travis: You also need people to do the work
05:06:01 <Ian> MarkN: Don't boil the ocean
05:06:14 <Ian> ...don't try to accommodate things you don't know.
05:06:26 <nicktr> q?
05:06:53 <Ian> MarkN: Shipping a spec is not a guarantee of success
05:06:56 <nicktr> ack zkoch
05:07:32 <Ian> zach: In our proposal, we took a hacky approach with a promise...we wanted to open a comms channel between browser and merchant, so that when an action takes place we want to emit an event with info that allows the merchant can respond.
05:08:10 <Ian> ...our approach is to have a first promise that returns an event target, that becomes the event target.
05:08:17 <Ian> ...a second promise is the instrument response promise.
05:08:30 <Ian> ...that should work BUT you could imagine a world where events and promises work together.
05:08:33 <Ian> ...any thoughts on this?
05:09:13 <Ian> Travis: I had a brief look at the API. I think you are modeling the right principles on the right syntaxes. Unless you have a strong motivation I think there's probably not a reason to merge concepts.
05:09:41 <Ian> Zach: There are some edge cases where having two promises is overkill...so the solution seems a bit ugly.
05:09:44 <nicktr> q?
05:09:56 <Ian> Travis: We'll stew about this and see if we can come back with something that's a bit better.
05:10:03 <Ian> (Some design on the fly)
05:10:08 <Ian> Alex: Promise is a one-shot response.
05:10:22 <Ian> ...we see this tension all over the place..e.vents have no historical data....
05:10:46 <Ian> Travis: You want to return data back to the platform.
05:11:00 <Ian> ...you are generally responding to a platform event...but here you are also sending data back.
05:11:20 <Ian> Alex: In service works we have "extendable events"...they extend the life of an operation...they also respond to it.
05:11:39 <Ian> ...that's a way of saying "I'm going to give you a value that is either a value or a promise."
05:11:57 <Ian> Zach: If there's a cleaner implementation let me know.
05:12:08 <Ian> ...also AdrianB mentioned other groups that may be looking at that.
05:12:16 <nicktr> ack kris
05:12:40 <Ian> https://w3ctag.github.io/design-principles/
05:13:06 <Ian> Travis: Myself and Domenic are collective authors
05:13:18 <Ian> Kris: With my ISO hat one we are trying to figure out how ISO messages would fit into an API environment.
05:13:23 <Ian> ...I'd like to speak with you separately about it.
05:13:25 <nicktr> ack mnot
05:13:38 <Ian> MarkN: Manu asked about extensibility and I wanted to add to that.
05:13:59 <Ian> ...extensibility has a critical role in what we do (e.g., future unintended uses)...but extensibility can be harmful especially in protocol design
05:14:06 <Ian> ...it can be quite counter-productive.
05:14:13 <Ian> ...there are painful memories of Web Services
05:14:36 <Ian> MarkN: Extensibility can give some players in market extra power
05:14:40 <Ian> ...e.g., "must understand" flags
05:14:49 <Ian> ...OAUTH2 is also a cautionary tale
05:15:04 <Ian> ...you can't use OAUTH2 unless knowing which flavor.
05:15:25 <Ian> ...so be wary of supporting lots of use cases, but then supporting none without some out-of-band shared understanding
05:15:25 <nicktr> ack m4nu
05:15:27 <Zakim> m4nu, you wanted to ask about REST APIs
05:15:54 <Ian> m4nu: We plan to have a browser API but also may need a RESTful API for machine-to-machine communication....
05:16:02 <Ian> ....e.g., car needs to pay automatically at the gas pump
05:16:10 <Ian> ...to my knowledge W3C has not standardized a REST API....
05:16:15 <Ian> shepazu: LDP
05:16:33 <Ian> m4nu: Does TAG have thoughts on RESTful API design?
05:16:44 <Ian> Mountie: What about CSP?
05:17:12 <Ian> MarkN: REST is not well-understood. I would encourage you rather to decide whether you want to use HTTP and just to use it wel
05:17:26 <Ian> MarkN: I'm happy to help with that as well
05:18:06 <Ian> ...there's a list at the IETF coming soon for help on using HTTP with APIs
05:18:20 <nicktr> q?
05:18:37 <Ian> m4nu: Is there anything analogous to IDL for HTTP design for APIs?
05:18:50 <Ian> MarkN: <em>No</em>
05:19:09 <AdrianHB> q?
05:19:09 <Ian> Alex: We don't in the TAG do a lot of it so other communities may be more well-suited
05:19:42 <Ian> padler: Payments touches a lot of things...a number of the flows we can imagine like for IOT will become increasingly important.
05:19:51 <Ian> ...we could in the payments IG use the TAG's help
05:20:07 <kris> q+
05:20:11 <Ian> ...looking at things like identity and credentials, signing messages, confirming people are who they claim to be, ecommerce, etc.
05:20:45 <Ian> Alex; I have the feeling that when it's easy to pay for things in the browser, people will notice
05:21:18 <Ian> ...feel free to ask us for review of whatever you have at whatever stage
05:21:22 <AdrianHB> q+ to ask about declarative requests
05:21:23 <nicktr> q+ to ask wha the process is for that review?
05:21:29 <Ian> zakim, close the queue
05:21:29 <Zakim> ok, Ian, the speaker queue is closed
05:21:29 <adrianba> rrsagent, make minutes
05:21:29 <RRSAgent> I have made the request to generate http://www.w3.org/2015/10/28-wpwg-minutes.html adrianba
05:22:10 <nicktr> ack kris
05:22:31 <Ian> Kris: regarding RESTful design...you (MarkN) sounded mysterious....
05:22:37 <Ian> ....what's a classic misunderstanding?
05:22:58 <Ian> MarkN: In the context of designing an API, "REST" is meaningless. REST is a style. It happens to be modeled on HTTP but it is not HTTP
05:23:16 <Ian> ...the problem is that many people have different ideas of what it means...so not useful to communicate with that word.
05:23:23 <nicktr> ack AdrianHB
05:23:25 <Zakim> AdrianHB, you wanted to ask about declarative requests
05:23:34 <Ian> AdrianHB: The question came up earlier about whether we should be considering declarative ways of doing things.
05:23:42 <Ian> ...e.g., what would be a good way to do something declaratively?
05:24:06 <Ian> Alex: Normal declarative style we see in HTML and CSS...that gets you to a point where you hang information off the DOM
05:24:17 <Ian> ..that has upsides in that you can easily provide UI for something in the DOM
05:24:40 <Ian> ...but it's difficult to both build an API that hangs together as well as the HTML bits...it leaves a lot to come back and do.
05:25:05 <mnot> The blog entry about extensibility I mentioned: https://www.mnot.net/blog/2006/04/07/extensibility
05:25:08 <Ian> Alex: Declarative is great because you don't have to specify much. You can increase what is specified over time. The <audio> element doesn't give us a good way to do processing
05:25:13 <Ian> ....so now we have to go figure it out.
05:25:20 <Ian> ...we are moving more in the direction of APIs
05:25:25 <Ian> ..and e.g., using web components.
05:25:29 <ShaneM>   q+ to point out that starting magical rarely results in an accessibil solution
05:25:31 <Ian> Travis: If you start with an API you allow for experimentation
05:25:32 <Ian> .
05:25:46 <Ian> ....and you can see what arises in the community and then standardize it declaratively later.
05:25:53 <Ian> ....declarative is very portable.
05:25:57 <nicktr> q?
05:26:13 <Ian> Alex; Declarative leaves a lot for interpretation (and some devs like this, but for browser vendors it can be painful)
05:26:37 <nicktr> ack nicktr
05:26:37 <Zakim> nicktr, you wanted to ask wha the process is for that review?
05:26:40 <Ian> ShaneM: I think we are smart to start with an API
05:27:05 <Ian> nicktr: You spoke about asking TAG to review drafts. Is there a practice to getting that review? Or just poke someone on the TAG.
05:27:18 <Ian> https://tag.w3.org/
05:27:23 <rbarnes> rbarnes has joined #wpwg
05:27:33 <Ian> Alex; We are w3ctag on github
05:27:43 <Ian> DanA: Opening an issue in our github repo is the most direct way
05:27:49 <Ian> ...we will address it on our next call
05:27:54 <Ian> https://github.com/w3ctag/spec-reviews
05:28:00 <Ian> Alex: We are using FTF time to review specs
05:28:33 <Ian> rrsagent, make minutes
05:28:33 <RRSAgent> I have made the request to generate http://www.w3.org/2015/10/28-wpwg-minutes.html Ian
05:31:49 <Ian> rrsagent, make minutes
05:31:49 <RRSAgent> I have made the request to generate http://www.w3.org/2015/10/28-wpwg-minutes.html Ian
05:32:49 <Travis> Travis has joined #wpwg
05:32:51 <Ian> topic: Flows
05:33:16 <Ian> (Slide illustrating the scope)
05:34:31 <nick> maybe everyone should just buy an Apple TV for all conference rooms
05:34:39 <Ian> AdrianHB: I want to distinguish Registration from Payment
05:35:15 <Ian> DISCUSSION POINT: Will there be a "register payment instrument" in the API?
05:35:31 <Ian> AdrianHB: There may be other execution environments where the payment instrument may be registered differently
05:35:38 <Ian> (On payment)
05:35:52 <Ian> AdrianHB: the flow we have agreed on at a high level is:
05:35:58 <Ian> - Request form merchant/payee into the browser API
05:36:17 <Ian> - the browser (either performing the role of wallet or talking to wallets) performs "matching"
05:36:27 <Ian> (Adrian prefers "matching" to "discovery")
05:36:44 <Ian> ...effectively taking the accepted methods and matching available instruments
05:36:53 <Ian> ..the matching parameters are not surfaced to the user
05:37:23 <Ian> ...if there's a payment instrument from my bank and it uses Visa and the merchant accepts Visa...it will be surfaced as "Adrian's Bank"
05:37:42 <Ian> MattS: I think both options should be available ("Visa" and "Adrian's Bank")
05:37:51 <ShaneM> q+ to talk about user choice in naming
05:37:56 <Ian> ...I think the flow and the user interface should allow for either "Barclay Card" or "Visa Card"
05:38:01 <Ian> zakim, open the queue
05:38:01 <Zakim> ok, Ian, the speaker queue is open
05:38:11 <ShaneM> q+ to talk about user choice in naming
05:38:19 <Ian> AdrianHB: Suppose I install the "Visa App" and I log into my app and load my cards.
