[OpenID] OpenID 2.0, PAPE, and handling monetary transactions
John Panzer
jpanzer at acm.org
Wed Dec 5 20:36:45 UTC 2007
Johannes Ernst wrote:
> I'd like to take issue with the following statement that's being made
> all too often: [not picking on anybody in particular, just
> "established wisdom"]
>
>> the security requirements to authorize
>> financial transactions are much higher than the requirements to login to
>> most consumer oriented websites.
>
> Ahem, no?
>
> Just today, I ordered something from Amazon with no credential at all,
> just my credit card number and "security code" (also printed on the
> card) that every waiter knows in every restaurant I have ever been to.
>
> This is *less* security than username and password, not "much higher"
> as is generally stated.
Of course you're ignoring the risk mitigation (==security) provided by
the credit card anti-fraud measures and its safety net insurance policy
after the ($50?) deductible that keeps you from having your bank account
sucked dry. The _only_ reason you can get away with this is because of
that hidden security infrastructure -- and you and merchants pay for
that infrastructure.
A financial transaction where you, say, buy Enron stock is a quite
different matter.
> So, let's beware of blanket statements re security requirements ...
Agreed.
>
> Cheers,
>
>
>
> Johannes.
>
>
>
> Johannes Ernst
> NetMesh Inc.
> http://netmesh.info/jernst