[OpenID] Durability of authorized sessions

Jack Cleaver jack at jackpot.uk.net
Wed Nov 28 20:13:52 UTC 2007


Allen Tom wrote:
> 
> Again, it would be very nice to have a standard mechanism for an OP
> to indicate that its OpenIDs are not suitable for high value
> transactions.

I'm not too comfortable about these "high value" or "1-100" rating schemes.

On the principle that the user is supposed to be in control, I suggest
that the user should be able to specify the maximum amount of money that
he'd be willing to lose through the acceptance by some RP of his OpenID
creds.

Similarly the RP, as the party exposed to CC charge-back, might want to
know that the user/OP combo is willing to certify the creds up to the
actual transaction value.

[I say "user/OP" because I am still interested in the original idea that
a user might operate their own OP. I've stopped developing my own code,
partly because the direction this project has taken has been
heavily-slanted towards the commercialisation of ID provision. But if
you view the OP as simply the user's identity agent, then the risk
relationship is essentially between the user (via his OP) and the RP.]

Just because a user says he is willing for his OpenID to be used for
transactions up to a maximum of (e.g.) $100, doesn't necessarily mean
that any RP is absolved of his charge-back risks. On the contrary; the
charge-back arrangements are a matter between the card-issuer and the
RP, and don't involve the OpenID user (or his OP). Rather, if an RP
raises a charge in excess of the user's maximum, then I would suppose
that the user has a dispute with the RP that should in principle be
susceptible to settlement (to the RP's disadvantage) without the
involvement of the card-issuer.

Of course, if the user *is* relying on a third-party OP, that might lead
the RP to have increased confidence in the maximum transaction value
that the OP reports. Or not. That might be because of whitelisting, or
because of PAPE claims that the RP happens to trust, or both.

> If there is not a mechanism to do this, then OPs may need to
> blacklist these RPs on a case by case basis, which is certainly not a
> scalable or desirable solution. Alternatively, OPs may need to have a
> whitelist of acceptable RPs which is also contrary to the spirit of
> OpenID.

Oh, I disagree with the latter statement (while agreeing with the
former). If this is a user-controlled identity scheme, then the user
most certainly should be able to specify which RPs are and are not
permitted to rely on a given OpenID, and to what extent. Isn't that the
whole idea?

-- 
Jack.



