[OpenID] OpenID 2.0, PAPE, and handling monetary transactions

Eric Norman ejnorman at doit.wisc.edu
Wed Nov 28 02:36:49 UTC 2007


On Nov 27, 2007, at 4:02 PM, Ben Bangert wrote:

> On Nov 27, 2007, at 11:24 AM, openid at allentom.com wrote:
>
>> Using OpenID to authorize financial transactions would certainly raise
>> legal and liability issues with potential OpenID Providers.
>
> Why? Why wouldn't it be the same as when an RP asks for a 
> user/password? The RP is the one trusting the assertion and performing 
> the transaction ...

It would be good if you could get your head out of the
technology and start thinking in terms of what the various
parties need, want, and don't want.

For instance, in another message you mentioned that an RP
can save operational costs by not having to deal with password
resets and the like.  Good, that's something an RP would want.

But they are going to have to balance that against their
concerns about risk and liability.  For instance, if a bank
is going to rely on someone else to do account authentication
for them, they are going to worry about what happens if they
rely on a false positive and (for instance) $100,000 disappears
from a customer's account.

>> To reduce the legal exposure resulting from the unintended use of OpenID
>> to authorize financial transactions, OpenID Providers would probably want
>> a way to publish a "Relying Party Acceptable Use" policy which states
>> acceptable and appropriate uses that an RP can use with an assertion from
>> the OP, as well as explicitly listing inappropriate uses.
>
> As I mentioned, the RP's are the one on the hook for unauthorized 
> transactions ...

Right, but RPs don't want to be on the hook for that $100,000.
That's the risk management part.  One of the things they are
highly likely to ask of the OP is that the OP assumes liability
for any false positives.  This is, in the above example, OP
will pay RP $100,000 for OP's mistake.

That's one way to manage or mitigate the risk; there are others.

If it turns out that the bank will still be on the hook for
that $100,000 (because they can't come to a contractual agreement
with the OP(s), for instance), then they will probably just
do the authentication themselves.  Then they will at least be able
to control the process.

In fact, from what I read in the USAA link provided, that is just
what they're doing.  They're being their own OP and that's the
only choice you have.  Furthermore, they've added the security
questions (just more passwords) on top of that.

In even more fact, I don't even see USAA saying that they're using
OpenID!  They talk a lot about their Online ID, but I didn't see
any mention of OpenID; perhaps I missed something.

>> For instance, most OPs would want to explicitly forbid the use of their
>> assertions to authorize financial and ecommerce transactions.
>
> I have no idea why an OP would know about financial transactions. I'm 
> referring merely to using the max-age ability of PAPE to force a user 
> to re-login so that I know they're still there, and being able to 
> trust the OP with PAPE so far as they did actually ask the user to log 
> back in (thus proving the user is still at the helm). This is 
> generally used with financial transactions to up the barrier to 
> exploitation so that it takes a bit more than merely hijacking a 
> session or sitting down at someone's computer (at work, library, 
> etc.).

The head is mired in technology again.  If the OP is going to be
(partly) liable for the accuracy of what they tell the RP, then
they damned well will care about whether the information they
provide is used for financial transactions and how much is at risk
to the OP.  What do you think the disclaimers above (... explicitly
forbid ...) are about?

> The fact that a user can tell the OP to let them do anything they 
> want, still leaves open the main issue here.... how does the RP trust 
> the OP's assertions?

It's not about "trust" (whatever that means).  In the case of
financial transactions, it's about risk management.  That includes
both dollars and "customer loyalty".

Eric Norman
http://ejnorman.blogspot.com
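As an added example (not code from this thread, nor from any OpenID library), here is how an RP could act on the PAPE max-age mechanism Ben describes above. After the normal OpenID 2.0 signature check, it verifies that the OP actually answered the PAPE request, that the auth_time field is covered by the OP's signature (an unsigned field could have been altered in transit), and that the reported authentication is no older than the max_auth_age the RP asked for. The parameter names (openid.ns.pape, openid.pape.max_auth_age, openid.pape.auth_time, openid.signed) are those of the PAPE 1.0 and OpenID 2.0 specifications; the sample responses, the "current" timestamp and the 60-second clock-skew allowance are constructed for the example.

```python
"""RP-side freshness check on a PAPE response (added example, not from the thread)."""
from datetime import datetime, timedelta, timezone

# Namespace URI for PAPE 1.0, as used in openid.ns.<alias>
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"


def parse_auth_time(value):
    """Parse a PAPE auth_time (ISO 8601, UTC, 'Z' suffix) into an aware datetime."""
    if not value.endswith("Z"):
        raise ValueError("auth_time must be in UTC with a 'Z' suffix")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def pape_alias(params):
    """Return the extension alias the OP bound to the PAPE namespace, or None."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def check_pape_freshness(params, max_auth_age, now, skew=timedelta(seconds=60)):
    """Decide whether a positive assertion satisfies the RP's max_auth_age.

    params:       the openid.* response fields, after signature verification
    max_auth_age: the number of seconds the RP sent in openid.pape.max_auth_age
    now:          current UTC time as an aware datetime (injected so tests are stable)
    skew:         tolerated clock difference between RP and OP (assumed value)

    Returns (ok, reason). Any failure means the RP must not treat the user as
    recently authenticated and should fall back to its own authentication step.
    """
    alias = pape_alias(params)
    if alias is None:
        return False, "OP did not answer the PAPE request"

    # OpenID 2.0 lists signed fields without the 'openid.' prefix
    signed = set(params.get("openid.signed", "").split(","))
    auth_time_field = f"{alias}.auth_time"
    if auth_time_field not in signed:
        return False, "pape auth_time is not covered by the OP signature"

    raw = params.get(f"openid.{auth_time_field}")
    if raw is None:
        return False, "pape auth_time missing from response"
    try:
        auth_time = parse_auth_time(raw)
    except ValueError as exc:
        return False, f"malformed auth_time: {exc}"

    if auth_time > now + skew:
        return False, "auth_time is in the future (clock skew or bogus value)"
    age = now - auth_time
    if age > timedelta(seconds=max_auth_age) + skew:
        return False, f"authentication is {int(age.total_seconds())}s old, exceeds max_auth_age={max_auth_age}"
    return True, f"authenticated {int(age.total_seconds())}s ago"


# Constructed sample data (not real OP output). "Now" is the timestamp of the
# message above; the fresh response claims a login 30 seconds earlier.
NOW = datetime(2007, 11, 28, 2, 36, 49, tzinfo=timezone.utc)

FRESH_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_time": "2007-11-28T02:36:19Z",
    "openid.pape.auth_policies": "http://schemas.openid.net/pape/policies/2007/06/none",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,pape.auth_time,pape.auth_policies",
}

# Same response, but the OP reports a login 20 minutes ago.
STALE_RESPONSE = dict(FRESH_RESPONSE, **{"openid.pape.auth_time": "2007-11-28T02:16:49Z"})

# Same response, but the PAPE fields were left out of the signed field list.
UNSIGNED_RESPONSE = dict(
    FRESH_RESPONSE,
    **{"openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"},
)

if __name__ == "__main__":
    for label, resp in (("fresh", FRESH_RESPONSE), ("stale", STALE_RESPONSE), ("unsigned", UNSIGNED_RESPONSE)):
        print(label, check_pape_freshness(resp, 300, NOW))
```

Every failure path returns False rather than raising, so the calling code has one decision to make: rely on the OP's claim of a recent login, or do what Eric suggests a bank would do anyway and re-authenticate the user itself before the high-value action.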