Ben Laurie blathering

Get Real

Kim Cameron, bless him, manages to interpret one of my most diabolical hungover bits of prose ever. I am totally with him on the problem of pharming, but the reality is that the average Cardspace user authenticated with nothing better than a password (when they logged into Windows). Furthermore, if you are going to achieve portability of credentials, then you can either do it in dreamland, where all users carry around their oh-so-totally-secure bluetooth credential device, or you can do it in the real world, where credentials will be retrieved from an online store secured by a password. And yes, we’ll encourage people to make sure that’s a passphrase, and they don’t type it in in web cafes, and all that. And the corporate VPN types will use SAML and doohickeys with keypads. And maybe if they’re really smart the “online store” will actually be a USB stick and a backup split between a few of their best friends.

But we have a simple mission: protect that password.

If you believe the Cardspace UI can protect people’s credentials, then surely it can protect a password?

If it really can’t (that is, we cannot come up with UI that people will reliably identify and eschew all imitations), then how will we ever have a workable, scalable system that includes recovery of credentials after loss or destruction of their physical goods?

1 Comment

  1. [...] his latest post, I guess I got the gist of Ben Laurie’s proposal for using what I’ll call [...]

    Pingback by IdentityBlog - Digital Identity, Privacy, and the Internet's Missing Identity Layer — 26 Feb 2008 @ 19:15

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress