See also: IRC log
<Ian> Scribe: Ian
<scribe> Chair: Ian
<manu> scribe: manu
<Ian> https://www.w3.org/2017/03/commerce-charter.html
<Ian> https://www.w3.org/Payments/IG/wiki/Main_Page/Charter2017
Ian: The IG's charter expires at the end of September. We started drafting a new one in March. The revised charter is linked to above.
... The question is how to get this charter supported and through the W3C process.
... I've started to write down a timeline for getting the charter through the process. The charter attempts to be more lightweight than the previous IG's charter. It calls out 5 activities.
... For example, Ken falls into the "review work of others" category. My concrete proposal for a timeline for this charter - after today's discussion - tomorrow, send advance notice to the AC. We have a process piece in W3C where we give people a heads up for charters in development.
... So, I will notify the AC that this is a charter in development. A week from then, we trigger a Call for Consensus to request that W3C sends the charter to the membership for review.
... Then another week for review... 19th of May, if there is support from W3M... in mid-July with some suggested changes, they'll make a decision, want to get it done... AC Review starts later in July, ends in late August, and we can launch the new group by mid-September.
<Ian> Manu: I looked at the charter. Looks great. I couldn't find anything to criticize
<Ian> dezell: Timeline sounds fine
<Zakim> padler, you wanted to ask about other groups
<Ian> padler: We may want to list some examples of other groups in the consumer space
Pat: We may want to think about other consumer groups that affect other folks in the standards space.
... We may be able to get a different mindset in the group as well.
ian: Very intentionally, this list is a list of examples, not a firm list. Having said that, your suggestion is useful, if you think that having folks in the list of examples would be helpful (to get their attention), feel free to send in suggestions to the list.
<Ian> pat: categories
<Ian> "consumer interest organizations"
Pat: Thinking about, in the Fed, we grouped organizations to provide categories rather than specific examples. Otherwise, you can say "Consumer Interest Organizations" instead of saying something specific.
... If we can stick to more categories than examples, that might be helpful.
Ian: In the participation section...
... There is also a connection there...
Pat: If we want to draw people to W3C TPAC, it might be good to highlight desired participants there.
<Ian> +1 to thinking about (1) who in the group (2) who for liaisons
<Ken> +q
Ian: I'll work with MarCom team after the meeting since I'm hearing no objections on moving forward.
Ken: Do we need to officially agree to anything for this to proceed?
<Ian> Ken: +1 to advance notice
Ian: There are several steps in the process, demonstrating increasing levels of support as the charter progresses.
<Ian> dezell: +1 to advance notice
<padler> +1
manu: +1 to notify AC of charter in progress
<Ian> ACTION: Ian to prepare with the marcomm team advance notice of the commerce charter to the AC [recorded in http://www.w3.org/2017/06/05-wpay-minutes.html#action01]
<trackbot> 'Ian' is an ambiguous username. Please try a different identifier, such as family name or username (e.g., IFSF-EFT-WG-Lead, ijacobs).
Ken: I've sent out a draft version of the deck.
<scribe> scribe: Ian
Ken: I spoke about this task force in March
... gave perspective on why we were advocating to increase the focus around security.
... next step is to kick off evaluations
... would like feedback on content of presentation; all thoughts welcome
... we are thinking of doing a security evaluation, followed by good practices and also potential security fixes for the spec
... clarification on scope of the TF - deliverables of the Web Payments WG
... not the more general scope of "making the Web more secure"
... mobile raises usability issues. What are the security consequences of increasing usability?
... there are a lot of pressures and influences that play a role in determining "what is adequate security"
... from regulatory (which is increasing exponentially, and happens at many levels of jurisdiction)
... to other standards bodies and rule-making bodies
... as well as each company's internal policies
... and all this is changing constantly as new technology arises, and as fraudsters come up with new attacks
[Slide 6]
scribe: to Slide 9
Ken: How Amex looks at security topics
Erik: Having been talking about security for 3 years and gotten nowhere in the IG, I appreciate your work.
... My experience is that W3C groups look at their own work, not the overall flow.
<Zakim> manu, you wanted to ask about analysis document and areas for every system in the lifecycle - e.g. How is data protected at rest, in transit, how do you protect against info
manu: what is the output of the task force?
(IJ thinks the answer is "fixes to specs + good practices")
Manu: W3C specs only address part of the ecosystem.
