W3C home > Mailing lists > Public > public-identity@w3.org > June 2012

Re: NSTIC and Passwords

From: Anders Rundgren <anders.rundgren@telia.com>
Date: Sun, 10 Jun 2012 18:44:43 +0200
Message-ID: <4FD4CEFB.6080309@telia.com>
To: public-identity@w3.org, Henry Story <henry.story@bblfish.net>
On 2012-06-10 08:15, Henry Story wrote:
> On 10 Jun 2012, at 08:03, Anders Rundgren wrote:
>> http://news.cnet.com/8301-1009_3-57450025-83/linkedin-posts-update-on-password-leaks
>> It is (to me at least) pretty obvious that NSTIC [1] won't get far unless the technology for authenticating on the Internet takes another major step forward!
> I recently argued that one could use WebID for eCommerce in this presentation 
> given at the European Identity conference
>    http://bblfish.net/blog/2012/04/30/

I'm not sure exactly what use-cases NSTIC wants to address but eCommerce
seems to split into two lanes, pre-paid and invoiced.  WebID doesn't
address pre-paid since this is not about identity but about payments.
An exception could be PayPal which is like a virtual bank account.

Does WebID address invoiced (B2B-like) eCommerce?  Presumably it could.

My personal interest is moving the traditional on-line bank and on-line
payment scenarios into the 21st century.  3D Secure was a great idea
that didn't work well in practice because "banks do not do browsers".
Revamping Microsoft's Information Cards by blending them with a new
client-side PKI implementation, an enhanced 3D Secure could be as
convenient and secure as local payments using EMV-cards:
After selecting the proper card based on their card image, typing in
a short PIN-code is all that's needed to carry out the transaction.

The cards will though be in the phone because the PC has (since long)
run out of gas as a vehicle for innovation. Yes!  We need yet another
protocol; the phone/PC slave mode.  Previous experiments like emulating
a remote PKCS #11 interface in the phone were IMO conceptually wrong
because a phone is not a smart card; it is a stack of super-smart cards :-)

As I have said numerous times before, going for low-hanging fruit like
WebID is not a bad idea but WebID doesn't invalidate taking firm grip
on the entire infrastructure either...


>> Related: Internet payments using credit-cards still rely on "User IDs" (Card Numbers) and "Passwords" (CCVs) printed in clear on the cards.
>> Since giant players like FB and LinkedIn as well as the international banking community apparently can't fix this, one wonders how a somewhat obscure government program like NSTIC intends dealing with
>> this gaping hole in the arsenal.
>> Anders
>> 1] http://www.nist.gov/nstic
> Social Web Architect
> http://bblfish.net/
Received on Sunday, 10 June 2012 16:45:32 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:00:48 UTC