[OpenID] OpenID 2.0, PAPE, and handling monetary transactions

Eric Norman ejnorman at doit.wisc.edu
Thu Nov 29 00:01:35 UTC 2007


On Nov 27, 2007, at 10:42 PM, Allen Tom wrote:

>  You provided Amazon your CC number, CC Security code, and a billing 
> address that matches your CC's billing address. That seems to be more 
> than what most stores would require if you used your card in person at 
> the store.

There's more.  When at the store, your credit card is also
one of those "something you have" things.  Furthermore, the
store either obtains a piece of paper with your signature
via pen or a "digital signature" (PIN) that signifies your
intent to use the card for this purchase.  So which method
is stronger?  Well, I reckon that's moot (look it up!).

In any case, I disagree with Johannes and think that a
credit card is a credential.  It's just a matter of how
strong and reliable it is.

>  Amazon can also store your CC number for future use, and your stored 
> CC number can be used to authorize purchases by just entering your 
> Amazon password. I would think that most OPs would want nothing to do 
> with tying an OpenID to a stored credit card. This is actually the use 
> case that I'm most concerned about.

As an aside, I sure do wish that sites like Amazon gave
me an option to require entry of my card number every time.
That is, they don't store it as a "convenience to the user".
This isn't a matter of me still being at the keyboard; it's
a matter of allowing me to do my own risk management.

Eric Norman
http://ejnorman.blogspot.com



