[OpenID] Assertion Quality Extension => openid.importance
Martin Atkins
mart at degeneration.co.uk
Wed Dec 13 10:25:35 UTC 2006
Justin S. Peavey wrote:
>
> I fully agree with you in your example above until you mention money.
> In the Amazon example for book purchases, the user is not the one
> affected by a mis-authenticated transaction, Amazon and the credit-card
> companies are; the user is indemnified by most credit card companies for
> fraudulent purchases. If the user was *actually bound* to be
> responsible for the transactions their identities perform, the model
> works - but this is not the world that I (or Amazon, or Bank of America)
> live in.
Is anyone really expecting an OpenID identity to be used in place of a
credit card number? Perhaps I'm just not seeing the advantage of this,
but I would expect that most organizations carrying out credit card
transactions would:
* Use OpenID to authenticate the user against the account to gain
access to the purchase history, returns, enquiries and such.
* Demand the user's credit card before actually performing any
transaction.
While I'll admit that Amazon and PayPal currently store credit card
details and require (in some cases) only the password to be entered, it
can hardly be argued that my Amazon password is any more secure than my
IdP password. In Amazon's case they still don't let you make a purchase
knowing only the password in most cases; you have to provide all or part
of the stored credit card number or other authentication details.
But this is all beside the point given the fact that the OP *is always
in control* — there is NO WAY that the RP can tell what the OP really
did. The OP can lie, the OP can have a bad implementation of a given
authentication scheme or the OP might not even be a traditional OP at
all. I don't really see the value in presenting a protocol which gives
an illusion of control to the RP; it just seems dishonest.