Server-to-server channel (now: Kerberos, Phishing)

Vinay Gupta hexayurt at gmail.com
Thu Apr 5 11:04:19 UTC 2007


One further thought on Kerberos: as far as I know, Kerberos is a  
minimal implementation - nothing simpler than this actually works in  
the real world, and the Kerberos operating environment is a bit  
simpler than what is being discussed in some instances here, in terms  
of managing the language of what access permissions are being granted  
by this sign-on event.

One thing I'd like to suggest we examine is personal customization as  
a way to prevent Phishing. For example, say that my OpenID service  
provider serves pages to me over HTTPS, and furthermore allows me to  
upload my own color preference and background images.

Now, nobody who isn't logged in as me can see my image and colors, so  
if somebody tries to mount Man In The Middle, they can't get access  
to my images etc. and the page will look all wrong. Sounds dumb but  
it might actually work pretty well in practice...

But the key is that those images have to be private, so that the foe  
can't spider the page and show you a copy.

Vinay




--
Vinay Gupta - Designer, Hexayurt Project - an excellent public domain  
refugee shelter system
Gizmo Project VOIP: 775-743-1851 (usually works!)              Cell:  
Iceland (+354) 869-4605
http://howtolivewiki.com/hexayurt - old         http://appropedia.org/ 
Hexayurt_Project - new
Skype/Gizmo/Gtalk: hexayurt   I have a proof which unfortunately this  
signature is too short
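The private-theme idea sketched above, as an added Python example that is not part of the original post: the colours and image are released only to a request carrying a session token issued after login, so a page fetched without the user's session comes back neutral. The user, password, and image bytes are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: one user with a private theme (colour + image bytes).
# The password is stored as a salted PBKDF2 hash; the bytes stand in for an image.
_SALT = b"constructed-salt"


def _hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 200_000)


USERS = {
    "vinay": {
        "password_hash": _hash_password("correct horse"),
        "theme": {"color": "#224466", "image": b"\x89PNG\r\n-constructed-"},
    }
}

SESSIONS = {}  # session token -> username; tokens exist only after a login


def login(username, password):
    """Return a fresh session token on success, None otherwise."""
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(_hash_password(password), user["password_hash"]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def personalization_for(token):
    """The only path that releases a user's colours and image.

    Without a valid session there is nothing to serve, so a copy of the page
    made without the user's session cannot reproduce the expected look.
    """
    username = SESSIONS.get(token)
    return None if username is None else USERS[username]["theme"]


def render_page(token):
    """Return the page body: themed for a live session, neutral otherwise."""
    theme = personalization_for(token)
    if theme is None:
        return "<body style='background:#ffffff'>Please sign in</body>"
    return f"<body style='background:{theme['color']}'>Welcome back</body>"
```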