<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:Helvetica;
        panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:blue;
        text-decoration:underline;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:Arial;
        color:navy;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=blue style='word-wrap: break-word;-webkit-nbsp-mode: space;
-webkit-line-break: after-white-space'>
<div class=Section1>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>I haven&rsquo;t been part of PAPE, but I think
the right view is one of incremental advancement towards the point where it&rsquo;s
not insane to use OpenID for user authentication in &ldquo;transactions of
value&rdquo;. You may just be ahead of the curve. I think PAPE is one step &ndash;
signatures of PAPE statements may or may not be the next step. <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>When you deal with &ldquo;transactions of
value&rdquo;, use of OpenID has to be analyzed in the context of the overall
transaction flow, and with the mindset of risk/benefit analysis, not just &ldquo;security&rdquo;.
I&rsquo;m not sure that&rsquo;s going to happen entirely in an open environment
like these email lists &ndash; it may be that the analysis is already happening
in private, and that mitigation factors to the obvious security issues are
already being put in place for certain transactions among certain RPs and OPs. <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Or maybe it isn&rsquo;t. <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>In any case, these RPs will have to make
the call about the benefit of OpenID in their business context. For example, in
many cases involving highly regulated industries such as banking or electronic
payments, it is the RPs and NOT the users that bear the risk (or at least a
good deal of the risk) of an authentication failure. Thus, the argument for
OpenID&rsquo;s benefits takes on a different character in that environment, and
OpenID uptake is probably driven by a more concentrated, homogeneous group than
we have been seeing for general OpenID adoption (e.g. Visa or the American
Bankers Association or FSTC, not the current OpenID community). Of course,
these organizations have their own interests, their own constraints, and their
own time horizons. <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>What this community (us here) *<b><span
style='font-weight:bold'>can</span></b>* do is demonstrate how legacy
authentication mechanisms, such as biometrics, OTP, etc. (which are more well
known to the &ldquo;transaction of value&rdquo; communities) can be used with
OpenID in a trustable way. And this community (us here) probably has a lot of
learning to do about risk analysis and how mitigation techniques go beyond
technological solutions. Both communities have a lot to learn from each other
and I think it&rsquo;s going to take a while, but I am optimistic. <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>&nbsp;-Gabe
<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>P.S. Apologies for the generalizations
about &ldquo;this community&rdquo; &ndash; I know I&rsquo;m preaching to the
choir for some folks here. <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>
general-bounces@openid.net [mailto:general-bounces@openid.net] <b><span
style='font-weight:bold'>On Behalf Of </span></b>Ben Bangert<br>
<b><span style='font-weight:bold'>Sent:</span></b> Monday, November 26, 2007
3:06 PM<br>
<b><span style='font-weight:bold'>To:</span></b> Dick Hardt<br>
<b><span style='font-weight:bold'>Cc:</span></b> openid-general General<br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [OpenID] OpenID 2.0,
PAPE, and handling monetary transactions</span></font><o:p></o:p></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>
<div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>On Nov 26, 2007, at 1:45 PM, Dick Hardt wrote:<o:p></o:p></span></font></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><br>
<br>
<o:p></o:p></span></font></p>
<div><span style='-webkit-text-stroke-width: -1'>
<p class=MsoNormal><span class=apple-style-span><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>A search of openid on the
site usaa.com gave no results:</span></span></font></span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span class=apple-tab-span><font size=1 face=Helvetica><span
style='font-size:9.0pt;font-family:Helvetica'>&nbsp;</span></font></span><font
size=1 face=Helvetica><span style='font-size:9.0pt;font-family:Helvetica'><a
href="http://www.google.com/search?q=openid+site%3Ausaa.com">http://www.google.com/search?q=openid+site%3Ausaa.com</a></span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>That wiki entry looks over a year old, which also then predates PAPE.
It is not clear, but it would seem that whoever wrote the entry was thinking
that USAA would be issuing the OpenID.<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>A friend of mine who has an account with them said the OpenID dialog
only comes up if you have an account with them and selected the option. It's
definitely implemented and running right now.<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><br>
<br>
<o:p></o:p></span></font></p>
<div><span style='-webkit-text-stroke-width: -1'>
<div>
<p class=MsoNormal><span class=apple-style-span><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>Looks like Terry
accurately addressed your other comments.</span></span></font></span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>
</div>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Personally, I think anyone that used OpenID Authentication for
financial transactions would be crazy. I think we need to move OpenID to a new
level for it to be used for transactions any more sensitive than social
networking and blog commenting.<o:p></o:p></span></font></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>So your online identity, who the world sees you as, your posts around
the net, your online 'reputation' really, is not as important as securing a
financial transaction? I personally would consider it incredibly damaging to
have someone running around the net who hijacked a cookie off me. Sure the
person hijacking my OpenID can't access my financial data, but I consider my
online reputation rather valuable as well.<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>It just depresses me a bit that this seems to come down to,
"OpenID, use it if you need something slightly better than anonymous
comments". Why bother with being phishing resistant, or addressing any of
the other security issues that OpenID has been attempting to tackle, if it's
just to secure some blog comments?<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>At the very least, I think it would be prudent in light of this, to
have a nice big disclaimer on the openid.net developers page clearly saying,
"OpenID is for things of little value, like blog comments and sites that
never touch money." I'm speaking here in utter frustration of having spent
quite a bit of time going over PAPE, and OpenID 2.0 with the apparently crazy
belief that OpenID is suitable for more than merely blog commenting.<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Cheers,<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Ben<o:p></o:p></span></font></p>
</div>
</div>
</div>
</body>
</html>