Martin Atkins (mart) wrote in apparentlymart,

Kim Cameron on OpenID+Cardspace Integration

Kim Cameron has an article on how to mitigate the potential for phishing in OpenID by using CardSpace.

Assuming I'm understanding Kim's proposal correctly, this is just replacing the username/password authentication at the OP with CardSpace authentication. If this is the case, OpenID can already do that: the OpenID spec says nothing at all about how the OP should authenticate the user.

It would be an interesting experiment to create an OP that allows users to choose on signup to use either a username/password or CardSpace. Since CardSpace isn't yet widely deployed it isn't feasible to make it the only means of authentication, but having it as an option is — presumably, at least — a viable approach today.

What this highlights is something that many people have been saying all along: phishing is not OpenID's problem, it's the OP's problem. A responsible OP must obviously take steps to ensure that users are not vulnerable to phishing; the authentication mechanism used between the user and the OP is intentionally out of scope in OpenID Authentication specifically to allow for innovations such as CardSpace to be integrated with no changes necessary.
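To make the point concrete, here is an added example (not code from the post, and not from any OpenID library) of the two halves of an OP: a user-to-OP authenticator, and the OpenID 2.0 positive assertion that is issued and signed afterwards. The assertion path takes only the outcome of authentication, so the password authenticator could be swapped for a CardSpace-backed one without changing what the relying party receives. Endpoint URLs, the association handle, the MAC key and the nonce are constructed values.

```python
import base64
import hashlib
import hmac
import os

OPENID_NS = "http://specs.openid.net/auth/2.0"

def kv_form(fields):
    # OpenID 2.0 Key-Value Form Encoding (section 4.1.1): "key:value\n" per entry, in order.
    return "".join(f"{k}:{v}\n" for k, v in fields.items()).encode()

def compute_sig(fields, signed_keys, mac_key):
    # Section 6.1: HMAC (SHA-256 for an HMAC-SHA256 association) over the KV form, base64-encoded.
    payload = kv_form({k: fields["openid." + k] for k in signed_keys})
    return base64.b64encode(hmac.new(mac_key, payload, hashlib.sha256).digest()).decode()

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class PasswordAuthenticator:
    """One user-to-OP mechanism (constructed here); the assertion code below never sees it."""
    def __init__(self):
        self._users = {}
    def enroll(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, _derive(password, salt))
    def authenticate(self, user, password):
        rec = self._users.get(user)
        return rec is not None and hmac.compare_digest(rec[1], _derive(password, rec[0]))

def issue_assertion(op_endpoint, identity, return_to, assoc_handle, mac_key, authenticated, nonce):
    # OP side. Only the boolean outcome of authentication reaches this point, so a
    # CardSpace-based authenticator could replace PasswordAuthenticator without touching it.
    if not authenticated:
        return {"openid.ns": OPENID_NS, "openid.mode": "cancel"}
    fields = {"openid.ns": OPENID_NS, "openid.mode": "id_res", "openid.op_endpoint": op_endpoint,
              "openid.claimed_id": identity, "openid.identity": identity, "openid.return_to": return_to,
              "openid.response_nonce": nonce, "openid.assoc_handle": assoc_handle}
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = compute_sig(fields, signed, mac_key)
    return fields

def verify_assertion(fields, mac_key):
    # RP side: recompute the signature over the fields the OP says it signed.
    if fields.get("openid.mode") != "id_res":
        return False
    sig = compute_sig(fields, fields["openid.signed"].split(","), mac_key)
    return hmac.compare_digest(fields["openid.sig"], sig)
```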

Tags: openid, phishing

