[OpenID] OpenID and phishing (was AnnouncingOpenIDAuthentication 2.0 - Implementor's Draft 11)

Granqvist, Hans hgranqvist at verisign.com
Fri Jan 19 23:00:19 UTC 2007


> If the website requesting that information is malicious, 
> Cardspace in and of itself does nothing to prevent you from 
> passing the information along.

The idea of CardSpace's UI is that the average user will
see whether the site is good or bad.

CardSpace would do this mainly by making most of the (EV)
PKI chain visible to the end user.  Normal PKI gotchas
such as self-issued, expired, or revoked certs would be 
more difficult (if not impossible) to ignore.

The info you then send to the site would be exclusively
encrypted for the recipient (using PKI again), to thwart 
MITM attacks.

I'm not saying that this prevents a malicious site, just
that it makes it a bit more expensive and difficult to be 
malicious.

-Hans



More information about the general mailing list