[OpenID] OpenID 2.0, PAPE, and handling monetary transactions

Ben Bangert ben at groovie.org
Wed Nov 28 04:43:02 UTC 2007


On Nov 27, 2007, at 8:25 PM, Allen Tom wrote:

> I believe the lawyers will go after the biggest target, and that  
> very well could be the OP. An OP should have a mechanism to say that  
> its OpenIDs are not suitable to access credit card numbers or to  
> authorize any payments, or other high value transactions.

There are no lawyers involved. A company charges a user 5 bucks,  
credit card company charges it back to them. It would now cost the  
company thousands in legal fees to press a lawsuit against a single OP  
that failed to honor what it claimed to. And if that single OP is  
actually the end user's, and was misconfigured? I'm not sure there's  
any more legal ability to sue an OP than to sue a user that uses  
their username as their password.

> I disagree with you here, at some point, the lawyers will go after  
> the OP, if the OP has enough assets to make it worthwhile.

Lawyers don't do this for fun, and RPs can't go and sue every OP that  
fails to properly reauth a user like PAPE said they would. Plus, if  
you look at how PAPE works, an RP may not even realize that the OP  
failed to re-auth the user without going and checking it themselves.

> OPs may already know that their OpenIDs are not suitable for  
> financial transactions, and would like a way to explicitly advertise  
> that.

So what exactly is OpenID good for? Dick Hardt said it was good for  
social networks, but apparently not Facebook which now has some  
financial transactions. And it might not be good for any other social  
network that at some point wishes to engage in financial transactions.  
And if a blog service decides to have a premier membership level that  
has a subscription? Great, then OpenID is reduced even further in  
potential adoption.

The fact is, many many websites in some way handle financial  
transactions.... FaceBook, Amazon, NetFlix, 37 Signals, subscription-based  
sites, Tivo, etc. It's a pretty dang long list, and getting  
longer as many companies move from purely free websites to websites  
with various subscription levels.

> Again, it's great that we're talking about using OpenID for high  
> value transactions, but consumer oriented OPs may already be aware  
> of the limitations of OpenID and their own implementation of OpenID,  
> and would not want to condone the use of their OpenIDs in an unsafe  
> manner.
>
> Also, just from a practical standpoint, users will have a strong  
> relationship with their OP, and may hold their OP accountable for  
> security issues, even for issues that were entirely the RP's fault.

I'm really not concerned about high value transactions (someone else  
brought that up, not me), whatever we qualify those as. I'm talking  
about any old common financial transaction:
- User changes from 5/mth to 25/mth subscription
- User buys 40 buck book
- User sends $1 gift to a friend
etc.

I'm fine using security questions or some scheme I can verify that the  
user has re-authed, since apparently no one is interested in thinking  
up a way that the trust level of an OP can be asserted (no, I don't  
trust the OP to say how I should trust it). If the OpenID community  
has a problem with RPs having security questions, or a few tidbits  
from a credit card to prove that you actually know more details about  
the user, then please, provide an alternate solution.

Cheers,
Ben
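The point above that "an RP may not even realize that the OP failed to re-auth the user without going and checking it themselves" is exactly what a PAPE-aware RP has to do on its own side: the OP only reports `openid.pape.auth_time` and `openid.pape.auth_policies`, and nothing forces the RP to compare them against the `max_auth_age` and policies it asked for. The following is an added example (not code from this thread or from any OpenID library) of that RP-side check over a constructed OpenID 2.0 response. It assumes the RP has already verified the assertion's signature, that the PAPE extension was registered under the conventional alias `pape`, and that the RP is willing to tolerate a small clock skew (`skew_seconds`, an assumed parameter) between itself and the OP.

```python
from datetime import datetime, timedelta, timezone

# Namespace and policy URIs from the PAPE 1.0 specification.
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"


def parse_auth_time(value):
    """Parse a PAPE auth_time ("YYYY-MM-DDThh:mm:ssZ", always UTC) into an aware datetime."""
    if not value.endswith("Z"):
        raise ValueError("auth_time must be expressed in UTC with a trailing Z")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_pape_response(response, max_auth_age, required_policies, now, skew_seconds=60):
    """Decide whether an OpenID 2.0 positive assertion satisfies the RP's PAPE request.

    response         : dict of the OpenID response parameters (openid.* keys)
    max_auth_age     : the max_auth_age (seconds) the RP asked for
    required_policies: policy URIs the RP insisted on
    now              : the RP's current UTC time (passed in so the check is deterministic)
    Returns (ok, reasons); reasons lists every failed check so the RP can log them.
    """
    reasons = []

    # The PAPE fields are only trustworthy if they were covered by the OP's signature.
    signed = set(response.get("openid.signed", "").split(","))
    for field in ("ns.pape", "pape.auth_time", "pape.auth_policies"):
        if field not in signed:
            reasons.append("field %s is not in openid.signed" % field)

    if response.get("openid.ns.pape") != PAPE_NS:
        reasons.append("OP did not return the PAPE extension")
        return False, reasons

    # An OP that silently skipped re-authentication still reports the old auth_time;
    # the RP has to do the age comparison itself.
    raw = response.get("openid.pape.auth_time")
    if raw is None:
        reasons.append("auth_time missing; cannot prove re-authentication")
    else:
        try:
            auth_time = parse_auth_time(raw)
        except ValueError:
            reasons.append("auth_time malformed: %r" % raw)
        else:
            age = now - auth_time
            if age < -timedelta(seconds=skew_seconds):
                reasons.append("auth_time is in the future beyond allowed skew")
            elif age > timedelta(seconds=max_auth_age + skew_seconds):
                reasons.append("authentication is %d seconds old, max_auth_age is %d"
                               % (age.total_seconds(), max_auth_age))

    # auth_policies is a space-separated list, or the literal "none".
    policies = response.get("openid.pape.auth_policies", "none")
    satisfied = set() if policies == "none" else set(policies.split())
    missing = set(required_policies) - satisfied
    if missing:
        reasons.append("required policies not satisfied: %s" % ", ".join(sorted(missing)))

    return (not reasons), reasons


# Constructed sample: an OP response received at 2007-11-28 04:43:02 UTC.
NOW = datetime(2007, 11, 28, 4, 43, 2, tzinfo=timezone.utc)
SIGNED = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,ns.pape,pape.auth_time,pape.auth_policies"

FRESH_RESPONSE = {
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_time": "2007-11-28T04:40:00Z",   # 182 seconds ago
    "openid.pape.auth_policies": MULTI_FACTOR,
    "openid.signed": SIGNED,
}

STALE_RESPONSE = dict(FRESH_RESPONSE, **{"openid.pape.auth_time": "2007-11-28T03:00:00Z"})
NO_POLICY_RESPONSE = dict(FRESH_RESPONSE, **{"openid.pape.auth_policies": "none"})
UNSIGNED_RESPONSE = dict(FRESH_RESPONSE, **{"openid.signed": "op_endpoint,claimed_id,identity"})

if __name__ == "__main__":
    for name, resp in [("fresh", FRESH_RESPONSE), ("stale", STALE_RESPONSE),
                       ("no-policy", NO_POLICY_RESPONSE), ("unsigned", UNSIGNED_RESPONSE)]:
        ok, reasons = check_pape_response(resp, 300, [MULTI_FACTOR], NOW)
        print(name, "OK" if ok else "REJECT", reasons)
```

The deciding factor for the $5 subscription change or the $40 book purchase discussed above is the `max_auth_age` comparison: the RP, not the OP, has to refuse the transaction when `auth_time` is older than what it asked for, since a valid signature alone only proves the OP answered, not that it re-authenticated anyone.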