Kim Cameron on OpenID+Cardspace Integration

21st Jan 2007

Kim Cameron has an article on how to mitigate the potential for phishing in OpenID by using CardSpace.

Assuming I'm understanding Kim's proposal correctly, then this is just replacing the username/password authentication at the OP with CardSpace authentication. If this is the case, OpenID can already do that: the OpenID spec says nothing at all about how the OP should authenticate the user.

It would be an interesting experiment to create an OP that allows users to choose on signup to use either a username/password or CardSpace. Since CardSpace isn't yet widely deployed it isn't feasible to make it the only means of authentication, but having it as an option is — presumably, at least — a viable approach today.

What this highlights is something that many people have been saying all along: phishing is not OpenID's problem; it's the OP's problem. A responsible OP must obviously take steps to ensure that users are not vulnerable to phishing, and the authentication mechanism used between the user and the OP is intentionally out of scope in OpenID Authentication precisely so that innovations such as CardSpace can be integrated without any change to the protocol.
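To make that separation concrete, here is an added example (not code from Kim's article or from this post) of an OP that accepts either a password login or a CardSpace-style login and then produces the same signed OpenID 2.0 positive assertion either way. The CardSpace side is an assumed simplification: a per-card key signs an OP-issued challenge bound to the OP endpoint, which stands in for the real token exchange but keeps the property that matters against phishing.

```python
import base64, hashlib, hmac, os

class PasswordAuthenticator:
    """Classic login: the user types a reusable secret (the phishable case)."""
    def __init__(self):
        self._users = {}  # username -> (salt, PBKDF2 digest)
    def enroll(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))
    def authenticate(self, user, credential, _challenge):
        rec = self._users.get(user)
        if rec is None:
            return False
        return hmac.compare_digest(rec[1], hashlib.pbkdf2_hmac("sha256", credential.encode(), rec[0], 100_000))

class CardAuthenticator:
    """Assumed stand-in for CardSpace (not the real SAML token): the user's software signs
    an OP-issued challenge, bound to the OP endpoint, with a card key registered at signup."""
    def __init__(self, endpoint):
        self.endpoint, self._keys = endpoint, {}  # username -> card key
    def enroll(self, user, card_key):
        self._keys[user] = card_key
    @staticmethod
    def make_token(card_key, endpoint, challenge):
        return hmac.new(card_key, f"{endpoint}|{challenge}".encode(), hashlib.sha256).hexdigest()
    def authenticate(self, user, credential, challenge):
        key = self._keys.get(user)
        return key is not None and hmac.compare_digest(credential, self.make_token(key, self.endpoint, challenge))

class OpenIDProvider:
    """The OpenID part: identical whichever authenticator said yes."""
    SIGNED = ("op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle")
    def __init__(self, endpoint, assoc_handle, mac_key):
        self.endpoint, self.assoc_handle, self.mac_key = endpoint, assoc_handle, mac_key
    def positive_assertion(self, auth, user, credential, challenge, claimed_id, return_to, nonce):
        if not auth.authenticate(user, credential, challenge):
            return None  # a real OP would answer with openid.mode=cancel
        f = {"mode": "id_res", "op_endpoint": self.endpoint, "claimed_id": claimed_id,
             "identity": claimed_id, "return_to": return_to, "response_nonce": nonce,
             "assoc_handle": self.assoc_handle, "signed": ",".join(self.SIGNED)}
        # OpenID 2.0: HMAC-SHA1 over the Key-Value form ("key:value\n") of the signed fields.
        kv = "".join(f"{k}:{f[k]}\n" for k in self.SIGNED).encode()
        f["sig"] = base64.b64encode(hmac.new(self.mac_key, kv, hashlib.sha1).digest()).decode()
        return {"openid." + k: v for k, v in f.items()}

def verify_assertion(fields, mac_key):
    # RP side (or check_authentication at the OP): recompute the signature from the listed fields.
    kv = "".join(f"{k}:{fields['openid.' + k]}\n" for k in fields["openid.signed"].split(",")).encode()
    expected = base64.b64encode(hmac.new(mac_key, kv, hashlib.sha1).digest()).decode()
    return hmac.compare_digest(fields["openid.sig"], expected)
```

The RP never learns which authenticator was used; a token minted for a look-alike endpoint, or replayed against a fresh challenge, simply fails at the OP and no assertion is issued.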