[OpenID] OpenID 2.0, PAPE, and handling monetary transactions

Ben Bangert ben at groovie.org
Mon Nov 26 20:00:25 UTC 2007


I've been working on an OpenID 2.0 based application to replace a  
legacy system the past few months, and it's getting close to  
deployment (any day now!). Some interesting issues have come up since  
I first embarked on this project, mainly dealing with all the little  
details.

One of the most pressing is security. While OpenID 1.0 was  
originally created with the intention of making it easy to manage  
your identity, so you could post comments to blogs, etc., it is  
increasingly being used and added to systems that do so much more...  
like financial websites (some banks now take OpenID), and other  
online websites that might manage subscriptions or other activities  
linked to financial data. With such a move, the inability to do a few  
basic actions becomes a massive problem that I've experienced.

The most common need I have when dealing with a user account linked  
to financial information is, before anything can be changed, I want  
to ensure that they can still provide authentication credentials.  
PAPE supports a max-age limit where I can ensure a user has been able  
to sign in within a specific time frame, which appears to meet this  
need. However, whether or not the user's OP *really* honors it is  
questionable, and except for a small white-list of IDPs I can't really  
ensure that the user really has re-authenticated to their OP.

I've seen a few banks solve this problem by requiring security  
questions, so the security question is acting as a specific password  
that the bank can then use to ensure that you are you, rather than someone  
who got lucky sitting at another terminal. PAPE is only useful if  
you're absolutely sure the other website is actually honoring it,  
which naturally results in having to maintain a white-list of IDPs  
you can trust. And rather than having to restrict users to a  
white-list, I've gone with following the bank model and having OpenID users  
choose security questions (which is not as desirable as having PAPE I  
can trust).

To top it all off, PAPE is only Draft 1, which seems silly since so  
many sites are handling financial data, yet only now did this become  
a concern. Meanwhile the advocacy to "Support OpenID", etc. is in  
full gear, and it's rather frightening to think some sites may blindly  
start supporting OpenID without realizing it's missing something as  
basic as a way to ensure a user can re-authenticate (quite a few OPs  
have very long session timeouts).

As PAPE is an early draft, could it be extended to support some sort  
of trust signature that can be signed off on? This could help  
alleviate the need to maintain a white-list, by instead supporting  
any OP that has had its PAPE support verified by means of another  
service (maybe some OpenID non-profit that can cryptographically sign  
OPs?).

At the very least, it'd be exceptionally useful to those implementing  
OpenID on websites that do need to handle accounts linked to  
financial data, with a set of guidelines for:
* How to handle re-authentication (PAPE with white-list? Security  
questions?)
* Security considerations (Can't trust an OP, since anyone can run  
one, and *claim* it supports PAPE, i.e., no way to verify the claim)


Btw, thanks very much to the JanRain team for an excellent set of  
Python OpenID libraries that actually implement such early Drafts! :)

Cheers,
Ben
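The post describes two relying-party controls: checking a PAPE max-age response only when the OP is on a white-list whose PAPE support has been verified, and falling back to a bank-style security question otherwise. The following is an added example written for this page, not code from the post or from the JanRain libraries, showing how an RP could combine both before allowing a change to financially linked account data. It assumes the OP used the alias `pape` for the PAPE namespace, that `openid.pape.auth_time` is a UTC timestamp of the form `2007-11-26T20:00:25Z`, and uses a constructed white-list entry and a constructed positive assertion; signature verification of the assertion itself is assumed to have already been done by the OpenID library.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed white-list: OP endpoints whose PAPE handling this RP has
# verified out of band (hypothetical URL, not a real OP).
TRUSTED_PAPE_OPS = {"https://op.example.com/server"}

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
CLOCK_SKEW = timedelta(minutes=5)  # tolerate small OP/RP clock drift

# Constructed positive assertion from the white-listed OP (sample data only).
SAMPLE_RESPONSE = {
    "openid.op_endpoint": "https://op.example.com/server",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                     "response_nonce,assoc_handle,ns.pape,"
                     "pape.auth_time,pape.auth_policies",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_time": "2007-11-26T19:50:00Z",
    "openid.pape.auth_policies": "none",
}
NOW = datetime(2007, 11, 26, 20, 0, 25, tzinfo=timezone.utc)


def parse_auth_time(value):
    """Parse a PAPE auth_time value (assumed format YYYY-MM-DDThh:mm:ssZ, UTC)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def pape_fields_signed(args, alias="pape"):
    """True if the PAPE namespace declaration and auth_time are covered by
    openid.signed, so an unsigned auth_time cannot be injected into the response."""
    signed = set(args.get("openid.signed", "").split(","))
    ns_ok = args.get("openid.ns." + alias) == PAPE_NS
    return ns_ok and {"ns." + alias, alias + ".auth_time"} <= signed


def reauth_decision(args, max_auth_age, now):
    """Decide whether an assertion proves re-authentication within max_auth_age seconds.
    Returns ('allow', reason) or ('step_up', reason); 'step_up' means the RP must
    run its own check (the security question) before touching financial data."""
    if args.get("openid.op_endpoint") not in TRUSTED_PAPE_OPS:
        return "step_up", "OP not on the verified-PAPE white-list"
    if not pape_fields_signed(args):
        return "step_up", "PAPE fields not covered by the signature"
    try:
        auth_time = parse_auth_time(args["openid.pape.auth_time"])
    except (KeyError, ValueError):
        return "step_up", "missing or malformed auth_time"
    if auth_time > now + CLOCK_SKEW:
        return "step_up", "auth_time lies in the future"
    if now - auth_time > timedelta(seconds=max_auth_age):
        return "step_up", "auth_time older than max_auth_age"
    return "allow", "fresh authentication asserted by a trusted OP"


def _normalize(answer):
    # Case- and whitespace-insensitive so "Fluffy" and " fluffy " match.
    return " ".join(answer.strip().lower().split())


def enroll_security_answer(answer, salt=None):
    """Store a salted PBKDF2 hash of the answer, never the answer itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, 100_000)
    return salt, digest


def verify_security_answer(answer, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def authorize_sensitive_change(args, max_auth_age, now, answer=None, enrolled=None):
    """Full gate: accept PAPE from a trusted OP, otherwise require the security answer."""
    decision, reason = reauth_decision(args, max_auth_age, now)
    if decision == "allow":
        return True, reason
    if answer is not None and enrolled is not None and verify_security_answer(answer, *enrolled):
        return True, reason + "; security question answered"
    return False, reason + "; security question required"


if __name__ == "__main__":
    print(reauth_decision(SAMPLE_RESPONSE, 3600, NOW))
    enrolled = enroll_security_answer("Fluffy")
    untrusted = dict(SAMPLE_RESPONSE, **{"openid.op_endpoint": "https://other.example.net/"})
    print(authorize_sensitive_change(untrusted, 3600, NOW, "fluffy", enrolled))
```

The decision function treats every failure (unknown OP, unsigned PAPE fields, malformed or stale `auth_time`) the same way, as a step-up to the RP's own security question, so an OP that merely claims PAPE support gains nothing it could not already get.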