Re: Solutions to the NASCAR problem?

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Mon, 23 Nov 2015 19:14:18 +0100
To: David Chadwick <d.w.chadwick@kent.ac.uk>, public-credentials@w3.org
Message-ID: <5653577A.7000601@gmail.com>

On 2015-11-23 17:47, David Chadwick wrote:
>
<snip>
>> Agreed.  I was actually referring to "my model" where key metadata plays a
>> major role.  A scaled-down version of this can be found in this one-page
>> doc:
>> http://webpki.org/papers/decentralized-payments.pdf
>> The certificate could surely be replaced by an account-ID, but I'm
>> old-school you know :-)
>>
>
> Your model is similar to mine, but is dealing with a step after mine has
> completed.

To me they look pretty different.  There's no "before-step" in my model.

When you have received your virtual credit-card, you can start shopping
wherever you want.

> Mine deals with presenting a credential/assertion, then
> stops. FIDO already has a process for OKing a transaction.
> Comparing our models, your wallet is my authz module, your cert is
> replaced by a FIDO key pair, so no identity is associated with the
> public key.

I still don't understand how your (per/site) credential bootstrap
process works from a user's perspective.

> The web site sends its authz policy to the wallet/authz module and it
> compares this to the credentials held by the user. It either presents
> matching ones for the user to choose between (more than one match) or
> consent to (exactly one match) or say Sorry you cannot proceed
> (insufficient credentials).

I think I have got that.

Regards,
Anders

>
> regards
>
> David
>>
>>> Usability is always hard to get right, but we have experimented with a
>>> GUI for over a year and think it is intuitive and easy to use.
>>
>> *This* is the thing I'm interested in.  How is the consumer key sent to
>> the issuer from a user perspective?
>>
>>
>>> I am not aware of any additional security issues with this scheme that
>>> are not always present when users and technology are involved.
>>
>> You're probably right :-)
>>
>> Regards
>> Anders
>>>
>>> regards
>>>
>>> David
>>>>
>>>> Regards
>>>> Anders
>>>>
>>>>>
>>>>> regards
>>>>>
>>>>> David
>>>>>>
>>>>>> Anders
>>>>>>
>>>>
>>>>
>>
>>
Received on Monday, 23 November 2015 18:14:56 UTC