[OpenID] OpenID 2.0, PAPE, and handling monetary transactions
Dick Hardt
dick at sxip.com
Tue Nov 27 08:39:08 UTC 2007
On 26-Nov-07, at 5:05 PM, Ben Bangert wrote:
> On Nov 26, 2007, at 4:18 PM, Gabe Wachob wrote:
>
>> I haven’t been part of PAPE, but I think the right view is one of
>> incremental advancement towards the point where it’s not insane to
>> use OpenID for user authentication in “transactions of value”. You
>> may just be ahead of the curve. I think PAPE is one step –
>> signatures of PAPE statements may or may not be the next step.
>
> Thanks Gabe, the mere existence of PAPE seemed like a very clear
> indicator of this as well. I'm still confused why Dick Hardt
> considered it crazy to use
Clearly the attack vectors against OpenID need to be more clearly
articulated if that is the case.
>
>> When you deal with “transactions of value”, use of OpenID has to
>> be analyzed in the context of the overall transaction flow, and
>> with the mindset of risk/benefit analysis, not just “security”.
>> I’m not sure that’s going to happen entirely in an open
>> environment like these email lists – it may be that the analysis
>> is already happening in private, and that mitigation factors to
>> the obvious security issues are already being put in place for
>> certain transactions among certain RPs and OPs.
>
> Yep, this was what I was referring to about white-listing OP's that
> I know are honoring PAPE properly so that I can rely on their
> authentication rather than keeping my own batch of security
> questions or some other financial data for verification.
White-listing OPs cuts against the OpenID philosophy where the user
is deciding.
How an RP decides which OPs to accept can be (and likely will be) for
business and political reasons rather than technical reasons. If this
is common practice, then we are not much further from the heavily
siloed systems that we have today.
>
>> In any case, these RPs will have to make the call about the
>> benefit of OpenID their business context. For example, in many
>> cases involving highly regulated industries such as banking or
>> electronic payments, it is the RPs and NOT the users that bear the
>> risk (or at least a good deal of the risk) of an authentication
>> failure. Thus, the argument for OpenID’s benefits takes on a
>> different character in that environment, and OpenID uptake is
>> probably driven by a more concentrated, homogenous group than we
>> have been seeing for general OpenID adoption (e.g. Visa or the
>> American Bankers Association or FSTC, not the current OpenID
>> community). Of course, these organizations have their own
>> interests, their own constraints, and their own time horizons.
>
> Right, this is why I was rather alarmed to see the apparent belief
> that the user should be left to decide whether their OP is
> 'secure', when many times the one that can lose in the transaction
> is the RP if the user chooses poorly. What I've generally seen
> happen, is the user does something stupid, a transaction is run,
> the user notices and reports it as a stolen/unauthorized
> transaction, and the credit card company charges it back to the RP
> in question. So relying on a user to choose a 'secure' OP is out of
> the question.
Users are going to choose which OP to trust with the same market
mechanisms they use to decide on numerous other trust decisions.
A user's ISP can screw a user very easily, but I don't see RPs saying
they need to choose which ISP the user uses. Similarly, as an RP are
you going to force the user to use a particular browser and OS?
-- Dick
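The RP-side decision the thread argues about (rely on an allow-listed OP's PAPE assertion for a transaction of value, or fall back to the RP's own checks) can be made concrete. The block below is an added example, not code from the thread or from any OpenID library: it evaluates the PAPE parameters of an already signature-verified OpenID response against a per-RP OP allow-list and a freshness window. The parameter names and policy URIs follow the 2007 PAPE draft; the allow-list, the amount threshold and the 300-second window are constructed assumptions.

```python
# Added example: RP policy for a "transaction of value" driven by a PAPE response.
# Assumes the caller has already verified the OpenID signature and that the
# openid.pape.* fields were covered by openid.signed; this code only decides
# whether the asserted policy is good enough for the amount at stake.
from datetime import datetime, timezone

# Policy URIs from the PAPE 1.0 draft (2007).
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"

# Constructed allow-list: OP endpoints this RP chose to rely on for high-value
# transactions (the "white-listing" discussed in the thread). Hypothetical host.
TRUSTED_OPS = {"https://op.example.com/server"}

# Constructed threshold: below this amount any verified assertion is accepted.
LOW_VALUE_LIMIT = 50


def parse_pape_time(value):
    """PAPE auth_time is ISO 8601 in UTC, e.g. 2007-11-27T08:39:08Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def allow_transaction(response, op_endpoint, amount, now_utc, max_age_s=300):
    """Return (allowed, reason).

    response    -- dict of verified OpenID response parameters
    op_endpoint -- OP endpoint URL the assertion came from
    now_utc     -- current time as an ISO 8601 UTC string (same format as auth_time)
    """
    if amount < LOW_VALUE_LIMIT:
        return True, "low value: any verified assertion is acceptable"
    if op_endpoint not in TRUSTED_OPS:
        return False, "OP not on the RP's allow-list; fall back to RP-side verification"
    policies = set(response.get("openid.pape.auth_policies", "").split())
    if PHISHING_RESISTANT not in policies and MULTI_FACTOR not in policies:
        return False, "OP did not assert a phishing-resistant or multi-factor policy"
    auth_time = response.get("openid.pape.auth_time")
    if auth_time is None:
        return False, "no openid.pape.auth_time in response"
    age = (parse_pape_time(now_utc) - parse_pape_time(auth_time)).total_seconds()
    if age < 0 or age > max_age_s:
        return False, "authentication not fresh enough for a high-value transaction"
    return True, "allow-listed OP asserted an acceptable policy and fresh authentication"
```

Note that the RP can only check what the OP asserts; whether the OP actually honoured the policy is exactly the trust question the thread leaves open.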