[OpenID] Demo Travel/ retailshop

Peter Williams pwilliams at rapattoni.com
Sun Apr 26 16:37:04 UTC 2009


Nah. That's fud, Nat.

Assuming google is an OP, and google checkout fulfills PCI (which it claims to do), we are fine on assurance grounds for consumer credit cards. If a google proprietary session (and the backend key management controls) can be audited as fulfilling PCI rules on accessing the stored card data/site under PCI, so can openid auth-intermediated sessions - once the openid auth uses a suitable mechanism of suitable strength. As we have seen recently, one can be running openid auth with _external_ security context management, with _externally managed_ associations - which of course eliminates much of the concern some have (legitimately) over openid auth's own crypto handshake and session resume procedures.

paypal is perhaps the most interesting OP/AX/SP case, so far. They have both the paypal original payment model and the inherited VeriSign payment gateway concept to work with. The original model is more like an OAUTH SP, where the VeriSign component is more like a highly trusted OpenID RP.

I don't see any fundamental problem with consumer-side CC handling with openid+oauth technology. If openid can embrace oauth, a lot of the early religion will have been eliminated from openid. One can then see directories and other locator protocols supporting openid auth+OAUTH, to create a more complete application context, over various bindings. One can be using XRI in this of course, but more likely it will be XRDs via more traditional, well understood resolvers than resolvers built on the native XRI resolution protocol itself. Much as X.500 gave way to LDAP gave way to AD with multi-mastering, so pure XRI will give way to more "natural" delivery technologies. The fundamentals of XRDs and XRDs as security tokens should stick around though, just as the fundamentals of the X.500 information model are still clearly manifest in Microsoft's AD, 20 years later.
________________________________
From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of Nat [sakimura at gmail.com]
Sent: Sunday, April 26, 2009 8:08 AM
To: Andrew Arnott
Cc: Santosh Rajan; general at openid.net
Subject: Re: [OpenID] Demo Travel/ retailshop

There is a question on the assurance level that a financial institution fulfills. I doubt if any of the big OPs fulfill it right now.

=nat at San Francisco via iPhone

On 2009/04/26, at 7:10, Andrew Arnott <andrewarnott at gmail.com> wrote:

Remember (I say this to everyone on the list),

Just because PayPal would make an excellent source of this information, that doesn't mean that it should become an OP.  In the interest of the SSO model, since we seem to have enough big OPs out there, why not have PayPal become an OAuth Service Provider.

Imagine... you're already logged into eBay using your preferred OP.  You're now ready to purchase.  Why make you log in again using PayPal?  Instead, just click the Pay With PayPal button.  You see PayPal pop up, asking you to verify the purchase/bid/whatever.  You click Yes.  You see eBay again, and it has received all the info it needs.  If you weren't already signed into PayPal you may need to sign in there before clicking "Yes", but you're strictly logging into PayPal and not re-logging into eBay.

You don't need to be an OP to be able to provide this info.  If authentication isn't strictly necessary, OAuth is usually the right choice.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire
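The "Pay With PayPal without re-logging into eBay" flow Andrew describes is three-legged OAuth 1.0a. The following is an added simulation of that flow, not code from the thread or from PayPal or eBay: an RP (the shop) obtains a request token from a payment provider acting as OAuth Service Provider, the user authenticates and approves at the SP only, and the RP exchanges the verified request token for an access token it then uses to charge. All endpoints, consumer keys, the account table and the HMAC-SHA1 signing helpers are constructed for the demo; the point it shows is that the RP never handles the user's SP password, and that an RP without the consumer secret, a wrong password, or a replayed request is refused.

```python
"""Three-legged OAuth 1.0a, simulated in-process: shop (RP/consumer) and
payment provider (OAuth SP). Endpoints, keys and accounts are constructed
for the demo; they are not real PayPal or eBay APIs."""
import base64, hashlib, hmac, secrets, time, urllib.parse

# Constructed demo endpoints and a fake SP account table.
URL_REQ = "https://sp.example/oauth/request_token"
URL_ACC = "https://sp.example/oauth/access_token"
URL_PAY = "https://sp.example/api/charge"
URL_CB = "https://rp.example/paypal/callback"
ACCOUNTS = {"alice": "correct horse battery staple"}


def pct(s):
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay bare.
    return urllib.parse.quote(str(s), safe="-._~")


def base_string(method, url, params):
    # Signature base string: METHOD & encoded URL & encoded sorted parameters.
    norm = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), pct(url), pct(norm)])


def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 over the base string, keyed with "consumer_secret&token_secret".
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


class ServiceProvider:
    """Holds the payment account; the only party that ever sees the user's password."""

    def __init__(self):
        self.consumers = {}        # consumer_key -> consumer_secret
        self.request_tokens = {}   # token -> {secret, consumer, callback, user, verifier}
        self.access_tokens = {}    # token -> {secret, consumer, user}
        self.used_nonces = set()   # (consumer_key, nonce) pairs already accepted

    def register_consumer(self, key, secret):
        self.consumers[key] = secret

    def _check(self, method, url, params, token_secret=""):
        # Verify the signature and reject nonce replay before touching any state.
        p = dict(params)
        presented = p.pop("oauth_signature", "")
        nonce = (p.get("oauth_consumer_key"), p.get("oauth_nonce"))
        if nonce in self.used_nonces:
            raise PermissionError("replayed nonce")
        secret = self.consumers.get(p.get("oauth_consumer_key"))
        if secret is None:
            raise PermissionError("unknown consumer")
        if not hmac.compare_digest(presented, sign(method, url, p, secret, token_secret)):
            raise PermissionError("bad signature")
        self.used_nonces.add(nonce)
        return p

    def request_token(self, params):
        p = self._check("POST", URL_REQ, params)
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[tok] = {"secret": sec, "consumer": p["oauth_consumer_key"],
                                    "callback": p["oauth_callback"], "user": None, "verifier": None}
        return tok, sec

    def authorize(self, token, user, password):
        # The user signs in here, at the SP, and approves the RP's request.
        if not hmac.compare_digest(ACCOUNTS.get(user, ""), password):
            raise PermissionError("login failed")
        rt = self.request_tokens[token]
        rt["user"], rt["verifier"] = user, secrets.token_hex(6)
        return rt["callback"], rt["verifier"]

    def access_token(self, params):
        rt = self.request_tokens.get(params.get("oauth_token"))
        if rt is None:
            raise PermissionError("unknown request token")
        p = self._check("POST", URL_ACC, params, rt["secret"])
        if rt["user"] is None or rt["consumer"] != p["oauth_consumer_key"] \
                or not hmac.compare_digest(rt["verifier"] or "", p.get("oauth_verifier", "")):
            raise PermissionError("request token not authorized for this consumer")
        del self.request_tokens[params["oauth_token"]]   # request tokens are single-use
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[tok] = {"secret": sec, "consumer": rt["consumer"], "user": rt["user"]}
        return tok, sec

    def charge(self, params):
        at = self.access_tokens.get(params.get("oauth_token"))
        if at is None:
            raise PermissionError("unknown access token")
        p = self._check("POST", URL_PAY, params, at["secret"])
        return {"payer": at["user"], "amount": p["amount"], "verified": True}


class RelyingParty:
    """The shop: signs each request with its consumer secret plus the token it holds."""

    def __init__(self, key, secret):
        self.key, self.secret = key, secret

    def signed(self, url, token=None, token_secret="", extra=None):
        p = {"oauth_consumer_key": self.key, "oauth_nonce": secrets.token_hex(8),
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())),
             "oauth_version": "1.0", **(extra or {})}
        if token:
            p["oauth_token"] = token
        p["oauth_signature"] = sign("POST", url, p, self.secret, token_secret)
        return p


def checkout(rp, sp, user, password, amount):
    """Run the three legs; the password is handed only to sp.authorize, never to the RP."""
    rt, rt_secret = sp.request_token(rp.signed(URL_REQ, extra={"oauth_callback": URL_CB}))
    callback, verifier = sp.authorize(rt, user, password)   # browser is redirected to the SP
    if callback != URL_CB:
        raise RuntimeError("SP returned to a callback the RP did not register")
    at, at_secret = sp.access_token(rp.signed(URL_ACC, rt, rt_secret, {"oauth_verifier": verifier}))
    return sp.charge(rp.signed(URL_PAY, at, at_secret, {"amount": amount}))


if __name__ == "__main__":
    sp = ServiceProvider()
    sp.register_consumer("shop-demo", "shop-consumer-secret")
    print(checkout(RelyingParty("shop-demo", "shop-consumer-secret"), sp,
                   "alice", ACCOUNTS["alice"], "19.99"))
```

The verifier on the third leg is what 1.0a added to stop a session-fixation problem in plain 1.0: the access token is only issued to the consumer that started the flow and that was redirected back with the verifier the user's approval produced.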


On Sun, Apr 26, 2009 at 5:54 AM, Santosh Rajan <santrajan at gmail.com> wrote:
I think Visa, Mastercard etc. will get into the act!
Incidentally, PayPal is in an excellent position to be an OP for shopping sites, because not only can it provide a verified email address, it can also tell the RP if the user is a PayPal verified user, i.e. he has a verified credit card. (Of course they will need to communicate this info somehow.)


On Sun, Apr 26, 2009 at 5:28 PM, Peter Williams <pwilliams at rapattoni.com> wrote:

So where are people planning on storing (partial) credit card data -

1. at the OP (PayPal OP model) attribute server
2. in the release module of the OP, under user control
3. at the discovery agent (user's XRDS, somehow protected)
4. one of the RPs
5. a super RP trusted by other RPs?


It's a good test of the UCI/openid model, as now we have a sensitive attribute to worry about. No one can just wave their hands and say: openid is for things that don't matter much...
________________________________________
From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of Santosh Rajan [santrajan at gmail.com]
Sent: Saturday, April 25, 2009 8:03 PM
To: general at openid.net
Subject: Re: [OpenID] Demo Travel/ retailshop

I am willing to help.


nieuwsgroep wrote:
>
> I think Brian Kissel and the others of the retail advisory committee
> (http://www.slideshare.net/bkkissel/openid-foundation-retail-advisory-committee-webinar?type=powerpoint)
> did a great job summarizing the benefits of OpenID for retailers. It really
> helps to discuss OpenID with some of the relying party decision makers.
>
> In addition to the presentation I think it would help a lot if these
> benefits can be shown in an online demo, convincing potential RPs to start
> a pilot project.
>
> Anyone working on a retail demo that shows the benefits by the following
> scenario:
>
> 1. Register online on a demo travel shop with an OpenID, collecting as
>    much profile data as possible to prefill the registration form.
>
> 2. Return to the travel site and easily log in with an OpenID.
>
> 3. Book a demo holiday and post this back to my IDP/social profile
>    (like Facebook or MySpace), telling my connections I planned a holiday
>    with DemoTravelshop.
>
> 4. Additionally, easily redirect (federated login) to a demo partner site
>    to rent a car.
>
> A good demo like this would complement the story to potential RPs and
> make it more tangible.
>
> Anyone working on such a demo, plans to, or willing to help on this?
>
> Kick
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>


-----

Santosh Rajan
http://santrajan.blogspot.com
--
View this message in context: http://www.nabble.com/Demo-Travel--retailshop-tp23236118p23238762.html
Sent from the OpenID - General mailing list archive at Nabble.com.
