[OpenID] Combining Google & Yahoo user experience research

Jack Cleaver jack at jackpot.uk.net
Mon Oct 20 10:45:43 UTC 2008


alavillipraveen at aol.com wrote:

> Also, the lack of SLAs both between RPs & OPs and OPs & users about
> the use of OpenID protocol to log in to somewhere else is very scary.
> None of the major providers' TOS says anything about how long they
> are going to let their users use their OpenIDs to log in to somewhere
> else. Even your favorite says "reserves the right to modify or
> discontinue the Service with or without notice to Member." :-)

TOS and SLA would be a big issue for a bank, because of the potentially
very large legal liability they could face. It's one thing to accept
OpenID for a specific transaction of known value; you know how much risk
you are taking on. It's another thing entirely to let someone open a
bank account; in general, there are no limits placed by banks on how
much money you are allowed to deposit (and so, how much you might sue
the bank for if it was all stolen).

Under those circumstances, I would expect a bank either to make their
own arrangements for ID, and rely on no third parties at all; or to rely
only on third parties that were known quantities from a litigation POV.
This is irrespective of how reliable the ID provider might be; a given
OpenID provider might be provably more reliable than any system the bank
could devise, for example, and yet it would still be preferable to keep
the job in-house, just because it would make it easier to quantify the
risk (which includes the potential costs of litigation).

-- 
Jack.


