[OpenID] Combining Google & Yahoo user experience research
Peter Williams
pwilliams at rapattoni.com
Mon Oct 20 15:13:39 UTC 2008
Is openid as a concept applicable for handling fraudulent logins to online banking sites?
I ask as - and dick h may correct me - but elements of the board deny that today the technology is even applicable for websso between general enterprise applications (let alone online banking satisfying consumer protection laws).
We have to be careful, as security professionals. $r example, the shibboleth communities makes great fuss that strong academic freedoms and us/uk "federal" privacy mandates force shib sso to adopt certain designs models. But, those same demands are apparently weak in other areas: they strangely dont obligate any software assurance tests, third party interoperability testing and certification, etc.
little point (beyond research) of having strong functional security without the complementary assurances. no point doing online banking with openid if there is no viable general e-commerce use of openid...
-----Original Message-----
From: Jack Cleaver <jack at jackpot.uk.net>
Sent: Monday, October 20, 2008 3:45 AM
To: general at openid.net <general at openid.net>
Subject: Re: [OpenID] Combining Google & Yahoo user experience research
alavillipraveen at aol.com wrote:
> Also, the lack of SLAs both between RPs & OPs and OPs & users about
> the use of OpenID protocol to login to some where else is very scary.
> None of the major provider's TOS says anything about how long they
> are going to let their users use their OpenIDs to login to some where
> else. Even your favorite says "reserves the right to modify or
> discontinue the Service with or without notice to Member.".? :-)
TOS and SLA would be a big issue for a bank, because of the potentially
very large legal liability they could face. It's one thing to accept
OpenID for a specific transaction of known value; you know how much risk
you are taking on. It's another thing entirely to let someone open a
bank account; in general, there are no limits placed by banks on how
much money you are allowed to deposit (and so, how much you might sue
the bank for if it was all stolen).
Under those circumstances, I would expect a bank either to make their
own arrangements for ID, and rely on no third parties at all; or to rely
only on third parties that were known quantities from a litigation POV.
This is irrespective of how reliable the ID provider might be; a given
OpenID provider might be provably more reliable than any system the bank
could devise, for example, and yet it would still be preferable to keep
the job in-house, just because it would make it easier to quantify the
risk (which includes the potential costs of litigation).
--
Jack.
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
More information about the general
mailing list