Today most of the identity oriented transactions on the Internet are done via plain old HTML forms and, if we're lucky, over SSL. And once again, something that seemed sufficient at first, is showing strain as usage grows. HTML/HTTP ends up providing a pretty clumsy and inadequate way to do identity transactions. It offers a poor user experience and wasn't really designed with security in mind. This has contributed to much of the grief over fraud, phishing, etc. Our primary defense mechanism against such threats has historically been the SSL certificate, but we know users don't read those. We also know users don't look too carefully at URLs (even when they are not obsfucated). Some of the more risk prone sites have...
