[OpenID] OpenID 2.0, PAPE, and handling monetary transactions

Allen Tom openid at allentom.com
Wed Nov 28 04:25:01 UTC 2007


Ben Bangert wrote:
>
> I'm thinking in terms of the practical realities of how credit card 
> charges work in the USA. If an RP trusts an OP, and the OP lies, the 
> RP is on the hook. Not the OP, nor the user for trusting an OP that 
> didn't work right and wasn't verified

I believe the lawyers will go after the biggest target, and that very 
well could be the OP. An OP should have a mechanism to say that its 
OpenIDs are not suitable to access credit card numbers or to authorize 
any payments, or other high value transactions.

> We've already said this, the OP is NOT liable for the accuracy of what 
> they tell the RP. The RP is on the hook for charge-backs online, this 
> isn't in dispute, it's a well-known fact.

I disagree with you here: at some point, the lawyers will go after the 
OP, if the OP has enough assets to make it worthwhile.

>> It's not about "trust" (whatever that means).  In the case of
>> financial transactions, it's about risk management.  That includes
>> both dollars and "customer loyalty".
>
> Right, and risk management means ensuring that before doing something 
> involving a financial transaction, it's prudent to ensure the user can 
> still present their authentication credentials. Since OPs may have 
> long timeouts, it's desired to have the user re-authenticate to their 
> OP, which PAPE allows through the use of a max-age. There is however 
> no way to verify this, which is what I've been talking about the 
> entire time. Thus the use of security questions.
>

OPs may already know that their OpenIDs are not suitable for financial 
transactions, and would like a way to explicitly advertise that.

Again, it's great that we're talking about using OpenID for high value 
transactions, but consumer oriented OPs may already be aware of the 
limitations of OpenID and their own implementation of OpenID, and would 
not want to condone the use of their OpenIDs in an unsafe manner.

Also, just from a practical standpoint, users will have a strong 
relationship with their OP, and may hold their OP accountable for 
security issues, even for issues that were entirely the RP's fault.

Allen
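The PAPE exchange Ben refers to, shown from the RP's side as an added example (not code from this thread or from any OpenID library): the RP asks for `openid.pape.max_auth_age` in seconds, and the OP answers with `openid.pape.auth_time` and `openid.pape.auth_policies`. The sample response, the "current time" and the required-policy list are constructed for the demonstration; the check that PAPE fields are covered by `openid.signed` and the decision to treat a missing `auth_time` as a failure are this example's own choices. Signature verification of the whole response is assumed to have happened already. What the code makes visible is Ben's point: every branch of the decision rests on values the OP asserts, so the RP is enforcing policy on the OP's word, not verifying it.

```python
"""RP-side check of OpenID PAPE fields before a payment step.

Added example, not code from the thread or from any OpenID library.
It parses the PAPE fields an OP returns in a positive assertion and
decides whether the asserted authentication is fresh enough. The OP's
signature over the response is assumed to have been verified already;
what remains unverifiable is the content of auth_time itself.
"""
from datetime import datetime, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"

# Constructed sample: the PAPE-relevant subset of an OP's positive assertion.
# The extension alias ("pape" here) is chosen by the OP, so it must be found
# by namespace URI rather than assumed. Timestamps are made up.
SAMPLE_RESPONSE = {
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": MULTI_FACTOR,
    "openid.pape.auth_time": "2007-11-28T04:00:00Z",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.pape,pape.auth_policies,pape.auth_time",
}
# Constructed "current time" for the worked run; a real RP uses datetime.now(timezone.utc).
SAMPLE_NOW = datetime(2007, 11, 28, 4, 25, 1, tzinfo=timezone.utc)


def pape_fields(response):
    """Return (alias, {field: value}) for the PAPE extension, or None if absent.
    Only fields listed in openid.signed are returned: an unsigned field could
    have been altered on its way through the user's browser."""
    signed = set(response.get("openid.signed", "").split(","))
    for key, value in response.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            alias = key[len("openid.ns."):]
            if "ns." + alias not in signed:
                return None
            prefix = "openid." + alias + "."
            return alias, {
                k[len(prefix):]: v
                for k, v in response.items()
                if k.startswith(prefix) and k[len("openid."):] in signed
            }
    return None


def parse_auth_time(value):
    """PAPE auth_time is ISO 8601 in UTC with a trailing Z."""
    if not value.endswith("Z"):
        raise ValueError("auth_time must be UTC (trailing Z)")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def fresh_enough(response, max_auth_age, required_policies, now):
    """Apply the RP's policy for a high-value step.

    max_auth_age is in seconds, the same unit as the request parameter
    openid.pape.max_auth_age. Returns (ok, reason). An OP that ignores the
    request may omit auth_time; that is treated as a failure, not as fresh.
    """
    found = pape_fields(response)
    if found is None:
        return False, "no signed PAPE response from OP"
    _, fields = found
    policies = set(fields.get("auth_policies", "none").split())
    missing = set(required_policies) - policies
    if missing:
        return False, "OP did not assert required policies: " + " ".join(sorted(missing))
    if "auth_time" not in fields:
        return False, "OP did not report auth_time; freshness unknown"
    try:
        auth_time = parse_auth_time(fields["auth_time"])
    except ValueError as exc:
        return False, "malformed auth_time: %s" % exc
    age = int((now - auth_time).total_seconds())
    if age < 0:
        return False, "auth_time is in the future"
    if age > max_auth_age:
        return False, "authentication is %d s old, limit is %d s" % (age, max_auth_age)
    return True, "OP asserts authentication %d s ago" % age


if __name__ == "__main__":
    for limit in (3600, 900):
        print(limit, fresh_enough(SAMPLE_RESPONSE, limit, [MULTI_FACTOR], SAMPLE_NOW))
```

Run against the constructed sample, a 3600 s limit passes and a 900 s limit fails, because the asserted auth_time is 1501 s before the sample clock. Nothing in the function can tell whether the OP really re-prompted the user at that time; that is the gap the thread is about, and it is why the function's "ok" is an input to the RP's risk decision rather than proof.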