[OpenID] My 2 Cents to the OpenID foundation
Allen Tom
atom at yahoo-inc.com
Wed Apr 8 21:30:42 UTC 2009
John Bradley wrote:
>
> I am only speculating that moving a visa number between sites with AX
> will need more than what AX 1.0 currently has to make the PCI auditors
> happy. The case of authenticating a user to a PCI site is a separate
> issue.
>
> Simply using HMAC-SHA256 associations will not solve all of the issues
> with conveying that sort of information across the Web.
>
Sending a CC number via an OpenID Assertion is not a good idea, even
with HMAC-SHA256 and HTTPS. Assertions are usually sent via HTTP GET,
and will be saved in the browser history. The data in the assertion is
signed, but not encrypted, so anyone who has access to the browser
history will be able to extract the data.
Off the top of my head, I would recommend a direct server to server call
(probably using OAuth) to fetch payment instructions.
Allen
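An added illustration of the point above (example code, not from this thread or from any OpenID library): it builds an OpenID 2.0 positive assertion carrying AX values, signs it with an HMAC-SHA256 association over the spec's key-value form, and then shows that the signature verifies while every AX value is readable from the return_to URL with no secret at all. The return_to URL, association secret and AX values are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed (not real): the RP's return_to URL and the HMAC-SHA256 association secret.
RETURN_TO = "https://rp.example/openid/return"
ASSOC_SECRET = bytes(range(32))

def kv_form(fields):
    # OpenID 2.0 key-value form: '<key>:<value>\n' per openid.signed entry, prefix stripped.
    return "".join(f"{k}:{fields['openid.' + k]}\n"
                   for k in fields["openid.signed"].split(","))

def sign(fields, secret):
    # Association signature as carried in openid.sig (base64 of the HMAC).
    mac = hmac.new(secret, kv_form(fields).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def build_assertion_url(ax_values, secret):
    # Positive assertion with AX fetch_response values, sent as a GET to return_to.
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.return_to": RETURN_TO,
        "openid.ns.ax": "http://openid.net/srv/ax/1.0",
        "openid.ax.mode": "fetch_response",
    }
    signed = ["ns", "mode", "return_to", "ns.ax", "ax.mode"]
    for alias, (type_uri, value) in ax_values.items():
        fields[f"openid.ax.type.{alias}"] = type_uri
        fields[f"openid.ax.value.{alias}"] = value
        signed += [f"ax.type.{alias}", f"ax.value.{alias}"]
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = sign(fields, secret)
    return RETURN_TO + "?" + urlencode(fields)

def parse_fields(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def verify_assertion(url, secret):
    # The RP's check: a matching HMAC proves the values are authentic ...
    fields = parse_fields(url)
    return hmac.compare_digest(sign(fields, secret), fields.get("openid.sig", ""))

def ax_values_from_history(url):
    # ... but anyone holding the history URL reads every AX value without a secret.
    prefix = "openid.ax.value."
    return {k[len(prefix):]: v for k, v in parse_fields(url).items()
            if k.startswith(prefix)}
```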