[OpenID] OpenID 2.0, PAPE, and handling monetary transactions
Ben Bangert
ben at groovie.org
Tue Nov 27 22:02:34 UTC 2007
On Nov 27, 2007, at 11:24 AM, openid at allentom.com wrote:
> Using OpenID to authorize financial transactions would certainly raise
> legal and liability issues with potential OpenID Providers.
Why? Why wouldn't it be the same as when an RP asks for a user/password? The RP is the one trusting the assertion and performing the transaction; they're the ones who get the credit card charge-back.
> To reduce the legal exposure resulting from the unintended use of OpenID
> to authorize financial transactions, OpenID Providers would probably want
> a way to publish a "Relying Party Acceptable Use" policy which states
> acceptable and appropriate uses that an RP can use with an assertion from
> the OP, as well as explicitly listing inappropriate uses.
As I mentioned, the RPs are the ones on the hook for unauthorized transactions; they get the charge-backs.
> For instance, most OPs would want to explicitly forbid the use of their
> assertions to authorize financial and ecommerce transactions.
I have no idea why an OP would know about financial transactions. I'm
referring merely to using the max-age ability of PAPE to force a user
to re-login so that I know they're still there, and being able to
trust the OP with PAPE so far as they did actually ask the user to
log back in (thus proving the user is still at the helm). This is
generally used with financial transactions to up the barrier to
exploitation so that it takes a bit more than merely hijacking a
session or sitting down at someone's computer (at work, library, etc.).
> The PAPE extension seems to be the right place to publish this type of
> information. In order to satisfy the legal requirements for potential OPs,
> there needs to be a way for an OP to specify the url to a document that
> explains the RP Acceptable Use policies for the OP, as well as a mechanism
> for an OP to explicitly tell RPs that the assertion is not suitable for
> high-value transactions. Maybe the community can define a set of
> acceptable use profiles similar to the NIST levels used in the PAPE
> extension.
The fact that a user can tell the OP to let them do anything they
want still leaves open the main issue here... how does the RP trust
the OP's assertions? We already know that the RP is on the line
financially in most cases for unauthorized transactions, and relying
on the user for security is not a good idea. If an OP a user is
running lets them declare it as fine for financial transactions, most
users will prolly turn it on, just 'cause it's convenient. And users
have been shown to do insecure things merely because it's convenient.
Cheers,
Ben
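Ben's use of PAPE above is the RP-side check: the RP sends `openid.pape.max_auth_age` with its request and then verifies the `openid.pape.auth_time` the OP returns, refusing to proceed with the transaction if the login is too old. The following is an added example, not from this thread or from any OpenID library, of how an RP would perform that check. The helper names and the constructed sample responses are assumptions; it also assumes the RP has already verified the OP's signature over the fields listed in `openid.signed`, which is what makes the PAPE fields trustworthy in the first place.

```python
from datetime import datetime, timedelta, timezone

# Namespace defined by the PAPE 1.0 extension.
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"


def build_pape_request(max_auth_age_seconds):
    """PAPE parameters an RP adds to its checkid_setup/checkid_immediate request.

    max_auth_age asks the OP to re-authenticate the user if their last
    login is older than the given number of seconds.
    """
    return {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.max_auth_age": str(int(max_auth_age_seconds)),
    }


def parse_auth_time(value):
    """Parse the PAPE auth_time format: YYYY-MM-DDThh:mm:ssZ (always UTC)."""
    if not value.endswith("Z"):
        raise ValueError("auth_time must be in UTC with a trailing Z")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def authentication_is_fresh(response, max_auth_age_seconds, now=None, clock_skew_seconds=60):
    """Decide whether a positive assertion is recent enough for a high-value action.

    `response` is the dict of openid.* parameters the OP sent back.  The RP's
    signature check over `openid.signed` is assumed to have passed already
    (hypothetical RP library, not shown here).  Returns (ok, reason).
    """
    now = now or datetime.now(timezone.utc)

    # The PAPE fields only mean something if the OP's signature covers them;
    # openid.signed lists field names without the "openid." prefix.
    signed = set(response.get("openid.signed", "").split(","))
    if "ns.pape" not in signed or "pape.auth_time" not in signed:
        return False, "PAPE fields are not covered by the OP signature"

    if response.get("openid.ns.pape") != PAPE_NS:
        return False, "OP did not answer with a PAPE response"

    raw = response.get("openid.pape.auth_time")
    if not raw:
        # An OP that honours max_auth_age reports when the login happened;
        # without it the RP cannot tell whether the user just re-authenticated.
        return False, "OP did not report auth_time"

    try:
        auth_time = parse_auth_time(raw)
    except ValueError:
        return False, "malformed auth_time"

    age = (now - auth_time).total_seconds()
    if age < -clock_skew_seconds:
        return False, "auth_time lies in the future"
    if age > max_auth_age_seconds:
        return False, "authentication is %d seconds old, limit is %d" % (age, max_auth_age_seconds)
    return True, "ok"


# Constructed sample responses (not captured from a real OP) for a quick check.
SIGNED_CORE = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
NOW = datetime(2007, 11, 27, 22, 0, 0, tzinfo=timezone.utc)


def sample_response(auth_time, signed=SIGNED_CORE + ",ns.pape,pape.auth_time"):
    return {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.signed": signed,
        "openid.ns.pape": PAPE_NS,
        "openid.pape.auth_time": auth_time.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }


if __name__ == "__main__":
    print(build_pape_request(300))
    print(authentication_is_fresh(sample_response(NOW - timedelta(seconds=30)), 300, now=NOW))
    print(authentication_is_fresh(sample_response(NOW - timedelta(hours=1)), 300, now=NOW))
```

The RP picks `max_auth_age` per action (a few minutes for a purchase, longer for browsing) and treats any of the failure reasons as "ask the OP again", which is exactly the re-login barrier Ben describes: a hijacked session or an unattended browser no longer carries a fresh enough assertion on its own.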