
Re: WHY USING FACEBOOK, GOOGLE, AND TWITTER TO LOG INTO APPS IS A PROBLEM

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Wed, 17 Jun 2015 17:04:47 +0200
Message-ID: <CAKaEYhK6RGpZW4vnNZ7+vFnKavWqfOmv4tXOXcRR5zDRAi6w+Q@mail.gmail.com>
To: Joerg.Heuer@telekom.de
Cc: Eric Korb <eric.korb@accreditrust.com>, W3C Credentials Community Group <public-credentials@w3.org>

On 17 June 2015 at 16:57, <Joerg.Heuer@telekom.de> wrote:

> +1 to definitely not aim at storing credentials in the browser. I’d like
> to use different browsers on different platforms – and have them synced if
> I may…
>

That's a design decision and people will have different preferences.  It's
really important not to impose personal preferences onto others, here.
Mozilla tried to do this and that's one reason Persona failed to become a
standard.

Estonia solves this quite neatly with the e-citizen program by using a card
reader.  The browsers have the ability to store credentials externally,
which is a nice feature.

It seems to have worked very well.  Once Finland operates this, both Belgium
and Holland have digital ID schemes in the world.  I think Estonia/Finland
is the most advanced.  There will be mounting pressure IMHO on Denmark,
Norway, Sweden and then Germany to innovate:

https://www.youtube.com/watch?v=L4J5yeyGu1A

It's been a huge win for Estonia to date.

Adding the online national census capability cost only the census software,
less than €10K, because the infrastructure was already in place.

Compare the US: The 2010 census cost $13 billion, approximately $42 per
capita


>
>
> *From:* Timothy Holborn [mailto:timothy.holborn@gmail.com]
> *Sent:* Wednesday, 17 June 2015 16:52
> *To:* Eric Korb; Melvin Carvalho
> *Cc:* Credentials Community Group
> *Subject:* Re: WHY USING FACEBOOK, GOOGLE, AND TWITTER TO LOG INTO APPS
> IS A PROBLEM
>
>
>
> (Can't respond inline on Google inbox, as far as I can tell...)
> Re: credentials in the browser.
> So,
> How do you reset your TLS cert? Say, for nanna...
> Are you suggesting you think credentials are unnecessary?
> What's the difference between trusting a data space service with your data
> vs. your credential access support?
> Do you think it's global or go home; or,
> Should every legal entity (and/or bot/agent) be able to "mint" a
> "credential", and what happens if your computer is stolen, or fails, or
> someone else is using your account on your computer?
> How does it support isolation of roles/persona?
> Communities at all levels share and disagree on an array of values. From
> images relating to local laws on nudity or gun licensing, to the cost of
> education.
> Who says one ring should rule them all...
>
>
>
> On Thu, 18 Jun 2015 at 12:17 am, Melvin Carvalho <melvincarvalho@gmail.com>
> wrote:
>
> On 17 June 2015 at 14:23, Eric Korb <eric.korb@accreditrust.com> wrote:
>
> Interesting article.
>
>
>
>
> http://www.fastcompany.com/3044280/one-more-thing/the-ghosts-of-app-permissions-past
>
>
>
> Yep, it used to be even worse.  They used to phish your password:
>
> http://microformats.org/wiki/social-network-anti-patterns
>
> Mozilla Persona still does this.
>
> I prefer to keep credentials in the browser.  This can be done today with
> X.509 or the web crypto API.
>
>
>
>
>
> ----------------------------------
>
> Eric Korb, President/CEO - accreditrust.com <https://www.accreditrust.com>
>
>
Received on Wednesday, 17 June 2015 15:05:16 UTC
