Justin S. Peavey wrote:
> 
> I fully agree with you in your example above until you mention money. 
> In the Amazon example for book purchases, the user is not the one
> affected by a mis-authenticated transaction, Amazon and the credit-card
> companies are; the user is indemnified by most credit card companies for
> fraudulent purchases.  If the user was *actually bound* to be
> responsible for the transactions their identities perform, the model
> works - but this is not the world that I (or Amazon, or Bank of America)
> live in. 

Is anyone really expecting an OpenID identity to be used in place of a 
credit card number? Perhaps I'm just not seeing the advantage of this, 
but I would expect that most organizations carrying out credit card 
transactions would:

  * Use OpenID to authenticate the user against the account to gain 
access to the purchase history, returns, enquiries and such.
  * Demand the user's credit card before actually performing any 
transaction.

While I'll admit that Amazon and PayPal currently store credit card 
details and require (in some cases) only the password to be entered, it 
can hardly be argued that my Amazon password is any more secure than my 
IdP password. In Amazon's case they still don't let you make a purchase 
knowing only the password in most cases; you have to provide all or part 
of the stored credit card number or other authentication details.

But this is all beside the point given the fact that the OP *is always 
in control* — there is NO WAY that the RP can tell what the OP really 
did. The OP can lie, the OP can have a bad implementation of a given 
authentication scheme or the OP might not even be a traditional OP at 
all. I don't really see the value in presenting a protocol which gives 
an illusion of control to the RP; it just seems dishonest.

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs