[wsf-dev] ECP test harness
Cahill, Conor P
conor.p.cahill at intel.com
Sat Mar 15 06:17:48 PDT 2008

> Maybe. I have never seen a client or talked to anybody that built one.

I think there were a few parties who wrote a LECP. I'm checking with
the parties I think were involved to see if I can bring them into this
discussion.

> I always assumed, though, that as with Cardspace, the way to do ECP was to
> create a uniform interface to collect the password rather than just
> pass-thru existing pages. I realize that it takes more than that to stop
> phishing, and that doing it in user-space isn't really an answer, but I
> assumed part of the point was to make some progress at least.
>
> Taking that idea a bit farther, I could imagine encrypting the credentials
> using the key in the IdP's metadata to bypass any use of commercial SSL as a
> means to verify the identity of the IdP site, etc.
>
> That's the sort of stuff I always had in my head when thinking about ECP.
> Maybe that was part of my problem.

The issue with changing to this model is that you lock yourself into text
based authentication protocols. The redirect-the-browser model allows you
to support any authentication model supported by the IdP through the browser
(yes, the basic of those would be text based, but I could also see additional
models supported with browser plugins as well).

That said, I do see a Cardspace-like model as the future for ECP-type
implementations and would like to see Cardspace (or at least the Identity
Selector Protocols) supported with documented authentication protocols
beyond username/password and certificate (which I think are currently
the only ones supported).

Conor