Re: WHY USING FACEBOOK, GOOGLE, AND TWITTER TO LOG INTO APPS IS A PROBLEM

From: Timothy Holborn <timothy.holborn@gmail.com>
Date: Wed, 17 Jun 2015 15:44:55 +0000
Message-ID: <CAM1Sok1EgnanyhquZbH8W4fLNpZtDNvVBTuppsWude4mHv1zvw@mail.gmail.com>
To: Joerg.Heuer@telekom.de, Melvin Carvalho <melvincarvalho@gmail.com>
Cc: Eric Korb <eric.korb@accreditrust.com>, W3C Credentials Community Group <public-credentials@w3.org>

Examples?

On Thu, 18 Jun 2015 at 1:43 am, Melvin Carvalho <melvincarvalho@gmail.com>
wrote:

> On 17 June 2015 at 17:11, <Joerg.Heuer@telekom.de> wrote:
>
>> Okay, let’s formulate my remark more correctly: It should be possible to
>> store credentials outside of the browser, explicitly to allow for these
>> different preferences. No problem with browsers implementing the same
>> functionality. In essence we are talking about portability now.
>>
>
> Yes, I think that's the case.  And people are doing this already in a
> variety of ways.
>
>
>>
>>
>> *From:* Melvin Carvalho [mailto:melvincarvalho@gmail.com]
>> *Sent:* Wednesday, 17 June 2015 17:05
>> *To:* Heuer, Jörg
>> *Cc:* Eric Korb; W3C Credentials Community Group
>>
>> *Subject:* Re: WHY USING FACEBOOK, GOOGLE, AND TWITTER TO LOG INTO APPS
>> IS A PROBLEM
>>
>>
>> On 17 June 2015 at 16:57, <Joerg.Heuer@telekom.de> wrote:
>>
>> +1 to definitely not aim at storing credentials in the browser. I’d like
>> to use different browsers on different platforms – and have them synced if
>> I may…
>>
>>
>>
>> That's a design decision and people will have different preferences.
>> It's really important not to impose personal preferences onto others,
>> here.  Mozilla tried to do this and that's one reason Persona failed to
>> become a standard.
>>
>> Estonia solves this quite neatly with the e citizen program by using a
>> card reader.  The browsers have the ability to store credentials
>> externally, which is a nice feature.
>>
>> It seems to have worked very well.  Once Finland operate this, both
>> Belgium and Holland have digital id schemes in the world.  I think
>> Estonia/Finland is the most advanced.  There will be mounting pressure IMHO
>> on Denmark, Norway, Sweden and then Germany to innovate:
>>
>> https://www.youtube.com/watch?v=L4J5yeyGu1A
>>
>> It's been a huge win for Estonia to date
>>
>> Adding the online national census capability cost only the census
>> software, less than €10K, because the infrastructure was already in place
>>
>> Compare the US: The 2010 census cost $13 billion, approximately $42 per
>> capita
>>
>> *From:* Timothy Holborn [mailto:timothy.holborn@gmail.com]
>> *Sent:* Wednesday, 17 June 2015 16:52
>> *To:* Eric Korb; Melvin Carvalho
>> *Cc:* Credentials Community Group
>> *Subject:* Re: WHY USING FACEBOOK, GOOGLE, AND TWITTER TO LOG INTO APPS
>> IS A PROBLEM
>>
>>
>>
>> (Can't respond inline on Google inbox, as far as I can tell...)
>> Re: credentials in the browser.
>> So,
>> How do you reset your TLS cert? Say, for nanna...
>> Are you suggesting you think credentials are unnecessary?
>> What's the difference between trusting a data space service with your
>> data vs. your credential access support.
>> Do you think it's global or go home; or,
>> Should every legal entity (and/or bot/agent) be able to "mint" a
>> "credential", and what happens if your computer is stolen, or fails, or
>> someone else is using your account on your computer.
>> How does it support isolation of roles/persona.
>> Communities at all levels share and disagree on an array of values. From
>> images relating to local laws on nudity or gun licensing, to the cost of
>> education.
>> Who says one ring should rule them all...
>>
>>
>>
>> On Thu, 18 Jun 2015 at 12:17 am, Melvin Carvalho <
>> melvincarvalho@gmail.com> wrote:
>>
>> On 17 June 2015 at 14:23, Eric Korb <eric.korb@accreditrust.com> wrote:
>>
>> Interesting article.
>>
>>
>>
>>
>> http://www.fastcompany.com/3044280/one-more-thing/the-ghosts-of-app-permissions-past
>>
>>
>>
>> Yep, it used to be even worse.  They used to phish your password:
>>
>> http://microformats.org/wiki/social-network-anti-patterns
>>
>> Mozilla Persona still does this.
>>
>> I prefer to keep credentials in the browser.  This can be done today with
>> X.509 or the Web Crypto API.
>>
>> ----------------------------------
>>
>> Eric Korb, President/CEO - accreditrust.com
>> <https://www.accreditrust.com>
>>
>>
>>
>
Received on Wednesday, 17 June 2015 15:45:33 UTC