[OpenID] OpenID 2.0, PAPE, and handling monetary transactions

Johannes Ernst jernst+openid.net at netmesh.us
Wed Nov 28 04:25:45 UTC 2007


I'd like to take issue with the following statement that's being made  
all too often: [not picking on anybody in particular, just  
"established wisdom"]

> the security requirements to authorize financial transactions are much
> higher than the requirements to login to most consumer oriented websites.

Ahem, no?

Just today, I ordered something from Amazon with no credential at all,  
just my credit card number and "security code" (also printed on the  
card) that every waiter knows in every restaurant I have ever been to.

This is *less* security than username and password, not "much higher"  
as is generally stated.

Now, you can quibble with my statement, but in order to do so, we need  
to put a whole lot of if-then-elses around when higher security is  
and isn't required. The fact of the matter is that less security than  
OpenID Auth was perfectly acceptable for parties that know what they  
are doing (Amazon, Visa etc.) for a transaction worth hundreds of dollars.

So, let's beware of blanket statements re security requirements ...

Cheers,

Johannes.

Johannes Ernst
NetMesh Inc.

http://netmesh.info/jernst