Friday, October 26, 2007

Dear Abby

Gerry takes a hard-line on Cardspace assurance. Of self-asserted and managed cards respectively, Gerry writes:

Only in the later case there can be a reasonable level of trust by the RP that the user is actually who he/she claims to be

Well, it depends on just who the user is claiming to be. If they are claiming a specific identity, (e.g. "I am the famous advice columnist Ann Landers") then I agree that self-asserted cards don't cut it - it could be Ann's copycat sister Pauline actually making the claim and the RP wouldn't be able to tell the difference.

But, if the user is making no claim to a specific identity, but merely just that they are the same as before, then self-asserted cards can of course provide real assurance to the RP (with normal caveats about stolen laptops).

No comments: