[OpenID] OpenID 2.0, PAPE, and handling monetary transactions
Peter Williams
pwilliams at rapattoni.com
Tue Nov 27 00:34:35 UTC 2007
For any deployment of openid at a bank, i'm interested in the risk management department's decision on which modes and which encryption features (of several supported by the std) the bank was willing to endorse.
For example, one can use none of the ciphering mechanims specified in the std - delegating the security controls rather to the bearer (e.g. Ssl handshake using a visa-endorsed DH ciphersuite and subsequent data integrity). Similarly, one might argue reasonably that using foreground channels exclusively makes the openid flow comply with the SET rules for moto transactions crossing the interchange, as exploited similarly in 3dsecure sso. Alternatively, the payment flows may be restricted to certain payment gateways and acquirers, which ensure the transaction is cleared internally.
All in all its an excellent test case to see what has been done - and in a way that can be rated against stable security criteria and risk management techniques. The accomodations made (if any) to bring openid into the mainstream are well worth documenting. Someone should give the bank cio a medal - for taking the same kind of forward thinking posture that wells fargo took in 1995 when adopting ssl V2.
-----Original Message-----
From: Ben Bangert <ben at groovie.org>
Sent: Monday, November 26, 2007 4:11 PM
To: Terry Hayes <Terry.Hayes at corp.aol.com>
Cc: openid-general General <general at openid.net>
Subject: Re: [OpenID] OpenID 2.0, PAPE, and handling monetary transactions
On Nov 26, 2007, at 1:04 PM, Terry Hayes wrote:
> Can you tell me which banks have adopted OpenID for
> authentication? Mine certainly hasn't. Are they allowing all
> types of transactions based on OpenID? How does a user's OpenID
> become associated with their account?
USAA does, not sure as I haven't used it myself.
> I certainly don't expect my bank or my brokerage to adopt OpenID.
> I'm comfortable managing passwords for those sites separately.
> OpenID would be great for lots of other places, like my New York
> Times account, my blog, or even my Tivo or Netflix accounts.
Tivo and Netflix both have financial data, since you can change your
subscription level. As Dick Hardt notes, OpenID should never be used
for Tivo, Netflix, NY Times (since NY Times accounts can be linked to
financial data, though they may have dropped this), and many other
sites that in some way do handle financial information.
> In the world of OpenID, you (the bank or other RP) need to accept
> the OP's PAPE statement. OpenID transfers control of a user's
> identity to the user. They are free to select a provider that
> gives them a set of features and a level of security that makes
> them comfortable. It is the user's responsibility to choose an
> appropriate OP, one that actually implements the portions of the
> specifications they will need for the sites they visit.
Agreed, however as a website developer I generally want to protect
users from their own insecure choices. Ie, users will happily choose
easy to guess passwords given the ability to do so. It would be nice
to have a way to verify sets of OP's that properly honor PAPE,
instead of relying on the user to know what their OP does and doesn't
do.
> That said, it's perfectly reasonable for the bank (or other RP) to
> notify the user that they need to take appropriate care in
> selecting an OP. Clearly, there is a registration step where the
> bank associates an account with an OpenID serviced by the user's
> chosen OP. (This may be at each login, if the OP changes in the
> delegated case.) At that point, the RP can in require the user to
> agree that they are taking appropriate care. Most institutions
> already do this when dealing with the user's management of
> passwords. ("You must keep the password to yourself...")
>
> Again, this is just a result of the way OpenID puts the user in
> control.
Most users are not security experts, nor know much about security. Is
OpenID for the geek, or the average person? Putting a big red notice,
"Warning, only use OpenID if you are *Absolutely* sure it properly
honors the PAPE extension" seems like a sure way to get no one but
the very brave to use it.
> In fact, I would be unhappy having to provide answers to security
> questions to some entity other than my OP. The idea of designating
> an OP is to get most of the identity information in a single
> trusted and managed location. Spreading answers to personal
> questions around to various RPs (financial institutions or not) is
> moving in the wrong direction.
In this case, its the only way for the RP to know with certainty (as
much as possible online at least) you're still at the helm of the
computer. If the RP doesn't know you had to just log in again, you
could be sitting at a terminal with a still active OpenID session
that someone left an hour ago.
> Again, I'm surprised to hear that "so many sites are handling
> financial data". It is certainly not my sense that the "Support
> OpenID" advocacy (as you call it) is pushing sites with high value
> transactions in this direction at all.
>
> If the OpenID community does want to push in this direction, there
> are other things to worry about first, such as consistent and
> working support for SSL-based OpenIDs (https URLs).
When I refer to 'financial data', I mean any site that has some means
to cause you to incur additional financial expenses. There's a lot of
these, like Netflix, and Tivo, BaseCamp, and other sites which have
various subscription levels, credit cards on file, etc. If you can
change billing options, order stuff, etc. the site is dealing in
financial transactions.
Some of these sites ask for a bit of your credit card before having
you change options in your account, while others require a security
question, or your password. With OpenID, no password, so the choice
is a bit of credit card data, or the security question. I was just
referring to the need for 'something' else to verify the user is
still there, and is the right user before performing an option that
can cause a financial transaction.
I don't see why its so crazy to let someone login with OpenID if you
protect the additional actions that can incur a cost with a security
question or some other form of verification that you can verify
without relying on the OP. These websites do not generally have
financial transactions as the centerpiece of their usage, but may be
subscription based, or occasionally cause a financial transaction to
occur.
I'd really like to see a growth in adoption of OpenID, and having a
set of recommendations for how to handle actions that can cost a user
money in a secure manner even if they login with OpenID seems prudent.
Cheers,
Ben
More information about the general
mailing list