Currency is one of the most popular buzzwords right now and there are lots of different definitions. I’ll try to unify them in some way and talk about some of the issues involved. Over the next couple of posts I’ll try to analyze what currency is.

If you ask most people on the street, currency is what they have in their bank account and in their wallet.

Gamers will tell you that currency can also mean numbers on a screen earned and spent within a game.

Silicon valley hipsters will also try to say that Virtual Currency is the latest monetization strategy out there, often without realizing what it really means.

Community activists also like to remind us of all the successful community currencies that have sprouted up in the past few years.

So my first attempt at a definition is:

A currency is a fungible asset that can be transferred from one person to the other.

Now under that definition we may also need to include stocks, options other securities. As they are generally transferrable and fungible. Most people wouldn’t consider them currency, but they fit the definition perfectly. I’m personally quite happy to consider them currencies.

Virtual Currencies?

What makes a currency virtual or not? It’s not wether it has any real value as World of Warcraft Gold clearly has value. I’d say it depends on the backing of it. So an attempt at a definition:

A virtual currency is a currency backed by the promise of it’s issuer.

Closed loop currencies

A closed loop currency is a currency only meant to be spent with the issuer. Good examples are Starbucks Cards, but most game currencies are also closed loop currencies as you can only use them within the games.

What about Whuffie, Page Rank and other reputation currencies?

That is a good question. These are currencies that are objectively awarded and taken away based on your standing/actions in a community. Pagerank is often also described as a currency. Most of these break my definition above as they aren’t generally speaking transferable.

Whether they are really fungible is also a good question. A Google PageRank of 8 would have to be worth 8 times a PageRank of 1. But clearly that is not the case.

In my next post I explore a few different flavors of what many of us think is just one currency, the all mighty US Dollar.

Correction: I had misunderstood this to be an official PayPal proposal. It is actually Praveen and Ray Tanaka private provosal, that they are trying to push with amongst other providers PayPal.

Praveen and Ray Tanaka’s both from PayPal gave a talk at OsCon presenting their new Open Web Payments proposal:

PayPal of course have one of the oldest http based payment APIS out there already, but as PayPal’ers like Praveen have admitted it is pretty old school in its approach and very bloated by now. I’ve been talking quite a lot with Praveen the last half year about OpenTransact , which seems to have had a fair amount of influence on this.

Like OpenTransact Open Web Payments utilizes OAuth as well as WebFinger. Where it differs is it’s use of Atom and AtomPub and more fundamentally that it ignores URI’s as a fundamental part of the protocol.

Atom transactions

I think Atom in itself could be a good way of publishing transaction data, but it shouldn’t be the only way. There also needs to be json and microformats. XML and in particular heavily namespaced XML is not very popular today with developers outside the enterprise. The datamodel isn’t too bad but I think it is too complex. There are too many data elements:

AtomPub for payments

To create a payment you POST a chunk of atom xml to a URL creating an entry. I’m glad it follows HTTP conventions. I’m not in love with allowing GETS for modifying transactions. And a refund might be better modeled with a DELETE

This is an example of a transaction:

Contrast this with OpenTransacts equivalent:

POST /transactions/usd HTTP/1.1
Authorization: OAuth ... oauth_token="ad180jjd733klru7", ...
Content-length: 239

amount=25.00&to=support@safeway.com&memo=Milk

Again too much information. We already know the sender through the OAuth token, no need to repeat it. Why do we need enter this much information about about the recipients. A single URI, email address or other identifier should be sufficient, particular as we are using webfinger.

What this does have that OpenTransact doesn’t support at the moment is multiple recipients. We could add that using the following convention:

POST /transactions/usd HTTP/1.1
Authorization: OAuth ... oauth_token="ad180jjd733klru7", ...
Content-length: 239

amount=25.00&to=support@safeway.com&memo=Milk&amount.2=2.00&to.2=support@yourgroceryapp.com

Where art thou URI

Each transaction does have a URI which is excellent. Posting to an atom resource should create a URI. The rest of the API misses an opportunity to look at the fundamental concept of value as a resource.

For historical reasons payment apis have traditionally followed the messaging model. This goes back to the days before financial institutions were online (see my previous article on the sorry state of payment standards). PayPal, VISA, M/C, SWIFT are financial intermediaries sending messages with instructions back and forth. This message oriented way of thinking about payments is what causes much of the complexity as you need to include lots of redundant information in the payment message.

The web on the other hand works using the concept of resources and actions. It is pretty object oriented in this way. Messaging applications can be created on top of the web, but the complexities are hidden behind this object oriented world. This is how atom, twitter, facebook etc all work.

The best example of a field all payment messaging standards require is the currency field. On the web we don’t need this as we have URI’s.

A payment is the transfer of one resource to another. So lets model that in the restful object oriented way. Each currency has a separate URI:

• http://paypal.com/owp/usd
• http://paypal.com/owp/eur

HTTP POST to this URI to transfer funds. HTTP GET to get transactions in that currency.

