[OpenID] OpenID 2.0, PAPE, and handling monetary transactions
Ben Bangert
ben at groovie.org
Mon Nov 26 20:00:25 UTC 2007
I've been working on an OpenID 2.0 based application to replace a
legacy system the past few months, and it's getting close to
deployment (any day now!). Some interesting issues have come up since
I first embarked on this project, mainly dealing with all the little
details.
One of the most pressing is security. While OpenID 1.0 was
originally created with the intention of making it easy to manage
your identity, so you could post comments to blogs, etc., it is
increasingly being used and added to systems that do so much more....
like financial websites (some banks now take OpenID), and other
online websites that might manage subscriptions or other activities
linked to financial data. With such a move, the inability to do a few
basic actions becomes a massive problem that I've experienced.
The most common need I have when dealing with a user account linked
to financial information is, before anything can be changed, to
ensure that they can still provide authentication credentials.
PAPE supports a max-age limit where I can ensure a user has been able
to sign-in within a specific time frame, which appears to meet this
need. However, whether or not the user's OP *really* honors it, is
questionable, and except for a small white-list of IDPs I can't really
ensure that the user really has re-authenticated to their OP.
I've seen a few banks solve this problem by requiring security
questions, so the security question is acting as a specific password
that the bank can then ensure that you are you, rather than someone
who got lucky sitting at another terminal. PAPE is only useful if
you're absolutely sure the other website is actually honoring it,
which naturally results in having to maintain a white-list of IDPs
you can trust. And rather than having to restrict users to a
white-list, I've gone with following the bank model and having OpenID
users choose security questions (which is not as desirable as having
PAPE I can trust).
To top it all off, PAPE is only Draft 1, which seems silly since so
many sites are handling financial data, that only now did this become
a concern. Meanwhile the advocacy to "Support OpenID", etc. is in
full gear, and it's rather frightening to think some sites may blindly
start supporting OpenID without realizing it's missing something as
basic as a way to ensure a user can re-authenticate (quite a few OPs
have very long session timeouts).
As PAPE is an early draft, could it be extended to support some sort
of trust signature that can be signed off on? This could help
alleviate the need to maintain a white-list, by instead supporting
any OP that has had its PAPE support verified by means of another
service (maybe some OpenID non-profit that can cryptographically sign
OPs?).
At the very least, it'd be exceptionally useful to those implementing
OpenID on websites that do need to handle accounts linked to
financial data, with a set of guidelines for:
* How to handle re-authentication (PAPE with white-list? Security
questions?)
* Security considerations (Can't trust an OP, since anyone can run
one, and *claim* it supports PAPE, i.e., no way to verify the claim)
Btw, thanks very much to the JanRain team for an excellent set of
Python OpenID libraries that actually implement such early Drafts! :)
Cheers,
Ben
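The relying-party-side decision the post describes (honor PAPE max_auth_age only for OPs on a white-list, otherwise fall back to a security question), as an added example that is not part of the original message and is not code from python-openid or any other OpenID library. It assumes the RP sent openid.pape.max_auth_age=300 with its checkid_setup request, that the positive assertion below has already passed normal OpenID 2.0 signature, nonce and return_to verification, and that the OP endpoint URL is the one obtained by discovery. The OP URLs, identifiers, nonce, signature value, and the 60-second clock-skew allowance are constructed for the example.

```python
"""RP-side check of a PAPE max_auth_age response (added example).

Not python-openid code. Assumes the assertion below already passed
OpenID 2.0 signature/nonce/return_to verification, and that the RP
requested openid.pape.max_auth_age=300. Sample values are constructed.
"""
from datetime import datetime, timedelta, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
MAX_AUTH_AGE = 300       # seconds; value the RP sent as openid.pape.max_auth_age
MAX_CLOCK_SKEW = 60      # seconds of OP/RP clock drift tolerated (assumption)

# Assumption: OPs this RP has verified actually re-prompt for credentials
# when max_auth_age is requested. Any other OP gets the security question.
TRUSTED_PAPE_OPS = {"https://op.example/server"}   # constructed URL

FRESH = "fresh"       # accept the PAPE assertion, allow the change
STEP_UP = "step_up"   # challenge with the security question first


def pape_alias(response):
    """Return the extension alias the OP bound to the PAPE namespace, if any."""
    for key, value in response.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def parse_auth_time(value):
    """PAPE auth_time is UTC in the form YYYY-MM-DDThh:mm:ssZ."""
    if not isinstance(value, str):
        return None
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def evaluate_pape(response, now, max_auth_age=MAX_AUTH_AGE, trusted_ops=TRUSTED_PAPE_OPS):
    """Return (outcome, reason) for a verified positive assertion dict."""
    # Anyone can run an OP and claim PAPE support, so the max_auth_age
    # assertion is only meaningful from an OP we have checked ourselves.
    if response.get("openid.op_endpoint") not in trusted_ops:
        return STEP_UP, "OP is not on the list of OPs verified to honor max_auth_age"
    alias = pape_alias(response)
    if alias is None:
        return STEP_UP, "OP returned no PAPE response"
    # openid.signed lists field names without the "openid." prefix.
    # Unsigned PAPE fields could be appended by whoever relays the response.
    signed = set(response.get("openid.signed", "").split(","))
    if f"ns.{alias}" not in signed or f"{alias}.auth_time" not in signed:
        return STEP_UP, "PAPE fields are not covered by the assertion signature"
    auth_time = parse_auth_time(response.get(f"openid.{alias}.auth_time"))
    if auth_time is None:
        return STEP_UP, "auth_time missing or not YYYY-MM-DDThh:mm:ssZ"
    if auth_time - now > timedelta(seconds=MAX_CLOCK_SKEW):
        return STEP_UP, "auth_time lies in the future"
    if now - auth_time > timedelta(seconds=max_auth_age):
        return STEP_UP, "last authentication is older than max_auth_age"
    return FRESH, "OP asserts a signed authentication within max_auth_age"


# Constructed positive assertion, as the RP sees it after verification.
NOW = datetime(2007, 11, 26, 20, 0, 25, tzinfo=timezone.utc)
SAMPLE_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/server",
    "openid.claimed_id": "https://alice.op.example/",
    "openid.identity": "https://alice.op.example/",
    "openid.return_to": "https://rp.example/openid/return",
    "openid.response_nonce": "2007-11-26T19:58:10ZabcDEF",
    "openid.assoc_handle": "assoc-1",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": "http://schemas.openid.net/pape/policies/2007/06/none",
    "openid.pape.auth_time": "2007-11-26T19:58:03Z",   # 142 s before NOW
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.pape,pape.auth_policies,pape.auth_time",
    "openid.sig": "c2lnbmF0dXJl",                      # placeholder, not checked here
}


def demo():
    """Run the check over the good assertion and three degraded variants."""
    stale = dict(SAMPLE_RESPONSE, **{"openid.pape.auth_time": "2007-11-26T10:00:00Z"})
    unsigned = dict(SAMPLE_RESPONSE, **{"openid.signed":
                    "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"})
    rogue = dict(SAMPLE_RESPONSE, **{"openid.op_endpoint": "https://rogue.example/server"})
    return {name: evaluate_pape(resp, NOW)
            for name, resp in [("good", SAMPLE_RESPONSE), ("stale", stale),
                               ("unsigned", unsigned), ("rogue", rogue)]}


if __name__ == "__main__":
    for name, (outcome, reason) in demo().items():
        print(f"{name:9s} {outcome:8s} {reason}")
```

The white-list is the part that actually carries the trust: everything else in the check only confirms that a white-listed OP's assertion is intact and recent. An OP that is not on the list is handled exactly as the post's bank model handles it, by asking the security question, so adding an OP to the list is the only place where a decision to trust its PAPE implementation is made.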