[OpenID] OpenID 2.0, PAPE, and handling monetary transactions
Ben Bangert
ben at groovie.org
Tue Nov 27 18:59:26 UTC 2007
On Nov 27, 2007, at 9:22 AM, Dick Hardt wrote:
> As mentioned on another thread, perhaps we need to change the
> protocol so that it is inherently more secure. The RP phishing
> attack is a gaping hole in the protocol as it now stands.
Definitely, if it can't be trusted, people will fall back to security
questions and other ways to add security in a verifiable fashion
(enter your last 4 digits of credit card, etc.).
You said earlier that OpenID is for social networks and blog
comments; I'd like to point out that Facebook is now starting to
engage in financial transactions. Other social networks may do so in
the future as well.
If OpenID is not going to be ready for anything involving financial
transactions, that's a massive problem for adoption, because some of
the sites that take OpenID now may want to do things involving
financial transactions in the future. It also means anyone
considering use of OpenID for their social network needs to consider
whether they may do something with subscriptions, etc. sometime down
the road.
> This model will lead to a closed network that will stifle
> competition. Read up on Lessig's latest material if you are not
> familiar with it. It is "Open"ID ... and that means it is Open to
> any OP participating that the user trusts. The OP is providing
> authentication for the user, not the RP.
Why? I didn't say that you couldn't take OpenID from anyone, merely
that if you don't know for certain that PAPE is being implemented you
need additional measures of security. While it's not ideal to have to
have security questions, at least you don't have more usernames and
passwords. It's still "Open", and you can log in with it; it just has
an extra hoop to jump through before doing something that may result
in a financial transaction.
> The current charge back by credit card companies of online
> transactions is an anomaly due to the desire of online merchants
> wanting to do the transaction, and the inability for them to prove
> the user did the transaction. It does not happen in the physical
> world.
Actually, it does happen in the physical world; credit card companies
do issue charge-backs to physical retailers in some cases. That's
irrelevant though; OpenID is for use online, which is where the RP is
as well.
> No it does not. You now have to create some body or system that
> decides if an OP is on the list or not. You are limiting the user
> choice and constraining the network.
I'm not limiting the user choice; the user can continue to choose an
OP I can't verify. Why is asking the user a security question
"limiting user choice"? That makes no sense. This is merely the
practical implication of unverifiable PAPE implementations with
OpenID. If this consequence isn't desired, let's fix the protocol as
you suggested, or PAPE, so that some additional measure of
verifiability exists.
Cheers,
Ben