[OpenID] PKI

James A. Donald jamesd at echeque.com
Wed Jan 24 21:08:39 UTC 2007 

     --
Hallam-Baker, Phillip wrote:
 > PKI is being successful at allowing users to identify
 > organizations. That is currently the most important
 > task in stopping phishing attacks where the phishing
 > gang is impersonating the bank.

No it is not.

For example, for a long time e-gold had certificate that
contained organization information that would have been
meaningless and surprising to most users, had they
looked at it, which obviously they did not, and for some
time their organization information pointed to an
expired shell company.

None of this had the slightest effect on their business.

End users simply are not looking at the organization
information, and if they did, then in many cases they
would be surprised, confused, and misled.

 > PKI is also used in a billion smart cards to
 > authenticate customers to their bank in the European
 > Chip and PIN scheme.
 >
 > These are billion dollar plus infrastructures that
 > secure trillions of dollars of trade annually. That is
 > a success.  There being no identity infrastructure
 > ubiquitously deployed in the Internet we cannot make
 > any conclusion as to the relative advantages of
 > different primary authentication schemes. The lack of
 > such an infrastructure to date appears to be due to
 > lack of perceived demand rather than lack of
 > technology.
 >
 > The user authentication support in SSL was an
 > afterthought, the user experience miserably executed
 > and poorly thought out. CardSpace changes that.

The user hostile experience is inherent in third party
true name idenfification.  Cardspace merely shifts the
user hostility to a different part of the process.   Our
primary reason to support proof of truename is to
provide proof of relationship, and true names are an
inherently clumsy way of doing his - hence the
propensity of businesses to concoct true names that are
obscure and little known, and the irritation of
consumers when asked to provide proof of true name.

     --digsig
          James A. Donald
      6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
      dpcbOHXyE+NwMYsvDNWT1cB2r3j/EhswL1O9+CbO
      4wm9LikXKHyU8FmdwiNVEkXLKiMSdNqphphWPecs1

More information about the general mailing list