Kim Cameron and Dick Hardt are debating the pluses and minuses of OpenID and InfoCards. I agree with Kim that these are largely apples and oranges: sure, there is some use case overlap, but they are designed to solve different identity problems. One of the big advantages I see in InfoCards' approach, and one that is particularly valuable for medium- to high-assurance systems, is the flexibility to carry certain identity communications in band and others out of band. If you think about a lot of the security and privacy issues we see (phishing, MITM, session replay), many of them come down to single-band communications that, once breached, crumble (or worse, propagate the breach). SOAP's support for many different communication protocols and WS-Security's support for multiple token formats together create a useful enabling technology for security architectures: the ability to move portions of identity conversations in and out of different bands.
At the OWASP conference last spring, Andrew van der Stock described a large bank's design options for dealing with phishing. They wanted to move to two-factor authN. They looked at USB dongles, but they assessed that 2/3 of their customers' PCs had some malware on them, so they did not want to plug their "good stuff" (the dongle) into their customers' bad stuff. Instead they sent authZ codes via SMS to the customer's cellphone. "Perfect" security? No. A nice, incremental improvement over the current state? Ya sure, ya betcha.
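The bank's SMS authZ-code scheme, as an added example that is not from the post or the bank's own system: the code is derived server-side from the transaction details, leaves the bank only over the second channel, and is recomputed from the details that are actually about to execute, so a transaction altered by malware on the PC does not verify. The server key, the `send_sms` gateway callback, the 6-digit length and the 5-minute window are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed validity window for a delivered code


def _code_from(key: bytes, material: bytes, digits: int = 6) -> str:
    """Derive a short numeric code from an HMAC over the transaction material."""
    mac = hmac.new(key, material, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**digits).zfill(digits)


class OutOfBandAuthorizer:
    """Issues and checks SMS authZ codes bound to one transaction's details."""

    def __init__(self, server_key: bytes, send_sms, now=time.time):
        self._key = server_key       # server-side secret, never leaves the bank
        self._send_sms = send_sms    # the second channel (hypothetical SMS gateway)
        self._now = now
        self._pending = {}           # txn_id -> (nonce, issued_at)

    @staticmethod
    def _canonical(txn_id, account, payee, amount_cents, issued_at) -> bytes:
        return f"{txn_id}|{account}|{payee}|{amount_cents}|{issued_at}".encode()

    def start(self, txn_id, account, payee, amount_cents, phone) -> None:
        """Web session submits a transaction; the code leaves only via SMS."""
        nonce = secrets.token_bytes(16)
        issued_at = int(self._now())
        material = nonce + self._canonical(txn_id, account, payee, amount_cents, issued_at)
        self._pending[txn_id] = (nonce, issued_at)
        # The SMS restates what is being approved, so the customer can spot a
        # transaction that malware on the PC altered before it reached the bank.
        self._send_sms(phone, f"Code {_code_from(self._key, material)} to pay "
                              f"{payee} {amount_cents / 100:.2f} from {account}, ref {txn_id}")

    def finish(self, txn_id, account, payee, amount_cents, submitted_code) -> bool:
        """Recompute the code from the details actually being executed."""
        entry = self._pending.pop(txn_id, None)   # single use: a replayed code fails
        if entry is None:
            return False
        nonce, issued_at = entry
        if self._now() - issued_at > CODE_TTL_SECONDS:
            return False
        material = nonce + self._canonical(txn_id, account, payee, amount_cents, issued_at)
        expected = _code_from(self._key, material)
        # Constant-time compare; a code for a tampered payee or amount will not match.
        return hmac.compare_digest(expected, submitted_code)
```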