[OpenID] OpenID 2.0, PAPE, and handling monetary transactions
Allen Tom
openid at allentom.com
Wed Nov 28 04:42:48 UTC 2007
Hi Johannes,
You provided Amazon your CC number, CC Security code, and a billing
address that matches your CC's billing address. That seems to be more
than what most stores would require if you used your card in person at
the store.
Amazon can also store your CC number for future use, and your stored CC
number can be used to authorize purchases by just entering your Amazon
password. I would think that most OPs would want nothing to do with
tying an OpenID to a stored credit card. This is actually the use case
that I'm most concerned about.
Likewise, the level of security to login to a financial site is quite a
bit higher than what's required to login to most consumer websites. For
instance, financial sites should tie credentials to IP addresses,
require strong passwords, have short-lived sessions, etc. Also, decently
sized high-value sites would also require SOX compliance and all the
baggage that comes with that.
Allen
Johannes Ernst wrote:
> I'd like to take issue with the following statement that's being made
> all too often: [not picking on anybody in particular, just
> "established wisdom"]
>
>> the security requirements to authorize
>> financial transactions are much higher than the requirements to login to
>> most consumer oriented websites.
>
> Ahem, no?
>
> Just today, I ordered something from Amazon with no credential at all,
> just my credit card number and "security code" (also printed on the
> card) that every waiter knows in every restaurant I have ever been to.
>
> This is *less* security than username and password, not "much higher"
> as is generally stated.
>
> Now, you can quibble with my statement, but in order to do so, we need
> to put a whole lot of if-then-elses around when higher security is
> and isn't required. The fact of the matter is that less security than
> OpenID Auth was perfectly acceptable for parties that know what they
> are doing (Amazon, Visa etc.) for a transaction worth hundreds of dollars.
>
> So, let's beware of blanket statements re security requirements ...
>
> Cheers,
>
> Johannes.
>
> Johannes Ernst
> NetMesh Inc.
> http://netmesh.info/jernst