“What it is saying that if you use this open system you can forget about log-in passwords and replace them with strong, certificate-based authentication techniques like smart cards.”

Bzzt. OpenID really doesn’t even touch on smartcards; it’s a URL based scheme with the additional of an identity provider. There’s no smart cards, there’s no certificates (well unless you count HTTPS certificates)

You have it right when OpenID is very open to phishing by its architecture. You must send a site your OpenID. It then redirects you to your identity provider so you can login. So, I can have a simple site which I say is protected by OpenID. You attempt to login and instead of directing you to your identity provider I direct you to my phishing site. Even better if I don’t have a phishing site prepared to look like your IP, well I know who it is, I can scrape in real time and fake it. CardSpace sits in the middle of this, acting as the login provider and getting details from the IP, reducing phishing potential greatly.

Additionally an identity provider can choose to issue a managed card which may be protected by a smartcard, if they wish. How exactly does this relate to chip & pin? Oh that’s right it doesn’t. Chip & Pin has been “hacked” with fake machines and a rather convoluted “submit transaction at exactly the same moment” attack. With your PC or Mac you are controlling it, you should know if it’s safe. Under Windows (and CardSpace isn’t just in Vista, but hey you’ve gotten it wrong so far, what’s another problem) CardSpace pops up in a “secure” desktop, so it’s going to be rather hard to subvert. There’s bugger all here driving smartcards as a necessity for CardSpace; that’s up to the managed card issuer, and your average every day blog ID provider is not going to ask all their users to go get hardware to login.

The only useful implementation can be, if used on a set range of known sites, which deal only with one know IDP. However this isn’t the ultimate goal of OpenID…It’s really becoming dangerous out there… ;-)

Bill Gates said: ‘Passwords are not only weak. Passwords have a huge problem. If you get more and more of them, the worse it is.

and then ask ‘do you believe this.’ I think it would be fair to say the OpenID community agrees with this and it is one of the reason they created OpenID in the first place to reduce the number of UserName/Passrods that folks have to manage.

With OpenID users get to choose the strength of authentication they want at their Identity Provider. CardSpace is one option they now will have explicitly available.

I see this announcement as positive and invite you to the next Internet Identity Workshop to meet the Microsoft Identity guys and the OpenID guys and contribute to the overall collaboration in the identity space.