[OpenID] OpenID 2.0, PAPE, and handling monetary transactions
Ben Bangert
ben at groovie.org
Tue Nov 27 17:06:49 UTC 2007
On Nov 27, 2007, at 12:39 AM, Dick Hardt wrote:
> White-listing OPs cuts against the OpenID philosophy where the user
> is deciding.
> How an RP decides which OPs to accept can be (and likely will be)
> for business and political reasons rather than technical reasons. If
> this is common practice, then we are not much further from the
> heavily siloed systems that we have today.
Which is exactly why it would be prudent for the OpenID community to
come up with a way to add some level of verification that the PAPE is
being enforced by an OP that claims it is honoring it. In this case,
an RP would be deciding on an OP to accept based on whether it knows
for sure (sysadmin went and verified, etc.) the PAPE schemes claimed
are truly honored.
If it's not desirable for it to become common practice, let's do
something about being able to assert some level of verification on PAPE?
> Users are going to choose which OP to trust with the same market
> mechanisms they use to decide on numerous other trust decisions.
> A user's ISP can screw a user very easily, but I don't see RPs saying
> they need to choose which ISP the user uses. Similarly, as an RP are
> you going to force the user to use a particular browser and OS?
Different issue. This is more like a business choosing to honor only a
specific state driver license because it's unable to verify accurately
other states' driver's licenses and doesn't want to get caught selling
liquor to a minor. This is about an RP that may do financial
transactions choosing only OP's it knows honor PAPE so that it can
avoid credit card company charge-backs (which cost the RP money).
While it's great to say, "the user chooses, it's up to them", legally
this isn't actually the case. Credit card companies do charge-backs to
companies all the time, the RP is the one that loses when the user
chooses poorly.
I don't mind the user being able to choose, I just want a way to
increase the pool of OP's that can be trusted, rather than having to
restrict it to a subset. As I mentioned earlier, to avoid restricting
it to a white-list of OP's right now, I ended up going with security
questions as USAA does, so that I have a system I can trust (because
it's me), and the user is still able to authenticate in a verifiable
fashion.
The PAPE document itself apparently documents the fact that the
inevitable conclusion of its use will result in white-lists:
"The lack of a single required trust model within OpenID allows for
Relying Parties to decide which Providers they trust using whatever
criteria they choose - likewise RPs will decide whether or not to
trust claims as to authentication policy from such OpenID Providers as
well."
I still think it'd be great to have PAPE extended with a system of
signature signing and verification so that more OP's can be "signed"
and establish a larger pool of trustable OP's than having to maintain
a white-list. As is, I can white-list OP's I know from personal
verification honor PAPE, and users of those OP's won't need the
security questions. Less than ideal, but it works.
Cheers,
Ben
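
The RP-side decision described in this message (trust a PAPE claim only from OPs the RP has verified itself, otherwise fall back to a step-up such as security questions), sketched as an added example that is not part of the original post. The allow-list entry, the function names and the sample assertions are assumptions constructed for illustration; the assertion's signature is assumed to have been verified already.

```python
from urllib.parse import parse_qs, urlencode

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
# Assumption: OP endpoints this RP has verified out-of-band to honor PAPE.
VERIFIED_OPS = {"https://op.example.com/server"}

def pape_alias(fields):
    """Return the alias bound to the PAPE namespace (e.g. 'pape'), or None."""
    for key, value in fields.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None

def decide(query, required=MULTI_FACTOR):
    """Return 'accept' or 'step-up' for an assertion whose signature is verified."""
    fields = {k: v[0] for k, v in parse_qs(query).items()}
    signed = set(fields.get("openid.signed", "").split(","))
    alias = pape_alias(fields)
    if alias is None:
        return "step-up"  # OP sent no PAPE response at all
    # Unsigned PAPE or endpoint fields could have been altered in transit.
    needed = {"op_endpoint", f"ns.{alias}", f"{alias}.auth_policies"}
    if not needed <= signed:
        return "step-up"
    policies = fields.get(f"openid.{alias}.auth_policies", "").split()
    if required not in policies:
        return "step-up"  # OP does not claim the policy the RP needs
    if fields.get("openid.op_endpoint") not in VERIFIED_OPS:
        return "step-up"  # claim present, but this RP cannot vouch for the OP
    return "accept"

def sample(op, policies, signed="op_endpoint,ns.pape,pape.auth_policies"):
    """Build a constructed positive assertion (most non-PAPE fields omitted)."""
    return urlencode({
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": op,
        "openid.ns.pape": PAPE_NS,
        "openid.pape.auth_policies": policies,
        "openid.signed": signed,
    })

if __name__ == "__main__":
    for op in ("https://op.example.com/server", "https://unknown-op.example.net/"):
        print(op, "->", decide(sample(op, MULTI_FACTOR)))
```

Here "step-up" stands for the RP's own fallback check; an identical PAPE claim from an OP outside the verified set is treated the same as no claim.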