Add to that the effort required to attack a website that uses it in an automated
fashion when the website uses JavaScript to invoke the selector, and the cost
would certainly be prohibitive by many orders of magnitude.
Even with the advent of farms of low-wage workers in disadvantaged countries
solving graphical CAPTCHAs for mere fractions of a cent per click for spam purposes,
CardSpace has an additional mitigation: the tokens coming from a single
card to a relying party carry the same Private Personal Identifier (PPID)
and card issuer's public key, so the relying party can recognize repeated use of
one card. The phraud-farmhand would need to constantly create new cards, a process
that is far from instantaneous and, thanks to the protected desktop that CardSpace
executes in, extremely difficult to automate.
Final answer: Maybe.
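The mitigation above rests on the relying party being able to tell that several tokens came from the same card. The following is an added example, not code from the book or from CardSpace itself: it binds the PPID to the issuer's public key to form a stable per-card identifier, then rate-limits submissions per card inside a sliding window. It assumes the token has already been parsed and its signature verified, so the PPID claim and the issuer key arrive as a plain string and plain bytes; the SHA-256 combination, the window, the threshold and the sample submissions are all this example's own constructions.

```python
"""Added example (not from the book): per-card identification and rate
limiting on a relying party, built from the PPID and the issuer's public key.

Assumptions: token parsing and signature verification have already happened;
the PPID claim is a str and the issuer public key is raw bytes.  The SHA-256
combination, the 60-second window and the limit of 3 uses are arbitrary
choices for demonstration, not CardSpace's specification.
"""
import base64
import hashlib
from collections import defaultdict, deque

# Constructed sample input: (ppid, issuer public key bytes, submission time in
# seconds).  The short key bytes stand in for an issuer's RSA public key as it
# appears in the token; real keys are far longer.
SAMPLE_SUBMISSIONS = [
    ("ppid-A", b"issuer-key-1", 0.0),
    ("ppid-A", b"issuer-key-1", 1.0),
    ("ppid-A", b"issuer-key-1", 2.0),
    ("ppid-A", b"issuer-key-1", 3.0),    # fourth use of one card inside the window
    ("ppid-A", b"issuer-key-2", 4.0),    # same PPID string, different issuer key
    ("ppid-B", b"issuer-key-1", 5.0),    # different card from the same issuer
    ("ppid-A", b"issuer-key-1", 200.0),  # same card again after the window expired
]


def card_identifier(ppid: str, issuer_public_key: bytes) -> str:
    """Derive a stable identifier that is unique per (issuer key, PPID) pair.

    Hashing the key together with the PPID means a PPID string that happens to
    repeat under a different issuer key yields a different identity.  The key
    is length-prefixed so the two fields cannot be re-split ambiguously.
    """
    h = hashlib.sha256()
    h.update(len(issuer_public_key).to_bytes(4, "big"))
    h.update(issuer_public_key)
    h.update(ppid.encode("utf-8"))
    return base64.urlsafe_b64encode(h.digest()).decode("ascii")


class CardRateLimiter:
    """Sliding-window counter keyed by card identifier."""

    def __init__(self, max_uses: int, window_seconds: float):
        self.max_uses = max_uses
        self.window = window_seconds
        self.history = defaultdict(deque)  # card id -> timestamps in window

    def check(self, ppid: str, issuer_public_key: bytes, now: float):
        """Record one submission; return (card id, True if over the limit)."""
        cid = card_identifier(ppid, issuer_public_key)
        uses = self.history[cid]
        while uses and now - uses[0] > self.window:  # drop expired entries
            uses.popleft()
        uses.append(now)
        return cid, len(uses) > self.max_uses


def run_sample(max_uses: int = 3, window_seconds: float = 60.0):
    """Feed the constructed submissions through the limiter in order."""
    limiter = CardRateLimiter(max_uses, window_seconds)
    return [limiter.check(p, k, t) for p, k, t in SAMPLE_SUBMISSIONS]


if __name__ == "__main__":
    for (ppid, key, t), (cid, flagged) in zip(SAMPLE_SUBMISSIONS, run_sample()):
        print(f"t={t:6.1f} {ppid} {key.decode()} -> {cid[:12]}... flagged={flagged}")
```

In the sample, only the fourth submission from the first card is flagged: the fifth carries the same PPID string but a different issuer key and is treated as a separate card, and the last one arrives after the window has expired. A spammer therefore cannot simply replay one card; each new identity costs a fresh card created through the protected desktop.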
274 Guidance for a Relying Party
Putting CardSpace to Work
Internet applications and websites are as varied in style and
execution as they are in the content they provide. It is a trivial
exercise to visit a dozen different websites and find a dozen
different ways to authenticate. Although each website is certainly
entitled to design from the ground up how authentication
is presented, there are nonetheless consistent patterns and practices
that users have come to rely upon.