[OpenID] OpenID and phishing (was Announcing OpenIDAuthentication 2.0 - Implementor's Draft 11)

James A. Donald jamesd at echeque.com
Sat Jan 20 00:52:43 UTC 2007


Gabe Wachob wrote:
 > > Regarding anti-phishing & IE - isn't that one of the
 > > main design goals of Cardspace?

Mike Beltzner wrote:
 > Well, yes and no. As I understand it (and the last
 > time I looked at it deeply it was called InfoCard, so
 > Things May Have Changed -- I'll count on someone
 > telling me if I'm wrong) the way Cardspace works is
 > that when a website asks for information, the user
 > reaches into their "wallet" to select the "card" that
 > they wish to present.
 >
 > If the website requesting that information is
 > malicious, Cardspace in and of itself does nothing to
 > prevent you from passing the information along.

However, the information you present does not allow the
operators of the fake web site to login to the real web
site.

The analogy is that you are showing them your ID card,
not giving them a copy of your ID card.  The usual
cryptographic tricks are used to ensue that they cannot
reconstruct your ID card from the information that you
show them.





More information about the general mailing list