- From: Anders Rundgren <anders.rundgren@telia.com>
- Date: Wed, 15 Jun 2011 17:22:00 +0200
- To: Nico Williams <nico@cryptonector.com>
- CC: Yutaka OIWA <y.oiwa@aist.go.jp>, "KIHARA, Boku" <bkihara.l@gmail.com>, public-identity@w3.org, pgut001@cs.aucKland.ac.nz

On 2011-06-15 17:11, Nico Williams wrote:
> On Wed, Jun 15, 2011 at 10:08 AM, Anders Rundgren
> <anders.rundgren@telia.com> wrote:
>> Another alternative is using authentication methods where you only
>> (optionally) use local PINs which if snooped by an imitating UI
>> doesn't get the attacker very far, at least not on an Internet scale.
>
> Once you've got a credential manager integrated then this will
> typically be the case.
>
>> PKI is still the champ.
>
> I don't think PKI has an advantage here, except for smartcard support
> the crypto primitives (public key operations) needed for PKI.

W3C's WebID is a novel use of PKI that IMO gives OpenID a run for its money.

Regarding mutual authentication, it would be a piece of cake adding an X.509 extension containing sites/domains that the issuer grants usage with.

--
Anders

Received on Wednesday, 15 June 2011 15:22:37 UTC