Only in the latter case there can be a reasonable level of trust by the RP that the user is actually who he/she claims to be.
Well, it depends on just who the user is claiming to be. If they are claiming a specific identity (e.g. "I am the famous advice columnist Ann Landers") then I agree that self-asserted cards don't cut it - it could be Ann's copycat sister Pauline actually making the claim and the RP wouldn't be able to tell the difference.
But, if the user is making no claim to a specific identity, but merely just that they are the same as before, then self-asserted cards can of course provide real assurance to the RP (with normal caveats about stolen laptops).