[OpenID] OpenID 2.0, PAPE, and handling monetary transactions

Dick Hardt dick at sxip.com
Tue Nov 27 17:22:37 UTC 2007


On 27-Nov-07, at 9:06 AM, Ben Bangert wrote:

> On Nov 27, 2007, at 12:39 AM, Dick Hardt wrote:
>
>> White-listing OPs cuts against the OpenID philosophy where the
>> user is deciding.
>> How an RP decides which OPs to accept can be (and likely will be)
>> for business and political reasons rather than technical reasons.
>> If this is common practice, then we are not much further from the
>> heavily siloed systems that we have today.
>
> Which is exactly why it would be prudent for the OpenID community  
> to come up with a way to add some level of verification that the  
> PAPE is being enforced by an OP that claims it is honoring it. In  
> this case, an RP would be deciding on an OP to accept based on  
> whether it knows for sure (sysadmin went and verified, etc.) the  
> PAPE schemes claimed are truly honored.
>
> If it's not desirable for it to become common practice, let's do
> something about being able to assert some level of verification on
> PAPE?

As mentioned on another thread, perhaps we need to change the  
protocol so that it is inherently more secure. The RP phishing attack  
is a gaping hole in the protocol as it now stands.

>
>> Users are going to choose which OP to trust with the same market
>> mechanisms they use to decide on numerous other trust decisions.
>> A user's ISP can screw a user very easily, but I don't see RPs
>> saying they need to choose which ISP the user uses. Similarly, as
>> an RP are you going to force the user to use a particular browser
>> and OS?
>
> Different issue. This is more like a business choosing to honor
> only a specific state driver's license because it's unable to verify
> other states' driver's licenses accurately and doesn't want to get
> caught selling liquor to a minor. This is about an RP that may do
> financial transactions choosing only OPs it knows honor PAPE so
> that it can avoid credit card company charge-backs (which cost the
> RP money).

This model will lead to a closed network that will stifle  
competition. Read up on Lessig's latest material if you are not  
familiar with it. It is "Open"ID ... and that means it is Open to any  
OP participating that the user trusts. The OP is providing  
authentication for the user, not the RP.

Conversely, parties that are making statements about the user such as  
credit, age, membership DO need to be trusted by the RP, since the RP  
is relying on them.

>
> While it's great to say, "the user chooses, it's up to them", legally
> this isn't actually the case. Credit card companies do charge-backs
> to companies all the time; the RP is the one that loses when the
> user chooses poorly.

The current charge-back by credit card companies of online
transactions is an anomaly due to the desire of online merchants
wanting to do the transaction, and the inability for them to prove
the user did the transaction. It does not happen in the physical world.

>
> I don't mind the user being able to choose, I just want a way to
> increase the pool of OPs that can be trusted, rather than having
> to restrict it to a subset. As I mentioned earlier, to avoid
> restricting it to a white-list of OPs right now, I ended up going
> with security questions as USAA does, so that I have a system I can
> trust (because it's me), and the user is still able to authenticate
> in a verifiable fashion.

I did not see any evidence besides the wiki entry on openid.net that  
USAA was accepting OpenIDs.

>
> The PAPE document itself apparently documents the fact that the  
> inevitable conclusion of its use will result in white-lists:
> "The lack of a single required trust model within OpenID allows for  
> Relying Parties to decide which Providers they trust using whatever  
> criteria they choose - likewise RPs will decide whether or not to  
> trust claims as to authentication policy from such OpenID Providers  
> as well."

I'm not a fan of that phrase being in the document.

>
> I still think it'd be great to have PAPE extended with a system of
> signature signing and verification so that more OPs can be
> "signed" and establish a larger pool of trustable OPs than having
> to maintain a white-list. As is, I can white-list OPs I know from
> personal verification honor PAPE, and users of those OPs won't
> need the security questions. Less than ideal, but it works.

No it does not. You now have to create some body or system that  
decides if an OP is on the list or not. You are limiting the user  
choice and constraining the network.