05:38:32 <Ian> ...when I get the choice of which payment instrument, I could get "Visa" as my choice.
05:38:42 <Ian> ...this is more about the brand than trying to give it a name
05:38:47 <padler> q+ to ask about loose coupling of registry..
05:38:55 <Laurent> q+
05:39:18 <slightlyoff> Ian: my comment about declarative was actually opposite: Browser vendors tend to like declarative but it's painful for web developers
05:39:27 <Ian> Cyril: Difference between Visa issued by my bank and visa.me
05:39:36 <Ian> (Whoops. :(
05:39:51 <sangjo_> sangjo_ has joined #wpwg
05:40:11 <Ian> rrsagent, make minutes
05:40:11 <RRSAgent> I have made the request to generate http://www.w3.org/2015/10/28-wpwg-minutes.html Ian
05:40:20 <mnot> mnot has joined #wpwg
05:40:23 <ShaneM> q- ShaneM
05:40:25 <Ian> AdrianHB: So per Cyril's point, how you install the instrument may determine naming
05:40:33 <zkoch> q
05:40:34 <zkoch> q+
05:40:46 <Ian> MattS: I would not limit to how things work currently....there may be examples where we should not over restrict
05:41:11 <nick> q+
05:41:13 <Ian> AdrianHB: I imagine the user being prompted with a choice "Want to use your Visa?" and "Want to use your Barclay Card?" They could hold the same card information
05:41:19 <Ian> MattS: I agree with that.
05:41:23 <nicktr> ack padler
05:41:23 <Zakim> padler, you wanted to ask about loose coupling of registry..
05:41:38 <Ian> padler: The one thing that popped into my mind is the question of where the instruments are actually registered
05:41:51 <Ian> ...are they with the browser? or with a registry service (which holds them for me)?
05:42:03 <Ian> ...the browser can thus either have stuff or ask a service provider for the same information
05:42:24 <Ian> ...I don't want to have to register my card again and again with different devices
05:42:44 <Ian> AdrianHB: Is that an implementation detail or does it impact the API?
05:43:26 <Ian> AdrianHB: We are going to standardize this in the user agent...how it's supported could be an implementation detail....
05:43:41 <ShaneM> q+ to say I dont think we can preclude external resolvers
05:43:41 <sangjo> sangjo has left #wpwg
05:43:44 <Ian> ....I've wrestled with this a fair amount; I don't think we can specify it ... although we could recommend that browsers support services.
05:43:52 <Ian> padler: I like the idea of a hook
05:45:05 <Ian> AdrianHB: The payment instrument is an interface to the payment service provider.
05:45:14 <Ian> ...there is executable logic.
05:45:27 <Ian> ..whether it executes locally or remotely is an implementation detail.
05:47:08 <zkoch> +1 to being browser decision
05:47:10 <m4nu> q+ to ask browser position on local storage or 3rd party storage of payment instruments.
05:47:20 <Ian> rrsagent, make minutes
05:47:20 <RRSAgent> I have made the request to generate http://www.w3.org/2015/10/28-wpwg-minutes.html Ian
05:47:22 <Ian> q?
05:47:49 <Ian> nicktr: It sounds like we have a decision to make whether we make it a requirement or a suggestion
05:48:05 <zkoch> q-
05:48:14 <Ian> DISCUSSION POINT: Do we need to provide a recommendation for how we handle the handoff between user agent and payment instrument?
05:48:26 <Ian> ...for the payment request
05:49:12 <Ian> padler: I suggest we parameterize so that we can make a choice
05:49:12 <brettw> brettw has joined #wpwg
05:49:15 <Ian> q?
05:49:19 <Ian> ack Laurent
05:49:23 <nicktr> ack Laurent
05:49:31 <adrianba> s/^q$//
05:49:49 <Ian> Laurent: One whether payment instruments have execution logic....
05:50:05 <Ian> ...I think the payment instrument is not just one credential; it's also authorization logic.
05:50:14 <Ian> ...there's also payment initiation logic.
05:50:32 <Ian> ..we want to keep the LOGIC outside of the scope of the W3C
05:50:32 <Ian> ...the id part is that which we want to register in to the browser
05:50:37 <Ian> ..that's where the regulatory impact is
05:51:11 <Ian> Laurent: You need to display the brand associated with the authorization logic...that's typically visa for example...in this group we need to provide a way for the browser to COMPUTE this information (even if we don't specify the UI)
05:51:22 <Ian> ...display of authorization logic.
05:52:07 <Ian> THREE THINGS:
05:52:10 <Ian>  - DATA
05:52:11 <Ian>  - RULES
05:52:13 <Ian>  - EXECUTIOn
05:52:21 <ShaneM> q+ to disagree with Laurent about attempting to require that the brand is somehow embedded in what is displayed to the user
05:52:35 <Ian> Laurent: a payment instrument is all three; so we need another name for the "data" part since calling it a "data payment instrument" is a source of confusion
05:52:44 <nicktr> q?
05:52:47 <Ian> ...we need to be able to provide the BRAND of the authorization logic.
05:52:51 <Ian> ...it's important to the user experience
05:52:53 <Ian> q?
05:53:15 <mountie> +1 for Laurent because of SOP.
05:53:20 <Ian> Laurent: When I have to select a visa card through the browser, I want one with visa + my bank brand and visa + visa wallet brand
05:53:22 <nicktr> ack nick
05:53:31 <Ian> nick: I'm not sure if I are with that.
