Google's Ben Laurie bookends our dialog (work back from here) with a really clear statement:
"Kim correctly observes that the browser is not the place to be typing your password. Indeed. I should have mentioned that.
"Clearly any mechanism that can be imitated by a web page is dead in the water. Kim also wants to rule out plugins, I take it, given his earlier reference to toolbar problems. I’m OK with that. We want something that only a highly trusted program can do. That’s been so central to my thinking on this I forgot to mention it. Sorry."
This sounds really positive. Now, just so I don't end up with a different security product from every big web site, I hope Ben's work will include integration with the CardSpace framework. I'm certainly open to discussions about ways we might evolve CardSpace to facilitate this.
Hey Now Kim,
Interesting point that I didn't think of before. We shouldn't type passwords in browsers. It may be quite some time before this happens.
Thx 4 the info,
Catto