I posted this on the InfoCard - Deep Architecture thread, but got no response.
---
| this whole concept sounds awesome, and very secure. and from what i gather no one can hack into my remote STS or my desktop and get my sensitive info. but one thing is missing: what keeps an attacker from creating a website that asks me for an infocard, and it requires the type that will tell them my SSN or other sensitive info? as an example, take something that is done today: i get an email from some spammer that says "this new great bank will pay you a zillion dollars for opening an account!" i click the link and go through the sign-up process, and up comes the infocard dialog. now as secure as this process is, this is still a bank (or so i think), so i have to send them the kind of infocard that will tell this particular "relying party" my SSN, mother's maiden name and so on. and so now i've just handed over all my sensitive info to some attacker. shouldn't there be some sort of authentication of the relying party, to make sure they are a legitimate business? |
---
anyone know if they will (or have) fixed this? because i see this whole concept as almost a whole new way of doing business on the internet.
Imagine, anyone who has an e-commerce site of any type will have to register with some authority, and purchase a "digital business license". that way, if some nut from Nigeria wants your credit info, InfoCard will inform you that this business does not have a license, and therefore you won't ever give away sensitive info to anyone who will use it maliciously.
or is this just too far-fetched?