Payment systems

The debate continues. Please read the first part of my response OpenTransact the Payment Standard where everything is out of scope first.

Manu wrote a new response which I will respond to in a separate blog post. First let me finish responding to the original

Generally this post will again reflect the differences in approaches. OpenTransact is a single layer simple pragmatic standard for performing payments nothing else. PaySwarm is a fully featured idealistic multi layered approach where you must buy into a whole different way running your business.

A Facebook friend suggested that OpenTransact vs PaySwarm is like Libertarianism vs Socialism. I don’t quite buy that in practice as I know that PaySwarm is not about forcing anyone to do anything.

However the basic PaySwarm philosophy of wanting to design a whole world view is very similar to central planning or large standards bodies like ANSI, IEEE etc. OpenTransact follows the market based approach that the internet was based on of small standards that do one thing well.

The W3C Web Payments Community Group was launched in August 2011 because Digital Bazaar had created their PaySwarm spec. I have been working with several others since 2009 on bootstrapping an open grassroots created standard OpenTransact with pretty much the same purpose as PaySwarm. I immediately joined the W3C group to see if we could work together towards our obvious common goal.

Different philosophies

So while we both shared this common goal, the fundamental philosophies of PaySwarm and OpenTransact could not be more different.

PaySwarm attempts to solve every single problem up front and thus creates a standard that is very smart in many ways but also very complex. It’s background is I understand in a P2P media market place called Bitmunk where licenses, distribution contacts and other media DRM issues are considered important. Manu Sporny of Digital Bazaar has also been a chair of the RDFa working group so PaySwarm comes with a lot of linked data luggage as well.

OpenTransact comes from the philosophy that we don’t solve a problem until the problem exists and several people have real experiences solving it. I have also been very active in the OAuth community and believe there are many things both good and bad that can be learnt from that process and how developers took to it. OpenTransact also follows the tradition of early web standards of having most parameters as optional.

Currency is one of the most popular buzzwords right now and there are lots of different definitions. I’ll try to unify them in some way and talk about some of the issues involved. Over the next couple of posts I’ll try to analyze what currency is.

If you ask most people on the street, currency is what they have in their bank account and in their wallet.

Gamers will tell you that currency can also mean numbers on a screen earned and spent within a game.

Silicon valley hipsters will also try to say that Virtual Currency is the latest monetization strategy out there, often without realizing what it really means.

Community activists also like to remind us of all the successful community currencies that have sprouted up in the past few years.

So my first attempt at a definition is:

A currency is a fungible asset that can be transferred from one person to the other.

Now under that definition we may also need to include stocks, options other securities. As they are generally transferrable and fungible. Most people wouldn’t consider them currency, but they fit the definition perfectly. I’m personally quite happy to consider them currencies.

Virtual Currencies?

What makes a currency virtual or not? It’s not wether it has any real value as World of Warcraft Gold clearly has value. I’d say it depends on the backing of it. So an attempt at a definition:

A virtual currency is a currency backed by the promise of it’s issuer.

Closed loop currencies

A closed loop currency is a currency only meant to be spent with the issuer. Good examples are Starbucks Cards, but most game currencies are also closed loop currencies as you can only use them within the games.

What about Whuffie, Page Rank and other reputation currencies?

That is a good question. These are currencies that are objectively awarded and taken away based on your standing/actions in a community. Pagerank is often also described as a currency. Most of these break my definition above as they aren’t generally speaking transferable.

Whether they are really fungible is also a good question. A Google PageRank of 8 would have to be worth 8 times a PageRank of 1. But clearly that is not the case.

In my next post I explore a few different flavors of what many of us think is just one currency, the all mighty US Dollar.

Correction: I had misunderstood this to be an official PayPal proposal. It is actually Praveen and Ray Tanaka private provosal, that they are trying to push with amongst other providers PayPal.

Praveen and Ray Tanaka’s both from PayPal gave a talk at OsCon presenting their new Open Web Payments proposal:

PayPal of course have one of the oldest http based payment APIS out there already, but as PayPal’ers like Praveen have admitted it is pretty old school in its approach and very bloated by now. I’ve been talking quite a lot with Praveen the last half year about OpenTransact , which seems to have had a fair amount of influence on this.

Like OpenTransact Open Web Payments utilizes OAuth as well as WebFinger. Where it differs is it’s use of Atom and AtomPub and more fundamentally that it ignores URI’s as a fundamental part of the protocol.

Atom transactions

I think Atom in itself could be a good way of publishing transaction data, but it shouldn’t be the only way. There also needs to be json and microformats. XML and in particular heavily namespaced XML is not very popular today with developers outside the enterprise. The datamodel isn’t too bad but I think it is too complex. There are too many data elements:

AtomPub for payments

To create a payment you POST a chunk of atom xml to a URL creating an entry. I’m glad it follows HTTP conventions. I’m not in love with allowing GETS for modifying transactions. And a refund might be better modeled with a DELETE

This is an example of a transaction:

Contrast this with OpenTransacts equivalent:

POST /transactions/usd HTTP/1.1
Authorization: OAuth ... oauth_token="ad180jjd733klru7", ...
Content-length: 239

amount=25.00&to=support@safeway.com&memo=Milk

Again too much information. We already know the sender through the OAuth token, no need to repeat it. Why do we need enter this much information about about the recipients. A single URI, email address or other identifier should be sufficient, particular as we are using webfinger.

