[OpenID] OpenID 2.0, PAPE, and handling monetary transactions
Eric Norman
ejnorman at doit.wisc.edu
Thu Nov 29 00:01:35 UTC 2007
On Nov 27, 2007, at 10:42 PM, Allen Tom wrote:
> You provided Amazon your CC number, CC Security code, and a billing
> address that matches your CC's billing address. That seems to be more
> than what most stores would require if you used your card in person at
> the store.
There's more. When at the store, your credit card is also
one of those "something you have" things. Furthermore, the
store either obtains a piece of paper with your signature
via pen or a "digital signature" PIN) that signifies your
intent to use the card for this purchase. So which method
is stronger? Well, I reckon that's moot {look it up!)
In any case, I disagree with Johannes and think that a
credit card is a credential. It's just a matter or how
strong and reliable it is.
> Amazon can also store your CC number for future use, and your stored
> CC number can be used to authorize purchases by just entering your
> Amazon password. I would think that most OPs would want nothing to do
> with tying an OpenID to a stored credit card. This is actually the use
> case that I'm most concerned about.
As an aside, I sure do wish that sites like Amazon gave
me an option to require entry of by card number every time.
That is, they don't store it as a "convenience to the user".
This isn't a matter of me still being at the keyboard; it's
a matter of allowing me to do my own risk management.
Eric Norman
http://ejnorman.blogspot.com
More information about the general
mailing list