The problem to be solved is this. Spoofed sites can acquire user credentials, especially passwords, and then use those to impersonate the user on the real sites. With paypal and e-gold, this allows stealing real money. Using client certificates to authenticate would solve this, because even if the user got fooled and authenticated to the spoofed site, the attacker wouldn't learn the client cert secret key and so would not be able to masquerade as the user. The problem (among others) is that this allows a virus to steal the client cert. If it is protected by a password, the malware must hang around long enough for the user to unlock the cert (perhaps because the malware sent a spoofed email calling for the user to visit the site, even the real site!). It can then read the user's keystrokes and acquire the password. Now it has the cert and password and can impersonate the user at will. The solution to this is Palladium (NGSCB). You'd want each ecommerce site to download a Nexus Computing Agent into the client. This should be no more difficult than downloading an Active-X control or some other DLL. The NCA has a manifest file associated with it that contains the ecommerce site's signing key. This allows the NCA to be effectively locked to that key. The user's site-specific client certificate would be sealed to this NCA. That means that no other NCA could get access to the client cert for that site, nor could any legacy software. All this is protected by the Palladium hardware and software. If a password is used for further security, to unlock the client cert (in addition to the NCA-specific encryption), it can use a secure channel to the NCA so that no keystroke loggers can steal the password. (However, as mentioned in a previous mail, this may not stop rogue NCA's from fooling the user by pretending to be the ecommerce site's NCA and picking up the password. It's not clear that adding a password really increases security. Fortunately the NCA security itself is already vastly stronger than anything available on a PC today.) In short, if Palladium comes with the ability to download site-specific DLLs that can act as NCAs, it should allow for solving the spoofed-site problem once and for all. When you login to paypal or e-gold, you would authenticate yourself using a cert that only those sites could see. This can be done in the framework of standard SSL, but would require a Palladium-aware browser.