05:53:42 <Ian> ...I don't know whether PayPal wants the visa brand to be the authorization brand
05:53:56 <nicktr> s/I are with/I agree with
05:54:15 <brettw> q?
05:54:21 <brettw> q+
05:55:09 <wonsuk> wonsuk has joined #wpwg
05:56:34 <Ian> Nick: A lot of these discussions are UI-related....it appears to me that the user agent concern themselves with UI is potentially dangerous
05:57:49 <Ian> AdrianHB: Should we allow browsers to unilaterally decide which brand information to display?
05:58:10 <Ian> ...that leaves open situations where, e.g., browser favors its own brand
05:58:15 <nicktr> ack ShaneM
05:58:15 <Zakim> ShaneM, you wanted to say I dont think we can preclude external resolvers and to disagree with Laurent about attempting to require that the brand is somehow embedded in what is
05:58:19 <Zakim> ... displayed to the user
05:58:22 <Ian> (Ian did hear that "display of some brand" is important)
05:58:27 <Laurent> +1 to talk about discovery / matching algorithm in the group
05:59:11 <Ian> Shane: We need expressly to not preclude solutions that lie outside the browser.
05:59:23 <Ian> ...e.g., "Google, you must not preclude me from using a different selection mechanism"
05:59:31 <Ian> (Just to pick on Google as an example)
05:59:33 <padler> +1
05:59:53 <nicktr> ack m4nu
05:59:53 <Zakim> m4nu, you wanted to ask browser position on local storage or 3rd party storage of payment instruments.
06:01:11 <Ian> m4nu: We should very strongly say "This is about user choice."
06:01:34 <Laurent> +1
06:01:40 <nicktr> ack brettw
06:01:44 <padler> +1
06:02:05 <mountie> -1 user consent should be moderated.
06:02:22 <nick> I think it’s a noble goal, but I don’t know if it’s possible for a W3C spec to enforce it in any way
06:02:24 <Ian> Brett: I want to stay away from specifying UI. If a payment instrument is registered with an Android app, the branding would go along with the branding. If we specify a manifest file, then the logo etc. could be part of the manifest file
06:02:38 <kazue> +1 user choice
06:02:40 <dezell> dezell has joined #wpwg
06:02:54 <Ian> Brett: You don't have a canonical representation of a Visa card....you can get a card multiple ways and can't guarantee it will always be displayed the same way
06:03:36 <m4nu> q+ to ask browser position on local storage or 3rd party storage of payment instruments.
06:05:05 <Ian> ack m4nu
06:05:05 <Zakim> m4nu, you wanted to ask browser position on local storage or 3rd party storage of payment instruments.
06:05:06 <nicktr> ack m4nu
06:05:53 <Ian> m4nu: Will browser vendors only implement local storage?
06:05:55 <rbarnes> q+
06:06:10 <Ian> AdrianHB: May depend on platform.
06:06:27 <Ian> ...e.g., on mobile it may happen the way it happens today
06:06:27 <rbarnes> q-
06:06:34 <zkoch> q+
06:07:04 <Laurent> q+
06:07:20 <nicktr> ack zkoch
06:07:27 <lbolstad> q+
06:07:31 <Ian> zkoch: I think it's too early to say
06:07:38 <rbarnes> q+
06:07:42 <mountie> q+
06:07:46 <Ian> ...we'll share when we get to that point..there's too much unknown
06:07:55 <Laurent> q-
06:07:57 <Ian> ...more clarity will come as we make progress
06:08:03 <Laurent> q+
06:08:03 <rbarnes> q-
06:09:26 <Ian> ack lb
06:09:51 <Ian> lars erik: I strongly feel that a specification SHOULD NOT go into detail about how a browser should display something
06:10:06 <sam> sam has joined #wpwg
06:10:11 <Ian> ...the user registers a payment instrument
06:10:23 <Ian> ...wherever I find a manifest file and it "installs in my browser"
06:10:34 <Ian> ...is the idea that this is shared across browsers?
06:10:53 <Ian> m4nu: We want cross browser and cross device.
06:10:57 <nick> cross browser / cross device has, to me, substantial privacy questions that remain unresolved
06:11:15 <Ian> AdrianHB: The manifest file could be stored "somewhere" but not necessarily in the browser.
06:11:23 <nicktr> ack mountie
06:11:25 <Ian> ...the browser could request it from a remote service.
06:11:27 <Ian> q?
06:11:49 <Ian> Mountie: User consent should be moderated
06:12:01 <Ian> ...if the payment instrument is controlled server-side, maybe we need a different UI
06:12:12 <Ian> ..and in that case there may not be the same need for user content.
06:12:36 <Ian> AdrianHB: What is the user consenting to?
06:12:41 <Ian> Mountie: Both registration and payment
06:13:04 <Ian> Mountie: When instrument is controlled user side, then we need agreement on the user via some kind of UI
06:13:20 <Ian> ..but if the instrument is server side (e.g., PayPal) we don't need UI...it's supported via the server.
06:15:25 <Ian> AdrianHB: Potentially there are payment instruments built into the browser, rendered by the browser
06:15:29 <Ian> q?
06:15:44 <m4nu> q+ to note there's a lot of queue jumping.
06:15:53 <Ian> MattS: I think we should allow all the different various rendering options
06:16:13 <Ian> AdrianHB: I want us to explicitly not specify UI...just information that enables whoever will render to do their job
06:16:31 <m4nu> q-
06:16:45 <nicktr> ack Laurent
06:16:48 <padler> q?
06:17:44 <Ian> Laurent: I think we need to consider the use case of when I install paypal and automatically all my credit cards registered with paypal are registered with the browser.
06:18:40 <Ian> Laurent: open question to the group...I could see a potential need for a query to find out whether there is "at least one instrument that matches"
06:18:50 <zkoch> q+
06:19:15 <Ian> AdrianHB: Payment instruments will have an origin.
06:19:26 <Ian> ...either the origin where the manifest comes from, or when you install the app where it came from.
06:19:48 <Ian> ..when you visit a domain, there is some additional functionality that the instrument provider can execute like "is my instrument already installed"
06:19:51 <CyrilV> Q?
06:19:55 <CyrilV> q+
06:19:59 <nick> q+
06:20:43 <Ian> AdrianHB: We may want to consider an origin-bound API call. You can test for the existence of an instrument but only if the origin of the requestor matches the origin of the instrument that was registered with it
06:20:46 <MattSaxon> q+
06:21:02 <Ian> zakim, close the queue
06:21:02 <Zakim> ok, Ian, the speaker queue is closed
06:21:18 <MattSaxon> q-
06:21:41 <Ian> zkoch: Generally speaking I think that you can rely on the browsers in many ways to address the "no instrument" situation.
06:21:52 <ShaneM> if navigator.paymentRequest...
06:21:56 <Ian> ...we also would check to see whether the (payment) API is implemented
06:22:22 <Ian> ...if the user has no payment instrument installed, I expect the browsers will offer some solution that is a helpful user experience
06:22:43 <mnot> mnot has joined #wpwg
06:22:47 <Ian> ...I think we can mitigate this on the browser side without specifying it in the API
06:22:54 <Ian> Laurent: Should we recommend it?
06:23:10 <Ian> AdrianHB: Maybe in the card case where browsers have card storage mechanisms.
06:23:17 <Ian> ...they could synthesize a payment instrument to support the legacy schemes
06:23:21 <Ian> q?
06:23:30 <zkoch> ack zkoch
06:23:34 <Ian> ...maybe we provide guidance in the card spec Note
06:23:41 <nicktr> ack CyrilV
06:23:59 <Ian> CyrilV: When you take the example of a paypal account and put lots of instruments in it.
06:24:19 <nick> q-
06:24:31 <Ian> ...we should focus on payment instruments that are the "first instrument used" and if there are different systems in the background we should forget it
06:24:36 <nicktr> q?
06:24:38 <Ian> ..maybe in the future we look at these "reloading systems"
06:24:55 <nicktr> q+
06:24:56 <Ian> ...so the case of paypal is that it's an instrument, no matter how it is reloaded
06:25:04 <ShaneM> +1
06:26:29 <ShaneM> q+ to clarify that paypal's payment instrument selection doesnt work that way
06:26:36 <Ian> zakim, open the queue
06:26:36 <Zakim> ok, Ian, the speaker queue is open
06:26:37 <MattSaxon> q+
06:26:46 <MattSaxon> q-
06:26:48 <Ian> q+ Shane
06:27:08 <Ian> rbarnes: What's the value of the "payment agent" level of abstraction?
06:27:19 <Ian> AdrianHB: As a user I've registered to pay with paypal
06:27:20 <Rouslan> q+ to talk about value of blue box
06:27:36 <Laurent> q+
06:27:44 <Ian> rbarnes: There's a slightly higher level point here which is that the payment instrument may have multiple choices
06:28:05 <Rouslan> q-
06:28:23 <nicktr> ack ShaneM
06:28:39 <Ian> ShaneM: there may be payment instruments that work that way, but paypal is not one of them.
06:29:02 <mountie> q+
06:29:08 <Ian> ack shane
06:29:26 <Ian> Cyril: Paypal is not authorized to display my account information
06:29:29 <nicktr> ack Laurent
06:29:35 <CyrilV> q+
06:29:41 <Ian> zakim, close the queue
06:29:41 <Zakim> ok, Ian, the speaker queue is closed
06:29:47 <Ian> Laurent: replace paypal with MasterPass
06:30:48 <Ian> AdrianHB: Ambition here is to be able to load instruments for example that are more secure
06:30:49 <ShaneM> Dashlane is another example
06:31:08 <ShaneM> oh - and so is LastPass
06:31:13 <nicktr> ack mountie
06:31:17 <Ian> ...payment experience can be upgraded in the background
06:31:35 <Ian> Mountie: If server wallet exists and there's a payment instrument, how do we discover the payment instrument on the server side?
06:31:57 <Ian> AdrianHB: CoinBase is an example of dealing with blockchain.
06:32:02 <Ian> ..you install a CoinBase wallet
06:32:20 <Ian> ...you could have a CoinBase wallet with a bitcoin option or a coinable option
06:32:41 <Ian> rrsagent, make minutes
06:32:41 <RRSAgent> I have made the request to generate http://www.w3.org/2015/10/28-wpwg-minutes.html Ian
06:32:45 <Ian> q?
