[OpenID] Can you make an online payment with your OpenID?
Coderre, Mark
CoderreM at aetna.com
Thu Mar 20 16:26:57 UTC 2008
I didn't see a response on this but I would like to discuss the problem of backing the credential. OpenID seems friendly with the notion of responsible consumers but for an industry or company to trust it, there needs to be either a strong backer of the identity or a network of backers that increase the strength. The concept would be that multiple entities, chosen and trusted by the consumer, can back the identity assurance level and watch for anomalies that could be a threat to the consumer and the consumer's private information at each of the sites involved in the trust circle.
Mark Coderre
Security Architecture Lead
Aetna Enterprise Architecture
860-636-2440
-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Jørn Wildt
Sent: Wednesday, February 27, 2008 2:13 AM
To: general at openid.net
Subject: [OpenID] Can you make an online payment with your OpenID?
Can you make an online payment with your OpenID? I guess the immediate answer is, no, there is no such service available. At least I haven't been able to find one.
But why shouldn't it be possible? It seems to me that it should be a lot more safe than using credit card numbers - anyone can use your credit card numbers, but it is only you and no one else who can use your OpenID.
I don't know if Yahoo! has any paid-for-premium service, but let's assume they have. Then Yahoo! is able to collect money from these people already. So a webshop could accept payments through OpenIDs from premium.yahoo.com/people/NAME if the webshop has an agreement with Yahoo. Any bank or card issuer could do the same and let you pay with OpenIDs of the form MYID.MYBANK.COM for instance 12345678.mymastercardid.com.
Advantages for the end-user would be a more secure payment method than using your credit card numbers, widely available with the big players buying in on OpenID, and a well known technology (when it becomes widely used of course).
There's probably lots of problems with this idea and I guess a lot of you would say "Phishing!" immediately. But what if the bankers *required* you to use a technology like CardSpace or similar (see Kim Cameron's video here: http://www.identityblog.com/?p=923). Then you would never be issued a phishable password.
This should be doable right now, but the user experience would need some improvements: when I am asked to accept an OpenID query at myopenid.com then I am only presented with a URL and no other message. For a payment transaction I would like to see the amount and some other text too. This would require some minor extensions to the OpenID standard (as far as I understand it).
Dreaming on ... I could also see the use of OpenID as a payment method without prior agreement between the webshop and the OpenID issuer: "all it needs" is a digitally secure way for the webshop to ask the OpenID provider if it allows payments, in which countries, and probably also a few other things. Much like SSL where you trust a certificate because it has been signed by a root certificate. In this case the OpenID provider would have a certificate from "someone" that proves it can be used for payments.
Thanks for listening :-)
/Jorn Wildt