What this does have that OpenTransact doesn’t support at the moment is multiple recipients. We could add that using the following convention:

POST /transactions/usd HTTP/1.1
Authorization: OAuth ... oauth_token="ad180jjd733klru7", ...
Content-length: 239

amount=25.00&to=support@safeway.com&memo=Milk&amount.2=2.00&to.2=support@yourgroceryapp.com

Where art thou URI

Each transaction does have a URI which is excellent. Posting to an atom resource should create a URI. The rest of the API misses an opportunity to look at the fundamental concept of value as a resource.

For historical reasons payment apis have traditionally followed the messaging model. This goes back to the days before financial institutions were online (see my previous article on the sorry state of payment standards). PayPal, VISA, M/C, SWIFT are financial intermediaries sending messages with instructions back and forth. This message oriented way of thinking about payments is what causes much of the complexity as you need to include lots of redundant information in the payment message.

The web on the other hand works using the concept of resources and actions. It is pretty object oriented in this way. Messaging applications can be created on top of the web, but the complexities are hidden behind this object oriented world. This is how atom, twitter, facebook etc all work.

The best example of a field all payment messaging standards require is the currency field. On the web we don’t need this as we have URI’s.

A payment is the transfer of one resource to another. So lets model that in the restful object oriented way. Each currency has a separate URI:

• http://paypal.com/owp/usd
• http://paypal.com/owp/eur

HTTP POST to this URI to transfer funds. HTTP GET to get transactions in that currency.

In addition in the above grocery transaction the funding types elements. Neither the merchant nor the consumer cares about these. They are also extremely specific to PayPal and are likely not of any interest to most other people wanting to implement this, such as banks. They could be modeled into the URIS as well:

• http://paypal.com/owp/usd – do whatever default behavior is
• http://paypal.com/owp/usd/creditcard
• http://paypal.com/owp/usd/checking

These options could be presented to merchant using WebFinger.

This concept of using URI’s to represent value is key to OpenTransact’s simplicity.

Conclusion

I am glad that Praveen is at PayPal trying to open up their payment world. We can’t discount the importance of an evangelist within PayPal pushing for open standards. I just don’t think it is radical enough. I also think it is too complex both for consuming developers and for developers creating new financial services supporting it.

Any good developer could definitely work with it, but for the majority of developers creating simple PHP/ASP type sites it would present some major hurdles the same way OAuth 1 has. OAuth 2 learnt from this and PayPal’s proprietary API’s have always been targeted at these kinds of developers. While conceptually it is simpler than the old API’s, I think many developers would find it easier to deal with the old API in practice due to the complexities of XML.

Another important question is if PayPal are actually committing to this. I believe PayPal has good intentions with this, but other large corporations were notorious for bringing down competitors with nothing but press releases announcing new products.

It is more of a full stack though than OpenTransact. Hopefully we can work together on the lists to create a common full stack. I see this as Ray and Praveen’s reply to OpenTransact and as the start of a conversation. Similar to OAuth Wrap being the response to the complexity of OAuth1 which lead to the great new OAuth2 standard.

2 news stories on the same day are quite interesting in their contrast.

Pin and Chip is broken

The first one has the collective might and minds of the European banking system and their suppliers who overlooked a slight issue in their authentication protocol for authenticating Chip cards with a pin number. In Europe most Visa/MC cards are smart cards and have to be authenticated with a pin. This in theory allows for an authenticated payment message.

Only problem was that, well one very important bit of the message was not authenticated leaving a gaping hole. I won’t go into the details as well as Ross Anderson does. He is one of the security researchers who discovered the flaw. Unfortunately it sounds like carders discovered it before them.

Now what to do with these supposedly safe authenticated transactions? There is no way of knowing which ones were fake. You can’t mass revoke all european cards. Some one is in a bit of a bind right now.

Grader’s security screw up

The second story was about HubSpot a Cambridge, Mass. based startup who self admittedly screwed up and let a malicious user comprise the security of their Grader service a rating service for twitter users.

Granted we are not talking about a system that handles the majority of Europe’s electronic point of sales transactions here. But they know they screwed up. However due to the fact that Grader used OAuth they were able to mitigate any damage pretty quickly by asking Twitter to revoke their Consumer credentials and any tokens they had issued to it.

Revokability

The difference is that while both Chip and Pin and OAuth are ways of doing delegated authentication, the only token to revoke in the Chip and Pin scheme is in the card itself. The standards behind Chip and Pin assumes that it’s technology is perfect and through their rule books that all parties involved along the long chain from the card to the issuing bank can automatically be trusted.

This is basically the exact issue I described in The sorry state of Payment Standards.

OAuth does not define how a user authenticates himself to either of the services involved, rather it is focused on the delegation.

The delegation is done in the form of an authorized token that can be equipped with limits and can at any time be revoked. It is under the control of the user. In this case Grader themselves request the revocation as they knew that all of their credentials were compromised. Where do the European bankers even start to clean up this mess?

I think OAuth a simple (as authentication standards go) standard developed on a mailing list by a small group of developers has incredible potential in payments applications. This is of course why we picked it as one of the fundamental building blocks for OpenTransact.

Is OAuth perfect? Probably not. Nothing is 100% secure. It has had one serious security flaw which was fixed. But by design it is revokable. You can do something about it if something goes wrong. There is now an IETF OAuth Working Group working on making it an official internet standard.