Insecurity of Cardspace ?

A couple of days ago, I was came across an article that claimed to expose insecurity in Microsoft Cardspace. The site listed steps like waiting for 'x' seconds before performing the actual attack. Reading the detailed steps in the paper explain the attack completely.
In my humble opinion, the attack discussed on the web site could not be called a serious attack.

This has more to do with the "philosophy" and implementation of browser's same-origin policy rather than Cardspace on the whole.

In the attack, we are required to
  1. Poison the DNS server so that the RP URL points to both legit IP and attacker IP. This in itself is a non-trivial task. (Pharming)
  2. Then they fetch the real RP login page by cleaning the DNS poison they set. i.e. they have only the legit entry of RP URL pointing to legit IP.
  3. Since the user already is on the attacker page, the attacker can play around with the target and action attributes of the form. Technically, once the DNS is poisoned so well, we could simply put a phished page and receive the token.
There are many caveats in this attack. Firstly, DNS poisoning is not trivial. If the RP dose not have a valid certificate, the attack does not work. IMHO, this has more to do with the browser's same-origin policy rather than cardspace; cardspace just reuses the same-origin policy from the browser.
Hence, as of today, I would still consider the protocol to be secure, whether or not is it usable. The secure desktop could server as a universal authentication module, permitting other forms of authentication as well.