Internet Secure Payments Protocol BOF (ISPP)

Reported by Amir Herzberg/IBM

Many thanks to Tony Fernandez for taking notes and preparing a first
draft of these minutes.

Mailing list information:


 General Discussion:    ietf-payments@cc.bellcore.com
       To Subscribe:    majordomo@cc.bellcore.com
                        (include in the body:  subscribe ietf-payments)
            Archive:    ftp://ftp.bellcore.com/pub/rubin/


The ISPP BOF met twice on Tuesday.  Many payment systems were presented,
with a general approach toward convergence and open process.  There were
also some presentations about mechanisms to support different payment
systems and integration of payment systems into applications.

There was a lively discussion on whether there should be a working group
(or more than one) and what charter the group(s) should have (especially
considering the announcement by MasterCard and Visa of their intention
to publish a protocol in September).  The rough consensus was that there
should not be an IETF effort in this area, and more focus is needed
(e.g., the draft charter), possibly by splitting into two or three
working groups.  Draft charter(s) of the working group(s) should be
developed in the mailing list and then submitted to the Area Director
(some work in this direction has already begun).


Agenda

First session -- Technical presentations

   o Opening and agenda review
   o Overview of iKP: IBM implementation -- Gene Tsudik
   o Netscape implementation -- Taher Elgamal
   o Microsoft's STT protocol -- Barbara Fox
   o Credit card payments -- Cybercash, Steve Crocker/Don Eastlake
   o A framework for presentation of prices and payments -- Cybercash
   o Open Markets Payments System -- Win Treese
   o Electronic Business Co-op's Payment System -- Spyglass, Jeff Hostetler
   o PPV and its support for NetCheque, NetCash, and other payment
     systems -- USC-ISI, Clifford Neuman

Second session -- Mainly discussion of goals and charter

   o Agenda Review
   o The HP Internet Payment System -- Wenbo Mao
   o Globe-Online/GC-Tech transaction model -- Paul-Andre Pays
   o First Virtual -- Einar Stefferud
   o Statements of direction from MasterCard, Europay and Visa
   o Discussion of charter, goals, mailing-lists, etc.

Details of most of the presentations should be available from the
proceedings (on-line and hard copy).  Here are the details of discussion
of charter, goals, mailing-lists, etc., followed by the statements from
the Payment Systems participants.


Discussion

There was a lively discussion for and against maintaining the e-payment
list versus forming a new one.  It was agreed to create a new mailing
list, called ietf-payments.  Avi Rubin will maintain it, and initially
this list will be used to discuss the charter and the need for working
group(s).

A very long charter was presented for a working group, followed by a
discussion of the charter and the need for a working group.

Some statements made during the discussion (it was impossible to record
the speakers):


   o There is a need to move rapidly because the market will not wait
     for us but will move on its own.

   o The group will work on protocols at the cryptographic level and
     provide inter-operability between the different systems.

   o The audience for this working group is not clear, because
     MasterCard and Visa are doing their own work, unless there are
     other domains to work for and with.  But the work being done here
     will influence their work.  Their standards will not use our
     working group protocol.

   o We are having problems seeing a coherent line here; the plastic
     cards will issue their standard by September, our working group
     will be able at best to have something by October so there is no
     way we can influence their standard.

   o Is the intention of the plastic to come in September for a
     standard for everybody?  The answer was yes from MasterCard and
     Visa.

   o Jeff Schiller:  We are not supposed to take an outside work and
     rubber stamp it by the IETF; we don't do that.  The right venue is
     the POISED way.  If the plastic cards come with their document, it
     can be published as an Informational RFC, but we do not take it as
     a standard.  Also, we are not here to give advice to the plastic
     cards for their work.


There was a lively discussion on the floor about our need to interact
with the plastic companies, and if there was a need for a working group.

It was resolved to create a new mailing list and work on a more focused
charter, in order to be successful (in the IETF experience
accomplishments are inversely proportional to complexity of the charter
of the working group).

Nathaniel Borenstein proposed that we need in fact several working
groups---maybe even five---each focusing on a different aspect.

It was decided to continue discussion on the list about which working
group(s) should be created and the charter(s).  Jeff mentioned that we
could also have another BOF at the next IETF, if necessary (the two
sessions we had counted only as one BOF---there is a limit of two BOFs).


Presentations by Payments Systems Participants


MasterCard -- J. Wankmueller

MasterCard have a relationship with IBM on secure payments on the net.
MasterCard and Visa are also working together.

IBM, MasterCard, and Netscape are coming up with a proposal that is
embedded in iKP which uses the card over the Internet.  But MasterCard
have a very narrow focus, ``We need just the stuff for our product, so
we will like to focus to solve MasterCard needs only.''

What does MasterCard mean by being open?  Everybody will be able to run
these specifications (which are going to be published in September), and
there is no advantage of one vendor over the other.  They will create
the CA that just solves the needs for the card business.

There is a joint effort with Visa to produce a document; MasterCard are
not endorsing any particular proposal.

Visa

Visa have been looking into making secure payments for a while.  There
is not a clear view; probably the business is small (in the USA only 8%
of the transactions are using plastic cards), so it is a question of
having the products used properly.  The business of the payments system
is the execution of the payment between the buyer and the bank.  These
products are successful because the cards are going to work and there
are recourse matters which are very important for the parties in the
transaction.  The Regulation C (in the USA) law regulates and protects
the customer and is very costly for Visa.

Europay

Europay have a relationship with IBM, using the iKP protocol.

Open protocols should be developed openly, within the domain of the
standards body.  They can only use whatever comes from here if it meets
their business needs, but they hope to influence our work.

Europay is working with Debit cards even more than with Credit cards,
and wants the IETF to help in developing a standard.