Martin Atkins (mart) wrote in apparentlymart,

Kim Cameron on OpenID+Cardspace Integration

Kim Cameron has an article on how to mitigate the potential for phishing in OpenID by using CardSpace.

Assuming I'm understanding Kim's proposal correctly, then this is just replacing the username/password authentication at the OP with CardSpace authentication. If this is the case, OpenID can already do that: the OpenID spec says nothing at all about how the OP should authenticate the user.

It would be an interesting experiment to create an OP that allows users to choose on signup to use either a username/password or CardSpace. Since CardSpace isn't yet widely deployed it isn't feasible to make it the only means of authentication, but having it as an option is — presumably, at least — a viable approach today.

What this highlights is something that many people have been saying all along: phishing is not OpenID's problem, it's the OP's problem. A responsible OP must obviously take steps to ensure that users are not vulnerable to phishing; the authentication mechanism used between the user and the OP is intentionally out of scope in OpenID Authentication specifically to allow for innovations such as CardSpace to be integrated with no changes necessary.
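
The point above in runnable form, as an added example that is not from the original post: a toy OP offers two login methods and emits the same signed assertion for either, so the RP's check never changes. The field list and HMAC-SHA256 key-value signing are simplified from OpenID Authentication 2.0; `op.example`, the sample account, and the key-possession check standing in for CardSpace are assumptions.

```python
import base64, hashlib, hmac, os

ASSOC_SECRET = os.urandom(32)  # OP<->RP association secret (constructed)
SIGNED = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce"]
SALT, CARD_KEY = os.urandom(16), os.urandom(32)
USERS = {"alice": {"salt": SALT, "card_key": CARD_KEY,  # constructed sample account
                   "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)}}
PENDING = {}  # user -> one-time challenge issued by the OP

def issue_challenge(user):
    PENDING[user] = os.urandom(16)
    return PENDING[user]

def card_proof(challenge):
    """Client side of the stand-in card login (hypothetical helper)."""
    return hmac.new(CARD_KEY, challenge, hashlib.sha256).digest()

def auth_password(user, cred):
    rec = USERS.get(user)
    if rec is None or not isinstance(cred, str):
        return False
    got = hashlib.pbkdf2_hmac("sha256", cred.encode(), rec["salt"], 100_000)
    return hmac.compare_digest(got, rec["pw_hash"])

def auth_card(user, cred):
    # Stand-in for CardSpace: proof of possession of a per-user key over a
    # one-time OP challenge. This is NOT the real CardSpace token format.
    rec, challenge = USERS.get(user), PENDING.pop(user, None)
    if rec is None or challenge is None or not isinstance(cred, bytes):
        return False
    want = hmac.new(rec["card_key"], challenge, hashlib.sha256).digest()
    return hmac.compare_digest(want, cred)

AUTHENTICATORS = {"password": auth_password, "card": auth_card}

def sign_fields(fields):
    kv = "".join(f"{k}:{fields[k]}\n" for k in SIGNED).encode()  # key-value form
    return base64.b64encode(hmac.new(ASSOC_SECRET, kv, hashlib.sha256).digest()).decode()

def op_assert(method, user, cred, return_to, nonce):
    """OP side: authenticate by any method, then emit the same assertion."""
    if not AUTHENTICATORS[method](user, cred):
        return None
    ident = f"https://op.example/{user}"
    fields = {"op_endpoint": "https://op.example/server", "claimed_id": ident,
              "identity": ident, "return_to": return_to, "response_nonce": nonce}
    fields["sig"] = sign_fields(fields)
    return fields

def rp_verify(fields):
    """RP side: checks only the signed fields; it never sees the login method."""
    return hmac.compare_digest(sign_fields(fields), fields.get("sig", ""))
```

Nothing in the assertion records which authenticator ran, which is why an OP can add a phishing-resistant login without any change on the RP side.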

Tags: openid, phishing
