[OpenID] OpenID 2.0, PAPE, and handling monetary transactions

Ben Bangert ben at groovie.org
Tue Nov 27 01:05:17 UTC 2007


On Nov 26, 2007, at 4:18 PM, Gabe Wachob wrote:

> I haven’t been part of PAPE, but I think the right view is one of  
> incremental advancement towards the point where it’s not insane to  
> use OpenID for user authentication in “transactions of value”. You  
> may just be ahead of the curve. I think PAPE is one step –  
> signatures of PAPE statements may or may not be the next step.

Thanks Gabe, the mere existence of PAPE seemed like a very clear  
indicator of this as well. I'm still confused why Dick Hardt  
considered it crazy to use

> When you deal with “transactions of value”, use of OpenID has to be  
> analyzed in the context of the overall transaction flow, and with  
> the mindset of risk/benefit analysis, not just “security”. I’m not  
> sure that’s going to happen entirely in an open environment like  
> these email lists – it may be that the analysis is already  
> happening in private, and that mitigation factors to the obvious  
> security issues are already being put in place for certain  
> transactions among certain RPs and OPs.

Yep, this was what I was referring to about white-listing OPs that I  
know are honoring PAPE properly so that I can rely on their  
authentication rather than keeping my own batch of security questions  
or some other financial data for verification.

> In any case, these RPs will have to make the call about the benefit  
> of OpenID in their business context. For example, in many cases  
> involving highly regulated industries such as banking or electronic  
> payments, it is the RPs and NOT the users that bear the risk (or at  
> least a good deal of the risk) of an authentication failure. Thus,  
> the argument for OpenID’s benefits takes on a different character  
> in that environment, and OpenID uptake is probably driven by a more  
> concentrated, homogenous group than we have been seeing for general  
> OpenID adoption (e.g. Visa or the American Bankers Association or  
> FSTC, not the current OpenID community). Of course, these  
> organizations have their own interests, their own constraints, and  
> their own time horizons.

Right, this is why I was rather alarmed to see the apparent belief  
that the user should be left to decide whether their OP is 'secure',  
when many times the one that can lose in the transaction is the RP if  
the user chooses poorly. What I've generally seen happen is the user  
does something stupid, a transaction is run, the user notices and  
reports it as a stolen/unauthorized transaction, and the credit card  
company charges it back to the RP in question. So relying on a user  
to choose a 'secure' OP is out of the question.

> What this community (us here) *can* do is demonstrate how legacy  
> authentication mechanisms, such as biometrics, OTP, etc (which are  
> more well known to the “transaction of value” communities) can be  
> used with OpenID in a trustable way. And this community (us here)  
> probably has a lot of learning to do about risk analysis and how  
> mitigation techniques go beyond technological solutions. Both  
> communities have a lot to learn from each other and I think it's  
> going to take a while, but I am optimistic.

I'd also love to see this happen.

Cheers,
Ben
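The RP-side check Ben describes (only relying on PAPE assertions from OPs the RP has vetted, rather than letting the user decide whether their OP is "secure") looks roughly like the following. This is an added example, not code from Ben's message or from the OpenID/PAPE specifications; the OP endpoint, claimed identifier, signed-field list and timestamps are constructed, the allow-list is hypothetical, and it assumes the RP's OpenID library has already verified the signature over `openid.signed` (via check_authentication or an established association). It applies the policy layer on top of that: allow-listed OP, PAPE fields covered by the signature, required policies actually asserted, and a fresh `auth_time`.

```python
"""Policy checks on a PAPE-bearing OpenID 2.0 positive assertion.

Added example (not from the thread or the specs). Assumes the response
signature has already been verified; this only decides whether the RP
should rely on the OP's PAPE claims for a transaction of value.
"""
from datetime import datetime, timedelta, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
POLICY_BASE = "http://schemas.openid.net/pape/policies/2007/06/"
PHISHING_RESISTANT = POLICY_BASE + "phishing-resistant"
MULTI_FACTOR = POLICY_BASE + "multi-factor"
MULTI_FACTOR_PHYSICAL = POLICY_BASE + "multi-factor-physical"
POLICY_NONE = POLICY_BASE + "none"  # OP asserts that no policy was met

# Hypothetical allow-list: OP endpoints this RP has vetted for honest PAPE behaviour.
TRUSTED_OP_ENDPOINTS = {"https://op.example.com/server"}


def _pape_alias(params):
    """Return the extension alias bound to the PAPE namespace (e.g. 'pape'), or None."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def evaluate_pape_assertion(params, required_policies, max_auth_age, now,
                            trusted_ops=TRUSTED_OP_ENDPOINTS):
    """Return (accepted, reason) for a dict of signature-verified openid.* fields."""
    # 1. The RP, not the user, decides which OPs' claims are worth relying on.
    if params.get("openid.op_endpoint") not in trusted_ops:
        return False, "OP endpoint not on the RP allow-list"

    alias = _pape_alias(params)
    if alias is None:
        return False, "response carries no PAPE namespace"

    # 2. PAPE fields must be inside openid.signed, otherwise they are unauthenticated.
    signed = set(params.get("openid.signed", "").split(","))
    needed = {f"ns.{alias}", f"{alias}.auth_policies", f"{alias}.auth_time"}
    missing = needed - signed
    if missing:
        return False, f"PAPE fields not signed: {sorted(missing)}"

    # 3. auth_policies is a space-separated list of policy URIs the OP actually enforced.
    policies = set(params.get(f"openid.{alias}.auth_policies", "").split())
    policies.discard(POLICY_NONE)
    unmet = required_policies - policies
    if unmet:
        return False, f"required PAPE policies not met: {sorted(unmet)}"

    # 4. auth_time is UTC ISO 8601 with a trailing Z; reject stale or future values.
    raw = params.get(f"openid.{alias}.auth_time", "")
    try:
        auth_time = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, f"unparseable auth_time: {raw!r}"
    if auth_time > now + timedelta(minutes=5):
        return False, "auth_time is in the future"
    if now - auth_time > max_auth_age:
        return False, "authentication too old for this transaction"
    return True, "accepted"


# Constructed sample assertion (not captured traffic); the signature is a placeholder.
SAMPLE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example.com/server",
    "openid.claimed_id": "https://alice.example.com/",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": PHISHING_RESISTANT + " " + MULTI_FACTOR,
    "openid.pape.auth_time": "2007-11-26T23:59:00Z",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.pape,pape.auth_policies,pape.auth_time",
    "openid.sig": "constructed-placeholder-signature",
}


def run_scenarios():
    """Run the checks over SAMPLE and tampered variants; returns {name: (ok, reason)}."""
    at = datetime(2007, 11, 27, 0, 5, tzinfo=timezone.utc)  # constructed 'now'
    age = timedelta(minutes=10)
    untrusted = dict(SAMPLE, **{"openid.op_endpoint": "https://op.untrusted.example/"})
    unsigned = dict(SAMPLE, **{"openid.signed": "op_endpoint,claimed_id,identity,"
                                                "return_to,response_nonce,assoc_handle"})
    none_pol = dict(SAMPLE, **{"openid.pape.auth_policies": POLICY_NONE})
    return {
        "trusted_ok": evaluate_pape_assertion(SAMPLE, {MULTI_FACTOR}, age, at),
        "untrusted_op": evaluate_pape_assertion(untrusted, {MULTI_FACTOR}, age, at),
        "pape_unsigned": evaluate_pape_assertion(unsigned, {MULTI_FACTOR}, age, at),
        "policy_none": evaluate_pape_assertion(none_pol, {MULTI_FACTOR}, age, at),
        "stale_auth": evaluate_pape_assertion(SAMPLE, {MULTI_FACTOR}, timedelta(minutes=3), at),
        "needs_physical": evaluate_pape_assertion(SAMPLE, {MULTI_FACTOR_PHYSICAL}, age, at),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:15} {result}")
```

The allow-list check comes first on purpose: an OP that is not on it could still send syntactically perfect PAPE fields, and the whole point of the thread is that the RP bears the chargeback, so the RP rather than the end user gets to decide whose PAPE claims count. The signed-fields check matters because an OP response is only as trustworthy as what the signature covers; unsigned `openid.pape.*` values could be altered in transit through the user agent.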