Re: Security through kittens, was Solving password problems

2009-02-25 Thread RL 'Bob' Morgan
Clever though this scheme is, man-in-the-middle attacks make it no better than a plain SSL login screen. Since the bad guy knows what site you're trying to reach, he can use your usercode to fetch the shared secret from the real site and present it to you on his fake site. It's true, the

Re: Fixing SSL (was Re: Dutch Transport Card Broken)

2008-02-14 Thread RL 'Bob' Morgan
Imagine if a website could instruct your browser to transparently generate a public/private keypair for use with that website only and send the public key to that website. Then, any time that the user returns to that website, the browser would automatically use that private key to
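The two messages above describe opposite ends of the same problem: a shared-secret "site image" that a relaying man-in-the-middle can fetch with nothing more than the victim's username, and a per-site keypair that the browser keeps and never sends. The following simulation is an added example, not code from either thread or from any of the products mentioned. The origins, usernames and image name are made up, and the signature scheme is a toy Lamport one-time signature chosen only so the example runs with the standard library; a real browser would use ECDSA or Ed25519.

```python
"""Added example: a relaying MITM defeats a shared-secret site image but
not a browser keypair bound to the origin it was generated for.
All origins, users and file names below are constructed for the demo."""
import hashlib
import os
from typing import Dict, List, Tuple

REAL_ORIGIN = "https://bank.example"       # assumed genuine site
FAKE_ORIGIN = "https://bank-example.evil"  # assumed phishing site


# --- Scheme 1: personal image shown once the username is entered -------------
class ImageSite:
    """Genuine site: hands back the user's personal image for a username."""
    def __init__(self) -> None:
        self.secret_images: Dict[str, str] = {"alice": "kitten.png"}

    def image_for(self, username: str) -> str:
        # Anyone who knows the username can ask for the image: that is the flaw.
        return self.secret_images[username]


def phishing_relay_image(real: ImageSite, username: str) -> str:
    """Attacker: forward the victim's username to the real site and show the
    genuine image on the fake page, so the victim sees what they expect."""
    return real.image_for(username)


# --- Scheme 2: keypair generated by the browser for one origin only -----------
def lamport_keygen() -> Tuple[list, list]:
    """Toy one-time signature keypair (stand-in for ECDSA/Ed25519)."""
    priv = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pub = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in priv]
    return priv, pub


def lamport_sign(priv: list, msg: bytes) -> List[bytes]:
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [priv[i][(h >> (255 - i)) & 1] for i in range(256)]


def lamport_verify(pub: list, msg: bytes, sig: List[bytes]) -> bool:
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return all(hashlib.sha256(sig[i]).digest() == pub[i][(h >> (255 - i)) & 1]
               for i in range(256))


class Browser:
    """Keeps one keypair per origin; the private half never leaves it."""
    def __init__(self) -> None:
        self.keys: Dict[str, Tuple[list, list]] = {}

    def register(self, origin: str) -> list:
        priv, pub = lamport_keygen()
        self.keys[origin] = (priv, pub)
        return pub  # only the public key is sent to the site

    def sign_challenge(self, origin: str, challenge: bytes) -> List[bytes]:
        # Key selection is driven by the origin the browser is actually
        # connected to, not by anything the page claims about itself.
        if origin not in self.keys:
            self.register(origin)
        return lamport_sign(self.keys[origin][0], challenge)


class KeySite:
    """Genuine site: stores the enrolled public key and verifies challenges."""
    def __init__(self) -> None:
        self.registered: Dict[str, list] = {}

    def enroll(self, username: str, pub: list) -> None:
        self.registered[username] = pub

    def challenge(self) -> bytes:
        return os.urandom(32)

    def verify_login(self, username: str, challenge: bytes, sig: List[bytes]) -> bool:
        return lamport_verify(self.registered[username], challenge, sig)


def run_image_scheme_attack() -> bool:
    """True when the relayed image is the genuine one, i.e. the attack works."""
    real = ImageSite()
    return phishing_relay_image(real, "alice") == real.image_for("alice")


def run_keypair_scheme_attack() -> bool:
    """True when the real site accepts the relayed signature (it should not)."""
    real, browser = KeySite(), Browser()
    real.enroll("alice", browser.register(REAL_ORIGIN))  # honest enrolment earlier
    ch = real.challenge()                                # attacker fetches a real challenge
    sig = browser.sign_challenge(FAKE_ORIGIN, ch)        # victim signs on the fake origin
    return real.verify_login("alice", ch, sig)           # attacker forwards it


def run_keypair_scheme_honest() -> bool:
    """Control case: the same browser logging in at the genuine origin."""
    real, browser = KeySite(), Browser()
    real.enroll("alice", browser.register(REAL_ORIGIN))
    ch = real.challenge()
    return real.verify_login("alice", ch, browser.sign_challenge(REAL_ORIGIN, ch))


if __name__ == "__main__":
    print("image relay succeeds:", run_image_scheme_attack())      # True
    print("keypair relay succeeds:", run_keypair_scheme_attack())  # False
    print("honest keypair login:", run_keypair_scheme_honest())    # True
```

The keypair scheme only holds if the browser picks the key by the origin it has actually authenticated over TLS; if the attacker can present a certificate the browser accepts for the real origin, the binding collapses back to ordinary certificate trust.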

Re: Fixing SSL (was Re: Dutch Transport Card Broken)

2008-02-14 Thread RL 'Bob' Morgan
Is anyone aware of any third-party usability studies on CardSpace, OpenID, ...?). I'm not. It would be a good opportunity for security usability researchers to contribute though. [0] I'm not sure whether putting CardSpace and Liberty in such close proximity in the above line was a

Re: Chinese WAPI protocol?

2006-06-13 Thread RL 'Bob' Morgan
On Mon, 12 Jun 2006, David Wagner wrote: As far as I can tell, WAPI (the Chinese proposal) uses proprietary unpublished cryptographic algorithms. The specification is secret and confidential. It uses the SMS4 block cipher, which is secret and patented. [*] According to a legal friend who