Internet Secure Payments Protocol BOF (ISPP)

Reported by Amir Herzberg/IBM

Many thanks to Tony Fernandez for taking notes and preparing a first draft of these minutes.

Mailing list information:

   General Discussion: ietf-payments@cc.bellcore.com
   To Subscribe:       majordomo@cc.bellcore.com (include in the body: subscribe ietf-payments)
   Archive:            ftp://ftp.bellcore.com/pub/rubin/

The ISPP BOF met twice on Tuesday. Many payment systems were presented, with a general approach toward convergence and open process. There were also some presentations about mechanisms to support different payment systems and integration of payment systems into applications.

There was a lively discussion on whether there should be a working group (or more than one) and what charter the group(s) should have (especially considering the announcement by MasterCard and Visa of their intention to publish a protocol in September). The rough consensus was that there should not be an IETF effort in this area, and more focus is needed (e.g., the draft charter), possibly by splitting into two or three working groups. Draft charter(s) of the working group(s) should be developed on the mailing list and then submitted to the Area Director (some work in this direction has already begun).

Agenda

First session -- Technical presentations

   o Opening and agenda review
   o Overview of iKP: IBM implementation -- Gene Tsudik
   o Netscape implementation -- Taher Elgamal
   o Microsoft's STT protocol -- Barbara Fox
   o Credit card payments -- Cybercash, Steve Crocker/Don Eastlake
   o A framework for presentation of prices and payments -- Cybercash
   o Open Markets Payments System -- Win Treese
   o Electronic Business Co-op's Payment System -- Spyglass, Jeff Hostetler
   o PPV and its support for NetCheque, NetCash, and other payment systems -- USC-ISI, Clifford Neuman

Second session -- Mainly discussion of goals and charter

   o Agenda Review
   o The HP Internet Payment System -- Wenbo Mao
   o Globe-Online/GC-Tech transaction model -- Paul-Andre Pays
   o First Virtual -- Einar Stefferud
   o Statements of direction from MasterCard, Europay and Visa
   o Discussion of charter, goals, mailing-lists, etc.

Details of most of the presentations should be available from the proceedings (on-line and hard copy). Here are the details of the discussion of charter, goals, mailing-lists, etc., followed by the statements from the Payment Systems participants.

Discussion

There was a lively discussion for and against maintaining the e-payment list or forming a new one. It was agreed to create a new mailing list, called ietf-payments. Avi Rubin will maintain it, and initially this list will be used to discuss the charter and the need for working group(s).

A very long charter was presented for a working group, followed by a discussion of the charter and the need for a working group. Some statements made during the discussion (it was impossible to record the speakers):

   o There is a need to move rapidly because the market will not wait for us but move on their own.
   o The group will work on protocols at the cryptographic level and provide inter-operability between the different systems.
   o The audience for this working group is not clear, because MasterCard and Visa are doing their own work, unless there are other domains to work for and with. But the work being done here will influence their work. Their standards will not use our working group protocol.
   o We are having problems seeing a coherent line here; the plastic cards will issue their standard by September, and our working group will be able at best to have something by October, so there is no way we can influence their standard.
   o Is the intention of the plastic to come in September with a standard for everybody? The answer was yes from MasterCard and Visa.
   o Jeff Schiller: We are not supposed to take outside work and have it rubber-stamped by the IETF; we don't do that. The right venue is the POISED way. If the plastic cards come with their document, it can be published as an Informational RFC, but we do not take it as a standard. Also, we are not here to give advice to the plastic cards for their work.

There was a lively discussion on the floor about our need to interact with the plastic companies, and whether there was a need for a working group. It was resolved to create a new mailing list and work on a more focused charter, in order to be successful (in the IETF experience, accomplishments are inversely proportional to the complexity of the working group's charter).

Nathaniel Borenstein proposed that we need in fact several working groups---maybe even five---each focusing on a different aspect. It was decided to continue discussion on the list about which working group(s) should be created and the charter(s).

Jeff mentioned that we could also have another BOF at the next IETF, if necessary (the two sessions we had counted only as one BOF---there is a limit of two BOFs).

Presentations by Payments Systems Participants

MasterCard -- J. Wankmueller

MasterCard have a relationship with IBM on secure payments on the net. MasterCard and Visa are also working together.
IBM, MasterCard, and Netscape are coming up with a proposal that is embedded in iKP which uses the card over the Internet. But MasterCard have a very narrow focus, "We need just the stuff for our product, so we will like to focus to solve MasterCard needs only."

What does MasterCard mean by being open? Everybody will be able to run these specifications (which are going to be published in September), and there is no advantage of one vendor over the other. They will create the CA that just solves the needs for the card business.

There is a joint effort with Visa to produce a document; MasterCard are not endorsing any particular proposal.

Visa

Visa have been looking into making secure payments for a while. There is not a clear view; probably the business is small (in the USA only 8% of the transactions are using plastic cards), so it is a question of having the products used properly.

The business of the payments system is the execution of the payment between the buyer and the bank. These products are successful because the cards are going to work and there are recourse matters which are very important for the parties in the transaction. The Regulation C (in the USA) law regulates and protects the customer and is very costly for Visa.

Europay

Europay have a relationship with IBM, using the iKP protocol. Open protocols should be developed openly, within the domain of the standards body. They can only use whatever comes from here if it meets their business needs, but they hope to influence our work. Europay is working with Debit cards even more than with Credit cards, and wants the IETF to help in developing a standard.