[OpenID] OpenID 2.0, PAPE, and handling monetary transactions
Gabe Wachob
gabe.wachob at amsoft.net
Tue Nov 27 00:18:22 UTC 2007
I haven't been part of PAPE, but I think the right view is one of
incremental advancement towards the point where it's not insane to use
OpenID for user authentication in "transactions of value". You may just be
ahead of the curve. I think PAPE is one step - signatures of PAPE statements
may or may not be the next step.
When you deal with "transactions of value", use of OpenID has to be analyzed
in the context of the overall transaction flow, and with the mindset of
risk/benefit analysis, not just "security". I'm not sure that's going to
happen entirely in an open environment like these email lists - it may be
that the analysis is already happening in private, and that mitigation
factors to the obvious security issues are already being put in place for
certain transactions among certain RPs and OPs.
Or maybe it isn't.
In any case, these RPs will have to make the call about the benefit of
OpenID in their business context. For example, in many cases involving highly
regulated industries such as banking or electronic payments, it is the RPs
and NOT the users that bear the risk (or at least a good deal of the risk)
of an authentication failure. Thus, the argument for OpenID's benefits takes
on a different character in that environment, and OpenID uptake is probably
driven by a more concentrated, homogenous group than we have been seeing for
general OpenID adoption (e.g. Visa or the American Bankers Association or
FSTC, not the current OpenID community). Of course, these organizations have
their own interests, their own constraints, and their own time horizons.
What this community (us here) *can* do is demonstrate how legacy
authentication mechanisms, such as biometrics, OTP, etc. (which are more well
known to the "transaction of value" communities) can be used with OpenID in
a trustable way. And this community (us here) probably has a lot of
learning to do about risk analysis and how mitigation techniques go beyond
technological solutions. Both communities have a lot to learn from each
other and I think it's going to take a while, but I am optimistic.
-Gabe
P.S. Apologies for the generalizations about "this community" - I know I'm
preaching to the choir for some folks here.
_____
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Ben Bangert
Sent: Monday, November 26, 2007 3:06 PM
To: Dick Hardt
Cc: openid-general General
Subject: Re: [OpenID] OpenID 2.0, PAPE, and handling monetary transactions
On Nov 26, 2007, at 1:45 PM, Dick Hardt wrote:
> A search of openid on the site usaa.com gave no results:
> http://www.google.com/search?q=openid+site%3Ausaa.com
> That wiki entry looks over a year old, which also then predates PAPE. It is
> not clear, but it would seem that whoever wrote the entry was thinking that
> USAA would be issuing the OpenID.
A friend of mine who has an account with them said the OpenID dialog only
comes up if you have an account with them and selected the option. It's
definitely implemented and running right now.
Looks like Terry accurately addressed your other comments.
> Personally, I think anyone that used OpenID Authentication for financial
> transactions would be crazy. I think we need to move OpenID to a new level
> for it to be used for transactions any more sensitive than social networking
> and blog commenting.
So your online identity, who the world sees you as, your posts around the
net, your online 'reputation' really, is not as important as securing a
financial transaction? I personally would consider it incredibly damaging to
have someone running around the net who hijacked a cookie off me. Sure the
person hijacking my OpenID can't access my financial data, but I consider my
online reputation rather valuable as well.
It just depresses me a bit that this seems to come down to, "OpenID, use it
if you need something slightly better than anonymous comments". Why bother
with being phishing resistant, or addressing any of the other security
issues that OpenID has been attempting to tackle, if it's just to secure some
blog comments?
At the very least, I think it would be prudent in light of this, to have a
nice big disclaimer on the openid.net developers page clearly saying,
"OpenID is for things of little value, like blog comments and sites that
never touch money." I'm speaking here in utter frustration of having spent
quite a bit of time going over PAPE, and OpenID 2.0 with the apparently
crazy belief that OpenID is suitable for more than merely blog commenting.
Cheers,
Ben