[OpenID] OpenID 2.0, PAPE, and handling monetary transactions
Allen Tom
openid at allentom.com
Wed Nov 28 04:06:38 UTC 2007
Hi Ben,
As you've already mentioned, the security requirements to authorize
financial transactions are much higher than the requirements to login to
most consumer oriented websites. Many potential OPs may want to issue
OpenID assertions that are appropriate for the overwhelming majority of
consumer websites, but are not sufficient to access bank or credit
accounts, or to authorize other high value transactions. I'm mostly
concerned about protecting OPs from potential liability issues if an RP
decides to use an OpenID to authorize transactions that exceed an OP's
security policies.
For instance, authorizing financial transactions generally requires that
the credentials be relatively short lived (like an hour) and be tied to
a specific IP address. In contrast, consumer oriented websites generally
tend to issue long lived credentials that are not bound to an IP address
(as consumers tend to roam and get re-IPed fairly often). A
consumer-focused OpenID Provider may issue long lived credentials that
persist across browser sessions and IP address changes so that their
users don't need to type their password very often. The OP may also want
to explicitly tell its RPs that its assertions are not sufficient for
certain high value transactions, especially anything having to do with
transferring money.
PAPE allows for an RP to request certain levels of authentication, but
it does not provide a way for OPs to tell RPs that their assertions are
not sufficient to authorize certain transactions. Perhaps it would be
best to define a new "not suitable for financial or other high value
transactions" PAPE policy. Responsible high-value RPs could restrict
access to a whitelist of trusted OPs that support high value transactions.
Again, I'm mostly concerned about protecting potential OPs from
liability issues in the event that something goes wrong when an OpenID
is used to authorize high value transactions. Certainly, it would be
great when OpenID is widely used for everything, including high value
transactions, but not all OPs would want to accept liability for RPs
that use OpenIDs for high value transactions.
Allen
Ben Bangert wrote:
> On Nov 27, 2007, at 11:24 AM, openid at allentom.com wrote:
>
>> Using OpenID to authorize financial transactions would certainly raise
>> legal and liability issues with potential OpenID Providers.
>
> Why? Why wouldn't it be the same as when an RP asks for a
> user/password? The RP is the one trusting the assertion and performing
> the transaction, they're the ones who get the credit card charge-back.
>
>> To reduce the legal exposure resulting from the unintended use of OpenID
>> to authorize financial transactions, OpenID Providers would probably want
>> a way to publish a "Relying Party Acceptable Use" policy which states
>> acceptable and appropriate uses that an RP can use with an assertion from
>> the OP, as well as explicitly listing inappropriate uses.
>
> As I mentioned, the RPs are the ones on the hook for unauthorized
> transactions, they get the charge-backs.
>
>> For instance, most OPs would want to explicitly forbid the use of their
>> assertions to authorize financial and ecommerce transactions.
>
> I have no idea why an OP would know about financial transactions. I'm
> referring merely to using the max-age ability of PAPE to force a user
> to re-login so that I know they're still there, and being able to
> trust the OP with PAPE so far as they did actually ask the user to log
> back in (thus proving the user is still at the helm). This is
> generally used with financial transactions to up the barrier to
> exploitation so that it takes a bit more than merely hijacking a
> session or sitting down at someone's computer (at work, library, etc.).
>
>> The PAPE extension seems to be the right place to publish this type of
>> information. In order to satisfy the legal requirements for potential OPs,
>> there needs to be a way for an OP to specify the url to a document that
>> explains the RP Acceptable Use policies for the OP, as well as a mechanism
>> for an OP to explicitly tell RPs that the assertion is not suitable for
>> high-value transactions. Maybe the community can define a set of
>> acceptable use profiles similar to the NIST levels used in the PAPE
>> extension.
>
> The fact that a user can tell the OP to let them do anything they
> want still leaves open the main issue here: how does the RP trust
> the OP's assertions? We already know that the RP is on the line
> financially in most cases for unauthorized transactions, and relying
> on the user for security is not a good idea. If an OP a user is
> running lets them declare it as fine for financial transactions, most
> users will probably turn it on, just because it's convenient. And users
> have been shown to do insecure things merely because it's convenient.
>
> Cheers,
> Ben
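To make the RP-side decision discussed in this thread concrete, here is an added example (not code from the thread or from any OpenID library) of how an RP could evaluate the PAPE fields of a positive OpenID 2.0 assertion before authorizing a high-value transaction: restrict to an OP allowlist, require the PAPE fields to be covered by the OP's signature, require a policy such as phishing-resistant, honour a "not for high-value transactions" marker, and enforce the max_auth_age freshness that Ben describes. The OP endpoint, the sample assertion and the placeholder policy URI for Allen's proposed marker are constructed; the placeholder is not a real PAPE policy.

```python
import datetime as dt

PAPE_NONE = "http://schemas.openid.net/pape/policies/2007/06/none"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
# Placeholder URI for the "not suitable for high-value transactions" policy
# proposed in the thread; no such PAPE policy exists, this is hypothetical.
NOT_FOR_HIGH_VALUE = "urn:example:pape:not-for-high-value-transactions"
CLOCK_SKEW = 60  # seconds of OP/RP clock drift the RP tolerates

def parse_auth_time(value):
    """PAPE auth_time is ISO 8601 in UTC, e.g. 2007-11-28T04:06:38Z."""
    t = dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    return t.replace(tzinfo=dt.timezone.utc)

def high_value_check(params, op_endpoint, trusted_ops, max_auth_age, now,
                     required=(PHISHING_RESISTANT,)):
    """Decide whether a positive OpenID 2.0 assertion carrying PAPE fields is
    acceptable for a high-value transaction. Returns (accepted, reason).
    params: the assertion's query parameters, after signature verification."""
    if op_endpoint not in trusted_ops:
        return False, "OP is not on the RP's list for high-value use"
    # PAPE fields only count if the OP signed them (openid.signed lists
    # field names without the 'openid.' prefix).
    signed = set(params.get("openid.signed", "").split(","))
    if not {"pape.auth_policies", "pape.auth_time"} <= signed:
        return False, "PAPE fields are not covered by the OP signature"
    policies = set(params.get("openid.pape.auth_policies", PAPE_NONE).split())
    if NOT_FOR_HIGH_VALUE in policies:
        return False, "OP declares the assertion unsuitable for high-value use"
    missing = set(required) - policies
    if missing:
        return False, "missing policies: " + " ".join(sorted(missing))
    # An OP that cannot tell when the user last authenticated returns the
    # epoch sentinel 1970-01-01T00:00:00Z, which fails the age test below.
    auth_time = params.get("openid.pape.auth_time", "1970-01-01T00:00:00Z")
    age = (now - parse_auth_time(auth_time)).total_seconds()
    if age < -CLOCK_SKEW or age > max_auth_age:
        return False, f"authentication is {age:.0f}s old, limit {max_auth_age}s"
    return True, "fresh, policy-compliant assertion from a trusted OP"

def demo():
    """Constructed sample assertion, not a real OP response."""
    now = parse_auth_time("2007-11-28T04:06:38Z")
    params = {
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                         "response_nonce,assoc_handle,pape.auth_policies,pape.auth_time",
        "openid.pape.auth_policies": PHISHING_RESISTANT,
        "openid.pape.auth_time": "2007-11-28T03:30:00Z",
    }
    return high_value_check(params, "https://op.example/endpoint",
                            {"https://op.example/endpoint"}, 3600, now)
```

A user re-logging in 36 minutes ago under a 3600-second max_auth_age is accepted; an epoch auth_time, a missing signature over the PAPE fields, an untrusted OP, or the placeholder marker each cause a rejection with a reason the RP can log.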