In addition in the above grocery transaction the funding types elements. Neither the merchant nor the consumer cares about these. They are also extremely specific to PayPal and are likely not of any interest to most other people wanting to implement this, such as banks. They could be modeled into the URIS as well:

• http://paypal.com/owp/usd – do whatever default behavior is
• http://paypal.com/owp/usd/creditcard
• http://paypal.com/owp/usd/checking

These options could be presented to merchant using WebFinger.

This concept of using URI’s to represent value is key to OpenTransact’s simplicity.

Conclusion

I am glad that Praveen is at PayPal trying to open up their payment world. We can’t discount the importance of an evangelist within PayPal pushing for open standards. I just don’t think it is radical enough. I also think it is too complex both for consuming developers and for developers creating new financial services supporting it.

Any good developer could definitely work with it, but for the majority of developers creating simple PHP/ASP type sites it would present some major hurdles the same way OAuth 1 has. OAuth 2 learnt from this and PayPal’s proprietary API’s have always been targeted at these kinds of developers. While conceptually it is simpler than the old API’s, I think many developers would find it easier to deal with the old API in practice due to the complexities of XML.

Another important question is if PayPal are actually committing to this. I believe PayPal has good intentions with this, but other large corporations were notorious for bringing down competitors with nothing but press releases announcing new products.

It is more of a full stack though than OpenTransact. Hopefully we can work together on the lists to create a common full stack. I see this as Ray and Praveen’s reply to OpenTransact and as the start of a conversation. Similar to OAuth Wrap being the response to the complexity of OAuth1 which lead to the great new OAuth2 standard.

The Authosphere is a buzz this morning with XAuth. My first instinct when I started seeing headlines about it was, yet another OAuth competitor?

It turns out it is nothing of the sort and it could turn out to be a very useful service. “Service” you say, isn’t it a standard? It really is a service and not a new authentication standard. But I’ll get to that.

What is it?

The way you can look at XAuth is that it is a cross domain cookie containing a list of services that you use.

What does it solve?

The problem that this aims to fix is really a UI one, not a security one. If you know the user already uses Google accounts and Meebo, there is no need to over clutter your user interface with login buttons to 40 different social networks.

It could work really well hand in hand with both OpenID and OAuth to minimize the user interface for connecting to them. OpenTransact also has potential uses for XAuth as it could be used on a payment form to filter the list of payment types a user uses.

So how does it work?

XAuth essentially defines 3 different parties to the flow:

• Extenders are web services that a user is logged into that present some public API. These often have the same role as the OpenID providers and OAuth Providers.
• Retrievers are web services that want to discover and consume one or more of the Extenders. In OpenID terms these are relying parties and in OAuth terms these are Consumers.
• XAuth.org is the final party. All communication of XAuth happens through an iframe and javascript hosted here. This is just static hosting, all data is stored in the users browser.

How do I use it?

As a developer it is pretty easy to do. Most of the work is in the Javascript layer and there really is very little that needs to be done on the server backend side. As I understand more about the process I will update this page.

XAuth is implemented as a javascript library you import in your header:

<script type="text/javascript" src="http://xauth.org/xauth.js"></script>

This script creates a hidden iframe on your page with the following page http://xauth.org/server.html.

Extender implementation

If you are an Extender, you extend your service by calling the XAuth.extend() function with a token. I would expect this to be done once a user logs in to the Extender service.

XAuth.extend({
  token: "bb87aef641b8f29023a8c207f",
  expire: 1271773157402,
  extend: ["www.meebo.com", "www.youface.com", "*"],
  callback: extendCallback
});

The token is a XAuth specific token, which I don’t completely understand yet. The demo code just generates a random token. Here is what the spec says:

this is the XAuth token, created specifically for use with XAuth and used by an auth extender to request additional services from the extender. This token will be stored with the canonical domain as the key.

My guess is that it should say:

this is the XAuth token, created specifically for use with XAuth and used by an auth Retriever to request additional services from the extender. This token will be stored with the canonical domain as the key.

The spec doesn’t mention more here but I imagine this could be used together with OAuth somehow for a really low permission OAuthToken. But lets see what implementers do with it.

The extend allows you to limit the token to only certain trusted domains. Use “*” to allow anyone access.

The optional callback method is called with the following data:

{
  "cmd": "xauth::extend",
  "id": 0
}

Once this has been called a record is created in the HTML5 Local Storage for the http://xauth.org/server.html page:

If you are unfamiliar with HTML5 Local Storage, think of it as a more evolved form of cookies. Some people have called in browser based NoSQL.

As part of your logout code you should also call XAuth.expire(), which removes it from the list of tokens.

Retriever implementation

The retriever is also pretty simple to implement. You make the call to the XAuth.retrieve() function:

XAuth.retrieve({
  retrieve: ["www.meebo.com", "www.youface.com", "xauth.org"],
  callback: retrieveCallback
});

You must list all the Extender domains you are interested in and the callback function is called with tokens for each of the available Extenders.

{
  "cmd": "xauth::retrieve",
  "id": 4,
  "tokens": {
    "xauth.org": {
      "token": "bb87aef641b8f29023a8c207f",
      "expire": 1271773157402
    }
  }
}

Now remember XAuth doesn’t say what to do with this information. Everything from now follows the regular API’s you already use. I expect that this is initially going to be used to hide various openid login widgets in the beginning.

For an interactive spec/testing console go to the XAuth Specs page.

User privacy issues

So as a user how do you control this? Do I really want these sites to know what I use?

At the XAuth home page you will find this control panel:

It allows you to switch XAuth off completely and to see and manage the tokens Extenders are publishing for you.

Service or Standard

I guess it really doesn’t matter, but strictly speaking this is a service not a standard. It does rely on the XAuth server to provide js and the iframe page.

This is Discovery not Auth

I find probably the biggest issue with XAuth is the choice of name. XAuth is not an authentication protocol. I would call it a discovery protocol. It has more in common with WebFinger (again in a complimentary way) than with authentication protocols like OpenID and OAuth.

Having spent more than 2 years explaining to people that OAuth and OpenID are not the same, this just adds more confusion. Names are really important.

I also think the choice of Extenders and Retrievers is confusing. I think using Provider and Client would be clearer. Lets not invent more terminology if it isn’t necessary.

Conclusion

I think this could be really useful. It looks very easy to implement for both Extenders and Retrievers. The usage of HTML5 functions also hints at a bunch of new services that are now possible.

Of course with any of these kinds of services until there are Extenders out there, very few Retrievers are going to implement this. I understand that both Meebo and Google will support it.

As it is so easy to implement, it might not hurt at all for smaller startups to implement Extenders. It could be a way to promote your API.

2 news stories on the same day are quite interesting in their contrast.

Pin and Chip is broken

The first one has the collective might and minds of the European banking system and their suppliers who overlooked a slight issue in their authentication protocol for authenticating Chip cards with a pin number. In Europe most Visa/MC cards are smart cards and have to be authenticated with a pin. This in theory allows for an authenticated payment message.

Only problem was that, well one very important bit of the message was not authenticated leaving a gaping hole. I won’t go into the details as well as Ross Anderson does. He is one of the security researchers who discovered the flaw. Unfortunately it sounds like carders discovered it before them.

Now what to do with these supposedly safe authenticated transactions? There is no way of knowing which ones were fake. You can’t mass revoke all european cards. Some one is in a bit of a bind right now.

Grader’s security screw up

The second story was about HubSpot a Cambridge, Mass. based startup who self admittedly screwed up and let a malicious user comprise the security of their Grader service a rating service for twitter users.

Granted we are not talking about a system that handles the majority of Europe’s electronic point of sales transactions here. But they know they screwed up. However due to the fact that Grader used OAuth they were able to mitigate any damage pretty quickly by asking Twitter to revoke their Consumer credentials and any tokens they had issued to it.

Revokability

The difference is that while both Chip and Pin and OAuth are ways of doing delegated authentication, the only token to revoke in the Chip and Pin scheme is in the card itself. The standards behind Chip and Pin assumes that it’s technology is perfect and through their rule books that all parties involved along the long chain from the card to the issuing bank can automatically be trusted.

This is basically the exact issue I described in The sorry state of Payment Standards.

OAuth does not define how a user authenticates himself to either of the services involved, rather it is focused on the delegation.

The delegation is done in the form of an authorized token that can be equipped with limits and can at any time be revoked. It is under the control of the user. In this case Grader themselves request the revocation as they knew that all of their credentials were compromised. Where do the European bankers even start to clean up this mess?

I think OAuth a simple (as authentication standards go) standard developed on a mailing list by a small group of developers has incredible potential in payments applications. This is of course why we picked it as one of the fundamental building blocks for OpenTransact.

Is OAuth perfect? Probably not. Nothing is 100% secure. It has had one serious security flaw which was fixed. But by design it is revokable. You can do something about it if something goes wrong. There is now an IETF OAuth Working Group working on making it an official internet standard.

As I mentioned in my last post The Sorry state of Payment Standards I wanted to blog about OpenTransact which so far is probably one of the most important outcomes of the Agile Banking mailing list set up after my talk last year on Agile Banking.

OpenTransact was designed to be very simple and is based on REST the best practice for current web API design. It should be so easy to implement for developers that there really shouldn’t be an excuse not to implement it.

An OAuth authenticated HTTP POST request to assets URL containing the parameters amount, to and optional memo field. Payer is deduced from the OAuth token.

eg.

POST /transactions/usd HTTP/1.1
Authorization: OAuth ... oauth_token="ad180jjd733klru7", ...
Content-length: 239

amount=10.00&to=you@example.com&memo=Milk

The above example shows a payment of $10 to [email protected] from the user who authorized the “ad180jjd733klru7” OAuth token.

Using the Ruby OAuth gem you would write the above as:

@token.post "/transactions/usd", :amount=>10, :to=>"[email protected], :memo=>"Milk"

That is pretty much it. But please do read on for more about motivations, issues and applications.