[OpenID] My 2 Cents to the OpenID foundation

Allen Tom atom at yahoo-inc.com
Wed Apr 8 21:30:42 UTC 2009

John Bradley wrote:
> I am only speculating that moving a visa number between sites with AX 
> will need more that what AX 1.0 currently has to make the PCI auditors 
> happy.   The case of authenticating a user to a PCI site is a separate 
> issue.
> Simply using HMAC-SHA256 associations will not solve all of the issues 
> with conveying that sort of information across the Web.

Sending a CC number via an OpenID Assertion is not a good idea, even 
with HMAC-SHA256 and HTTPS. Assertions are usually sent via HTTP GET, 
and will be saved in the browser history. The data in the assertion is 
signed, but not encrypted, so anyone who has access to the browser 
history will be able to extract the data.

Off the top of my head, I would recommend a direct server to server call 
(probably using OAuth) to fetch payment instructions.


More information about the general mailing list