[OpenID] OpenID 2.0, PAPE, and handling monetary transactions
Terry Hayes
Terry.Hayes at corp.aol.com
Mon Nov 26 21:04:13 UTC 2007
I'm always surprised that people are considering using OpenID for
financial transactions (at least right now). OpenID has a lot to
offer without being used at sites that require the highest levels of
security. However, since the question was asked, I'll respond to a
few points below.
Terry
On Nov 26, 2007, at 12:00, Ben Bangert wrote:
> I've been working on an OpenID 2.0 based application to replace a
> legacy system the past few months, and it's getting close to
> deployment (any day now!). Some interesting issues have come up
> since I first embarked on this project, mainly dealing with all the
> little details.
>
> One of the most pressing, is security. While OpenID 1.0 was
> originally created with the intention of making it easy to manage
> your identity, so you could post comments to blogs, etc. it is
> increasingly being used and added to systems that do so much
> more.... like financial websites (some banks now take OpenID), and
> other online websites that might manage subscriptions or other
> activities linked to financial data. With such a move, the
> inability to do a few basic actions becomes a massive problem that
> I've experienced.
Can you tell me which banks have adopted OpenID for authentication?
Mine certainly hasn't. Are they allowing all types of transactions
based on OpenID? How does a user's OpenID become associated with
their account?
I certainly don't expect my bank or my brokerage to adopt OpenID.
I'm comfortable managing passwords for those sites separately.
OpenID would be great for lots of other places, like my New York
Times account, my blog, or even my Tivo or Netflix accounts.
>
> The most common need I have when dealing with a user account linked
> to financial information, is before anything can be changed, I want
> to ensure that they can still provide authentication credentials.
> PAPE supports a max-age limit where I can ensure a user has been
> able to sign-in within a specific time frame, which appears to meet
> this need. However, whether or not the user's OP *really* honors
> it, is questionable, and except for a small white-list of IDP I
> can't really ensure that the user really has re-authenticated to
> their OP.
I don't know all the details of PAPE (I'm way behind on some of the
proposed extensions), but I'm going to assume that part of the OpenID
authentication response includes a (signed) statement that certain
PAPE requests were satisfied (in this case "max-age"). In other
words, the OP is asserting that it honors PAPE.
In the world of OpenID, you (the bank or other RP) need to accept the
OP's PAPE statement. OpenID transfers control of a user's identity
to the user. They are free to select a provider that gives them a
set of features and a level of security that makes them comfortable.
It is the user's responsibility to choose an appropriate OP, one that
actually implements the portions of the specifications they will need
for the sites they visit.
That said, it's perfectly reasonable for the bank (or other RP) to
notify the user that they need to take appropriate care in selecting
an OP. Clearly, there is a registration step where the bank
associates an account with an OpenID serviced by the user's chosen
OP. (This may be at each login, if the OP changes in the delegated
case.) At that point, the RP can require the user to agree that
they are taking appropriate care. Most institutions already do this
when dealing with the user's management of passwords. ("You must
keep the password to yourself...")
Again, this is just a result of the way OpenID puts the user in control.
>
> I've seen a few banks solve this problem by requiring security
> questions, so the security question is acting as a specific
> password that the bank can then ensure that you are you, rather
> than someone who got lucky sitting at another terminal. PAPE is
> only useful if you're absolutely sure the other website is actually
> honoring it, which naturally results in having to maintain a white-
> list of IDP's you can trust. And rather than having to restrict
> users to a white-list, I've gone with following the bank model and
> having OpenID users choose security questions (which is not as
> desirable as having PAPE I can trust).
In fact, I would be unhappy having to provide answers to security
questions to some entity other than my OP. The idea of designating
an OP is to get most of the identity information in a single trusted
and managed location. Spreading answers to personal questions around
to various RPs (financial institutions or not) is moving in the wrong
direction.
>
> To top it all off, PAPE is only Draft 1, which seems silly since so
> many sites are handling financial data, that only now did this
> become a concern. Meanwhile the advocacy to "Support OpenID", etc.
> is in full gear, and it's rather frightening to think some sites may
> blindly start supporting OpenID without realizing it's missing
> something as basic as a way to ensure a user can re-authenticate
> (quite a few OP's have very long session timeouts).
Again, I'm surprised to hear that "so many sites are handling
financial data". It is certainly not my sense that the "Support
OpenID" advocacy (as you call it) is pushing sites with high value
transactions in this direction at all.
If the OpenID community does want to push in this direction, there
are other things to worry about first, such as consistent and working
support for SSL-based OpenIDs (https URLs).
>
> As PAPE is an early draft, could it be extended to support some
> sort of trust signature that can be signed off on? This could help
> alleviate the need to maintain a white-list, by instead supporting
> any OP that has had its PAPE support verified by means of another
> service (maybe some OpenID non-profit that can cryptographically
> sign OP's?).
Again, the OpenID model puts the user in charge. The financial
institution's customer needs to select a provider that delivers the
appropriate level of security, which may include correctly
implementing PAPE.
>
> At the very least, it'd be exceptionally useful to those
> implementing OpenID on websites that do need to handle accounts
> linked to financial data, with a set of guidelines for:
> * How to handle re-authentication (PAPE with white-list? Security
> questions?)
> * Security considerations (Can't trust an OP, since anyone can run
> one, and *claim* it supports PAPE, ie, no way to verify the claim)
PAPE may be the appropriate solution for "re-authentication". As far
as "anyone can run" a provider, it's up to the user to choose a good
one, and up to the bank (or other RP) to inform the user of their
responsibility and liability.
>
>
> Btw, thanks very much to the JanRain team for an excellent set of
> Python OpenID libraries that actually implement such early Drafts! :)
>
> Cheers,
> Ben
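As an added illustration of the RP-side check discussed in this thread (this is example code, not from the thread or from the JanRain libraries): take the OP's positive assertion after its signature has been verified, confirm that the PAPE namespace and auth_time fields are actually in the signed field list, and compare auth_time with the max_auth_age the RP asked for. The sample responses are constructed; field names follow PAPE draft 1, and, as Terry notes, a passing check only tells the RP what the OP asserts about itself.

```python
from datetime import datetime, timedelta, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"

def pape_alias(params):
    """Return the namespace alias the OP used for PAPE, or None if absent."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None

def check_pape_max_age(params, max_auth_age, now):
    """Return (ok, reason) for a signature-verified id_res response.
    `max_auth_age` is the limit (seconds) the RP put in its request."""
    alias = pape_alias(params)
    if alias is None:
        return False, "OP response carries no PAPE namespace"
    # openid.signed lists field names without the "openid." prefix;
    # an unsigned PAPE field could have been added by anyone in the path.
    signed = set(params.get("openid.signed", "").split(","))
    ns_field, time_field = "ns." + alias, alias + ".auth_time"
    if ns_field not in signed or time_field not in signed:
        return False, "PAPE fields are not covered by the OP signature"
    raw = params.get("openid." + time_field)
    if raw is None:
        return False, "OP did not report auth_time"
    try:  # PAPE auth_time is ISO 8601 in UTC, e.g. 2007-11-26T21:04:13Z
        auth_time = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return False, "auth_time is not ISO 8601 UTC"
    auth_time = auth_time.replace(tzinfo=timezone.utc)
    if auth_time > now + timedelta(minutes=5):
        return False, "auth_time is in the future"
    age = (now - auth_time).total_seconds()
    if age > max_auth_age:
        return False, "last authentication is %d s old, limit %d s" % (age, max_auth_age)
    return True, "re-authenticated %d s ago" % age

# Constructed sample assertions (not real OP traffic).
NOW = datetime(2007, 11, 26, 21, 4, 13, tzinfo=timezone.utc)
BASE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.ns.pape": PAPE_NS,
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                     "response_nonce,assoc_handle,ns.pape,pape.auth_time",
}
FRESH = dict(BASE, **{"openid.pape.auth_time": "2007-11-26T21:02:00Z"})
STALE = dict(BASE, **{"openid.pape.auth_time": "2007-11-26T10:00:00Z"})
UNSIGNED = dict(FRESH)  # same auth_time, but PAPE fields left out of openid.signed
UNSIGNED["openid.signed"] = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
```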