Kim correctly observes that the browser is not the place to be typing your password. Indeed. I should have mentioned that.
Clearly any mechanism that can be imitated by a web page is dead in the water. Kim also wants to rule out plugins, I take it, given his earlier reference to toolbar problems. I’m OK with that. We want something that only a highly trusted program can do. That’s been so central to my thinking on this I forgot to mention it. Sorry.
This sounds really positive. Now, just so I don't end up with a different security product from every big web site, I hope Ben's work will include integration with the CardSpace framework. I'm certainly open to discussions about ways we might evolve CardSpace to facilitate this.