Endpoint Protection

Identity Threats in Next Generation Protocols 

Feb 27, 2007 03:00 AM

Today most of the identity-oriented transactions on the Internet are done via plain old HTML forms and, if we're lucky, over SSL. And once again, something that seemed sufficient at first is showing strain as usage grows. HTML/HTTP ends up providing a pretty clumsy and inadequate way to do identity transactions. It offers a poor user experience and wasn't really designed with security in mind. This has contributed to much of the grief over fraud, phishing, etc. Our primary defense mechanism against such threats has historically been the SSL certificate, but we know users don't read those. We also know users don't look too carefully at URLs (even when they are not obfuscated). Some of the more risk-prone sites have resorted to different site-authentication gimmicks like image recognition, though these, too, seem to fail to improve the situation much.

The point is that we've reached a time when (finally) there seems to be enough pressure to drive us to adopt some better (or at least improved) methods of handling identity data. Certainly, we've seen this before, though most of the previous efforts have been very enterprise focused (which doesn't help the average guy trying to buy a camera off some Internet merchant or auction site). Two particular efforts seem to be gaining traction: Microsoft's Cardspace and an open effort called OpenID. These both provide significant improvements in usability and security model. It remains to be seen if they will be widely adopted and how well the design holds up against attack long term.

While a detailed security analysis of each of these efforts would be interesting, it's a little beyond the length of the average blog entry here. But it is educational to take a look at how each effort deals with the issue of site authentication. I think this is one of the key security considerations of any identity solution. Even if the system itself is very strong, once I decide to give my information to someone, I need to trust that it will be handled properly. To do that I need to know who I'm dealing with.

Cardspace uses extended validation certificates to address the problem of site authentication. The general notion of an EV cert is that more validation is done before it is issued, and that browsers will indicate whether an EV cert is present or not to guide the user. I don't really think this is going to solve the problem much, if at all. First, better validation is a trade-off. Stronger validation often ends up squeezing out the (legitimate) little guy. Yet, if you lower the requirements to accommodate a broader group, you open up the potential for the bad guys to more easily get certified. This has been pointed out by several people in the security community. It's also questionable whether users will even pay attention to the extended information. A recent paper suggests that it will offer little improvement.

In the OpenID model, there has been discussion of risks where a user connects to a malicious merchant who then basically phishes the credentials the user would present to their OpenID server. This would allow the phisher to later connect to other sites with the user's credentials. The core of this problem, of course, is the user's ability to authenticate the site (or at least the OpenID server). Last week at RSA there was an interesting announcement about OpenID and Cardspace working together. One thing this would allow is the use of Cardspace authentication between the user and the OpenID server. Because Cardspace authentication is not based on a simple username/password, it would not allow the phisher to capture and reuse authentication information. The general notion of moving away from user/pass would be a good thing, though we'll see how this gets implemented. This still doesn't solve the mutual authentication problem, but it does limit the damage that would be done in such a phish scenario.

Finally, I'm not sure we've really seen a good solution to the "site authentication" problem yet. Certainly moving away from user/pass and other easily captured credentials is a good step. But it still doesn't help me know who I'm talking to and if (or how much) I should trust them. I don't think EV certs are going to solve that problem. I think we'll need to do something more.