... focusing on what W3C is doing and how they map to your ecosystem
... and how those specs protect data in each subsystem
... what is the deliverable.
... e.g., here is the environment, here is who is involved, here is how W3C is addressing these
Ken: First next step is recruiting subject matter experts in security for this work
... e.g., Amex is likely to contribute a security expert to the discussion
... I would like to ask other orgs in the WG to do the same
... I think we are not likely to get the WG participants directly...but rather their colleagues in security
... Ian and I have spoken about different forms of output
... could be best practices, spec fixes
... regarding expertise we could also hire a firm that has expertise in security evaluations
<manu> Ian: I like the idea of a focused effort on the security portion of the WPWG deliverables...
<manu> Ian: Ken has suggested some ways to address that - it goes beyond what has been suggested before. Even if we were to hire security experts, it's no guarantee, but it's a good backstop.
<manu> Ian: To Manu's question, the obvious deliverables are identification of bugs in the spec that need fixing, and security suggestions for developers using the API.
<Ken> +q
<manu> Ian: We may not want to have general statements on security models, we may want to say concretely what this API does to create a new security challenge, or a new security benefit. We want to motivate security around this API. For example, because of this API <some terrible thing could happen>... or "did you understand by doing tokenization, that would really benefit end users". So, let's stay away from broad statements.
<Erik> API is standardizing fraud. Implementers of the API enter the fraud chain.
<Zakim> padler, you wanted to ask if there is any sort of precedent for this in W3C?
<manu> Ian: If you feel that's true, Erik - send specifics about how the API does that.
padler: Thanks, Ken. I think this is important.
<manu> Pat, there is stuff like this - specs have privacy and security considerations sections: https://w3c.github.io/vc-data-model/#privacy-considerations
padler: one question I have: is there precedent at W3C for a dedicated security assessment of a specification?
... here's why I ask - do you make recommendations about security and how to implement, or do you identify vulnerabilities?
... what liabilities are there for recommending security approaches
... the form factor for how to surface the issues may be important even in recruiting talent
<manu> Ian: At a very soft level, W3C does these things at the spec level rather than the flow level.
<manu> Ian: The group identifies security and privacy considerations and then decides how to express those in the specs. There are evaluations coming from organizations implementing.
<manu> Ian: We have a Security IG, they are invited to do reviews of our specs... I know Sam is trying to energize that activity.
<manu> Ian: That's not as formal as Ken is looking to do, but there is soft precedent for this. There is a general desire to do more.
padler: If the goal is to build a team to do detailed assessments, make that front and center
... and maybe be clearer about the outcomes
<manu> Pat: The desire to do more is great, I'm hearing everyone say we want to do more here - is there a way to focus on that, so that if the goal is to provide a team that does detailed assessments, make that front-and-center, and then say what we want deliverables to look like.
padler: right now it's a bit more about "why there is fraud" rather than "what we are going to do"
(IJ agrees with Pat's comment)
scribe: I would focus on what the group will do and who should participate
dezell: I think the security experts will tell us what we need to do
<Zakim> weiler, you wanted to suggest adding privacy review to the scope (e.g. recognizing that there might be anonymous/pseudonymous payments and that linkability of transactions is an
weiler: Thanks, Ken!
... I suggest adding privacy review to the scope of what the task force will do
... things like "unlinkability of transactions" or "leakages of personally identifying information"
... I think that many of the experts will be able to consider those at the same time
... there was a comment about the scope of the presentation
... I got distracted by the details of the presentation
Ken: I will add privacy review and think about how to make it less distracting
<Erik> Privacy Review = Boil the ocean even more
<weiler> privacy review = take the end users' need into account.
IJ: I am hearing perhaps tailor the presentation to the SMEs
Ken: Thank you for the input
... the initial version of the deck was directed to addressing some earlier feedback
... I think the more concise we get about audience the more successful we will be
... I will incorporate today's input
... agree next version should target recruiting support we need
<Ken> +1
IJ: For me, 19 June sounds good
... after charter CfC
<manu> +1 on June 19
RESOLUTION: Next meeting is 19 June at 10-11am ET
<Erik> +1
<Erik> I am still not convinced the Browser can be a secure initiation environment for Payments. With an App you get fine-grained control; with the Browser you get full market penetration, but it doesn't do any one thing as well as an App.