[OpenID] PKI

Hallam-Baker, Phillip pbaker at verisign.com
Wed Jan 24 21:18:26 UTC 2007

Your point might be more credible if the community you refer to had not already demonstrated itself willing to trust their money to an unincorporated bank whose deposits are uninsured and whose operations depend on the account holder placing absolute trust in the bank proprietors, every possible avenue of legal recourse being intentionally rendered inoperative.

> -----Original Message-----
> From: James A. Donald [mailto:jamesd at echeque.com] 
> Sent: Wednesday, January 24, 2007 4:09 PM
> To: Hallam-Baker, Phillip
> Cc: Ka-Ping Yee; openid-general; heraldry-dev at incubator.apache.org
> Subject: Re: [OpenID] PKI
>      --
> Hallam-Baker, Phillip wrote:
>  > PKI is being successful at allowing users to identify  > 
> organizations. That is currently the most important  > task 
> in stopping phishing attacks where the phishing  > gang is 
> impersonating the bank.
> No it is not.
> For example, for a long time e-gold had certificate that 
> contained organization information that would have been 
> meaningless and surprising to most users, had they looked at 
> it, which obviously they did not, and for some time their 
> organization information pointed to an expired shell company.
> None of this had the slightest effect on their business.
> End users simply are not looking at the organization 
> information, and if they did, then in many cases they would 
> be surprised, confused, and misled.
>  > PKI is also used in a billion smart cards to  > 
> authenticate customers to their bank in the European  > Chip 
> and PIN scheme.
>  >
>  > These are billion dollar plus infrastructures that  > 
> secure trillions of dollars of trade annually. That is  > a 
> success.  There being no identity infrastructure  > 
> ubiquitously deployed in the Internet we cannot make  > any 
> conclusion as to the relative advantages of  > different 
> primary authentication schemes. The lack of  > such an 
> infrastructure to date appears to be due to  > lack of 
> perceived demand rather than lack of  > technology.
>  >
>  > The user authentication support in SSL was an  > 
> afterthought, the user experience miserably executed  > and 
> poorly thought out. CardSpace changes that.
> The user hostile experience is inherent in third party true 
> name idenfification.  Cardspace merely shifts the
> user hostility to a different part of the process.   Our
> primary reason to support proof of truename is to provide 
> proof of relationship, and true names are an inherently 
> clumsy way of doing his - hence the propensity of businesses 
> to concoct true names that are obscure and little known, and 
> the irritation of consumers when asked to provide proof of true name.
>      --digsig
>           James A. Donald
>       6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
>       dpcbOHXyE+NwMYsvDNWT1cB2r3j/EhswL1O9+CbO
>       4wm9LikXKHyU8FmdwiNVEkXLKiMSdNqphphWPecs1

More information about the general mailing list