[OpenID] OpenID 2.0, PAPE, and handling monetary transactions

Ben Bangert ben at groovie.org
Mon Nov 26 23:06:08 UTC 2007


On Nov 26, 2007, at 1:45 PM, Dick Hardt wrote:

> A search of openid on the site usaa.com gave no results:
> 	http://www.google.com/search?q=openid+site%3Ausaa.com
>
> That wiki entry looks over a year old, which also then predates  
> PAPE. It is not clear, but it would seem that whoever wrote the  
> entry was thinking that USAA would be issuing the OpenID.

A friend of mine who has an account with them said the OpenID dialog  
only comes up if you have an account with them and selected the  
option. It's definitely implemented and running right now.

> Looks like Terry accurately addressed your other comments.
>
> Personally, I think anyone that used OpenID Authentication for  
> financial transactions would be crazy. I think we need to move  
> OpenID to a new level for it to be used for transactions any more  
> sensitive than social networking and blog commenting.

So your online identity, who the world sees you as, your posts around  
the net, your online 'reputation' really, is not as important as  
securing a financial transaction? I personally would consider it  
incredibly damaging to have someone running around the net who  
hijacked a cookie off me. Sure the person hijacking my OpenID can't  
access my financial data, but I consider my online reputation rather  
valuable as well.

It just depresses me a bit that this seems to come down to, "OpenID,  
use it if you need something slightly better than anonymous  
comments". Why bother with being phishing resistant, or addressing  
any of the other security issues that OpenID has been attempting to  
tackle, if it's just to secure some blog comments?

At the very least, I think it would be prudent in light of this, to  
have a nice big disclaimer on the openid.net developers page clearly  
saying, "OpenID is for things of little value, like blog comments and  
sites that never touch money." I'm speaking here in utter frustration  
of having spent quite a bit of time going over PAPE, and OpenID 2.0  
with the apparently crazy belief that OpenID is suitable for more  
than merely blog commenting.

Cheers,
Ben