06:32:48 <nicktr> ack CyrilV
06:33:18 <Ian> CyrilV: We have to manage the form of payment instrument and the underly reloading
06:34:14 <Ian> AdrianHB: All we care about is matching merchant payment instrument with the instrument (not potential instruments within it)
06:34:34 <Ian> rrsagent, make minutes
06:34:34 <RRSAgent> I have made the request to generate http://www.w3.org/2015/10/28-wpwg-minutes.html Ian
06:34:39 <dwim_> btw, will AdrianHB share the slide?
06:35:27 <AdrianHB> AdrianHB has joined #wpwg
06:43:43 <AdrianHB> AdrianHB has joined #wpwg
06:50:33 <lbolstad> lbolstad has joined #wpwg
06:50:39 <mnot> mnot has joined #wpwg
06:51:25 <rbarnes> rbarnes has joined #wpwg
06:51:46 <AdrianHB> AdrianHB has joined #wpwg
06:55:56 <yaso> yaso has joined #wpwg
06:57:47 <Jiangtao> Jiangtao has joined #wpwg
06:58:35 <mountie> mountie has joined #wpwg
06:59:00 <nick> nick has joined #wpwg
07:06:40 <shepazu> shepazu has joined #wpwg
07:10:44 <Ian> rrsagent, make minutes
07:10:44 <RRSAgent> I have made the request to generate http://www.w3.org/2015/10/28-wpwg-minutes.html Ian
07:10:52 <Rouslan> Rouslan has joined #wpwg
07:11:21 <shepazu> schribenick: shepazu
07:11:36 <padler> padler has joined #wpwg
07:11:50 <kazue> kazue has joined #wpwg
07:11:54 <shepazu> scribenick: shepazu
07:12:14 <shepazu> MattPisut: I've written up the actors in a payment
07:12:40 <shepazu> … PSP, Merchant, Shopper, Browser Form Fill
07:12:54 <shepazu> … Legacy card payment
07:13:09 <shepazu> … this isn't technical, just the actors present
07:13:58 <shepazu> CyrilV: are we describing multiple pay flows?
07:14:20 <zkoch> zkoch has joined #wpwg
07:15:15 <shepazu> MattPisut: Merchant (Payee) PSP, Merchant (Payee), Shopper (Payer), Browser Form Fill, Shopper (Payer) PSP
07:15:28 <shepazu> … shopper goes to merchant website
07:15:43 <shepazu> … mechant website makes an offer to shopper
07:16:54 <shepazu> (discussion of flow, photo to follow)
07:18:54 <shepazu> MattPisut: I'm including Merchant (Payee) PSP and Shopper (Payer) PSP, because the API descriptions this morning only included Merchant (Payee), Shopper (Payer), and Browser Form Fill
07:20:41 <shepazu> MattPisut: I don't think a "standard credit card flow" exists
07:21:25 <shepazu> s/MattPisut/MattSaxon/g
07:22:32 <mountie> Legacy Card Payment (Merchant Hosted) : http://goo.gl/C5K0tZ
07:23:09 <shepazu> nicktr: let's look at this as it applies to the 2 models used today
07:23:25 <shepazu> s/used/presented/
07:25:34 <shepazu> zkoch: the flow for our proposal is similar, but encapsulates some of the steps as a data blob
07:28:15 <AdrianHB> AdrianHB has joined #wpwg
07:28:38 <m4nu> q+ to worry about making phishing easier
07:28:40 <shepazu> (discussion of optional Shopper (Payer) PSP step)
07:28:45 <m4nu> zakim, open queue
07:28:45 <Zakim> ok, m4nu, the speaker queue is open
07:28:47 <m4nu> q+ to worry about making phishing easier
07:30:12 <kris> kris has joined #wpwg
07:30:42 <ShaneM> ShaneM has joined #wpwg
07:31:16 <AdrianHB> q?
07:32:06 <AdrianHB> q+ to suggest that the fastest way we will figure this out is to start prototyping :)
07:32:12 <Ian> q+
07:33:18 <nicktr> ack m4nu
07:33:18 <Zakim> m4nu, you wanted to worry about making phishing easier
07:33:48 <Ian> q-
07:33:59 <mountie> q+
07:34:06 <AdrianHB> q-
07:34:07 <AdrianHB> q+
07:34:29 <Laurent> q+
07:34:54 <shepazu> m4nu: if we're documenting flows, and this the PAN being returned… we do care what happens in a 3rd-party app
07:35:32 <shepazu> MattSaxon: there are 3 flows here:
07:35:43 <shepazu> … legacy card payment
07:35:56 <shepazu> … automatic form fill
07:36:17 <shepazu> … autofill via a 3rd party app
07:36:29 <Laurent> q-
07:36:36 <zkoch> zkoch has joined #wpwg
07:36:51 <Ian> ACTION: MattS to write up three flows around legacy card payments
07:37:03 <shepazu> m4nu: let's differentiate this in the spec, this makes it easy to phish
07:37:05 <Ian> m4nu: Heads-up this leads to risk of phishing
07:37:40 <nick> I disagree, I don’t see an increased risk here
07:38:04 <nicktr> q+
07:38:07 <shepazu> m4nu: we make it automated, we make it easier for the user to send their card info
07:38:29 <mountie> title Card Payment Flow (Merchant Hosted)
07:38:29 <mountie> participant Payee PSP as P
07:38:29 <mountie> participant Merchant\n(Payee) as M
07:38:29 <mountie> participant Shopper\n(Payer) as U
07:38:30 <mountie> participant Browser\nPaymentRequest UI as B
07:38:30 <mountie> participant Payer PSP as CP
07:38:32 <mountie> U->M: visit
07:38:34 <mountie> M->U: offer
07:38:36 <shepazu> MattSaxon: this just describes the flows so far
07:38:36 <mountie> U<->B : fill form
07:38:38 <mountie> B<->CP: payment processing\n(PAN/Expiry)
07:38:40 <mountie> B->U: result
07:38:42 <mountie> U->M: result
07:38:44 <mountie> M->M: verify result
07:38:46 <mountie> M->U: thank you
07:38:48 <mountie> CP->M: settlement
07:38:52 <mountie> http://goo.gl/5Ah5u9
07:39:45 <shepazu> mountie: maybe we should consider the payment instrument … ???
07:40:08 <shepazu> … the money flow changes
07:40:18 <shepazu> MattSaxon: I don't think it does change
07:40:36 <shepazu> … it doesn't mask the card info
07:41:47 <shepazu> nicktr: we're not talking about the future yet
07:41:56 <nicktr> q?
07:42:00 <nicktr> ack mountie
07:42:24 <shepazu> AdrianHB: I think we can achieve both the legacy flow and improve it slightly
07:42:55 <shepazu> … for the PSP to do this, they do need to do something different, like provide a key pair
07:43:17 <shepazu> … it's not much innovation, just encrypting the PAN
07:43:18 <nicktr> ack me
07:43:20 <Laurent> +1
07:43:28 <shepazu> … only marginally better, but better
07:43:43 <nicktr> q?
07:43:48 <nicktr> ack AdrianHB
07:43:51 <nicktr> q+
07:43:54 <shepazu> MattSaxon: that's an opportunity with or without this
07:44:13 <m4nu> q+ to note that encrpting doesn't solve the phising problem
07:44:15 <nicktr> ack nicktr
07:44:16 <shepazu> AdrianHB: I think we need to start prototyping early
07:44:45 <shepazu> nicktr: it would be great to include tokenization into user flows, but let's have that conversation later, it's complicated
07:45:04 <nicktr> q?
07:45:11 <m4nu> ack m4nu
07:45:11 <Zakim> m4nu, you wanted to note that encrpting doesn't solve the phising problem
07:45:22 <mountie> redraw with Token : http://goo.gl/rfMDPS
07:45:43 <nick> q+
07:45:45 <shepazu> m4nu: we are going to be sending it back and forth, encrypting to the attacker doesn't help phishing
07:46:08 <shepazu> … we should know we're going to help phish faster
07:46:25 <nicktr> q?
07:46:36 <Rouslan> q+
07:46:43 <nicktr> ack nick
07:46:45 <shepazu> MattSaxon: we have risks, we need to document them and suggest mitigations
07:47:04 <sam> sam has joined #wpwg
07:47:21 <shepazu> nick: autocomplete already autofills forms… but there are ways to mitigate that today
07:47:35 <shepazu> … we can verify actors who claim to be someone
07:47:49 <nicktr> ack Rouslan
07:47:55 <shepazu> … browsers do offer some solutions today
07:48:16 <shepazu> Rouslan: let's document the questions, and get security / privacy reviews
07:48:23 <m4nu> +1 to Rouslan
07:48:25 <Ian> DISCUSSION POINT: How (much) to secure legacy case (e.g., to avoid phasing)
07:49:04 <shepazu> MattPisut: we need to document how the legacy flow works later
07:49:11 <Ian> (MattP notes this does not include the "registration" bits but otherwise accurately captures legacy flow)
07:49:26 <shepazu> nick: manu, would your proposal change this flow?
07:49:36 <shepazu> m4nu: no, it supports this and more flows
07:50:40 <shepazu> MattSaxon: my red was different… it seemed that the UA reaches directly to the Merchant PSP, past the Merchant
07:51:00 <shepazu> m4nu: no, not for a traditional pull payment
07:51:16 <zkoch> s/red/read
07:51:40 <shepazu> AdrianHB: this is a different flow, … ???
07:51:50 <Jiangtao_> Jiangtao_ has joined #wpwg
07:52:28 <Laurent> q+
07:52:28 <nicktr> q?
07:53:15 <shepazu> AdrianHB: this does look like a legacy flow… even if the merchant isn't involved at all
07:53:46 <shepazu> nicktr: from our perspective, it's the same player
07:54:30 <shepazu> Ian: is there an option that includes return flow?
07:54:55 <shepazu> AdrianHB: if the merchant host the page, the host of the page doesn't see the info
07:54:57 <Ian> IJ: I am hearing that one knob even in the legacy system is "the return origin is different from the intitiation origin"
07:55:36 <nicktr> ack Laurent
07:57:39 <shepazu> MattSaxon: let's articulate the many existing legacy flows
07:58:01 <shepazu> m4nu: we haven't covered ???, ???, ??? yet
07:58:32 <nicktr> s/???, ???, ???/3D secure, ???, ???/
07:58:54 <shepazu> m4nu: there are lots of jumping off points
08:01:01 <Ian> scribe: Ian
08:01:33 <Laurent> q+
08:01:49 <Ian> MattS: One value of digging into the flows is to see the subtle differences.
08:02:10 <Ian> ...we need to make explicit decisions whether to allow some use cases (e.g., the "direct to Merchant PSP" response)
08:02:11 <CyrilV> q+
08:02:12 <AdrianHB> q+
08:02:29 <Ian> m4nu: I think there are use cases that are important e.g., that don't put Merchant in PCI scope
08:02:30 <nicktr> q+
08:03:37 <Ian> m4nu: The CG design of the API is to support both legacy and future cases.
08:03:56 <Ian> MattP: I am concerned about putting browser in distributed transaction flow...wouldn't you also have to have PSPs update code?
08:04:00 <Ian> m4nu: Not necessarily.
08:04:08 <Ian> ...legacy ones get back PANs as-is
08:04:15 <Ian> MattP: I'd hate to be the browser in the liability flow.
08:04:28 <Ian> ...or I'd do it twice and be liable.
08:04:40 <Ian> MattP: PSPs may have mutually authenticated connections to their merchants
08:04:49 <nicktr> ack Laurent
08:05:35 <Ian> Laurent: I think it's interesting to capture points such as:
08:05:46 <Ian>  * the CG flow has an interesting flow
08:05:55 <Ian> * Adrian offers a way to improve security
08:05:56 <Ian> ....
08:06:25 <Ian> Laurent: Maybe if we can look through the perspective of "what should we add/remove from current proposals"?
08:07:01 <Ian> MORE FLOWS
08:07:13 <Ian> * 3D Secure (consumer PSP involved)
08:07:15 <Ian> * Push Pay
08:07:16 <nicktr> ack CyrilV
08:07:23 <Ian> (We'll try to capture those as well by tomorrow)
08:07:43 <Ian> CyrilV: If during offer we add public key, the browser could encrypt the PAN
08:08:42 <Ian> q?
08:08:48 <Ian> ack Adrian
08:08:48 <nicktr> ack AdrianHB
08:09:01 <nicktr> q?
08:09:14 <Ian> AdrianHB: I think that there's some value in our recognizing the hats of trying to be PSPs and trying to be scheme operators here
08:09:26 <Ian> ...if we come up with an abstract flow and we standardize it today
08:10:01 <Ian> ...we should ask ourselves "What do I care about as Visa? What do I have to tell to whom? How does it change the flow that happens out there already?"
08:10:30 <Ian> ...e.g., Visa might say to PSPs "now you need to tell your merchants to do the following"
08:10:39 <Ian> MattS: They have solved the problem you are describing
08:10:54 <Ian> AdrianHB: I think that the flow we design will be simple and these options will be scheme-specific decisions
08:11:00 <nicktr> ack nicktr
08:11:06 <Ian> ack nicktr
08:11:36 <Ian> nicktr: We need to document "silent order post" use case
08:11:41 <Ian> (Stripe, Braintree)
08:11:58 <Ian> nicktr: Schemes don't typically talk to acceptors
08:12:17 <Ian> Nicktr:...can we get Visa Europe to join the WG?
08:12:32 <nicktr> q?
08:13:45 <Ian> rrsagent, make minutes
08:13:45 <RRSAgent> I have made the request to generate http://www.w3.org/2015/10/28-wpwg-minutes.html Ian
08:17:08 <mountie> 3D Secure Payment Flow : http://goo.gl/pmqTjH
08:17:21 <Rouslan> Everyone, here is what I am thinking about APIs for handling the legacy case: https://docs.google.com/document/d/1pBSMclozKhKlKHxd3MsG4K1bR2zr3j57oBDPKoakltk/edit?usp=sharing . Please let me know if that's we're talking about or I am way off base. Some examples included in the doc.
08:17:58 <Ian> rrsagent, make minutes
08:17:58 <RRSAgent> I have made the request to generate http://www.w3.org/2015/10/28-wpwg-minutes.html Ian
08:20:23 <kris> kris has joined #wpwg
08:20:26 <Ian> http://r.gnavi.co.jp/h001228/
08:20:51 <mnot> mnot has joined #wpwg
08:21:24 <mountie> mountie has joined #wpwg
08:24:27 <zkoch> zkoch has joined #wpwg
08:38:26 <rbarnes> rbarnes has joined #wpwg
08:45:49 <dezell> dezell has left #wpwg
08:57:43 <AdrianHB> AdrianHB has joined #wpwg
08:59:17 <wonsuk> wonsuk has joined #wpwg
09:13:38 <wonsuk> wonsuk has joined #wpwg
09:32:05 <MattSaxon> MattSaxon has joined #wpwg
10:27:23 <nicktr> nicktr has joined #wpwg
12:35:18 <rbarnes> rbarnes has joined #wpwg
13:00:12 <rbarnes> rbarnes has joined #wpwg
13:10:20 <zkoch> zkoch has joined #wpwg
13:24:02 <rbarnes> rbarnes has joined #wpwg
13:34:30 <rbarnes> rbarnes has joined #wpwg
14:24:36 <Zakim> Zakim has left #wpwg
14:36:16 <sam> sam has joined #wpwg
14:40:23 <m4nu> m4nu has joined #wpwg
15:05:13 <nicktr> nicktr has joined #wpwg
17:01:29 <AdrianHB> AdrianHB has joined #wpwg