W3C home > Mailing lists > Public > public-identity@w3.org > June 2012

Re: NSTIC and Passwords

From: Henry Story <henry.story@bblfish.net>
Date: Sun, 10 Jun 2012 20:16:30 +0200
Cc: public-identity@w3.org
Message-Id: <9E2C8A97-6D74-4C0E-9D1A-22D84F9FD7F4@bblfish.net>
To: Anders Rundgren <anders.rundgren@telia.com>

On 10 Jun 2012, at 18:44, Anders Rundgren wrote:

> On 2012-06-10 08:15, Henry Story wrote:
>> 
>> On 10 Jun 2012, at 08:03, Anders Rundgren wrote:
>> 
>>> http://news.cnet.com/8301-1009_3-57450025-83/linkedin-posts-update-on-password-leaks
>>> 
>>> It is (to me at least) pretty obvious that NSTIC [1] won't get far unless the technology for authenticating on the Internet takes another major step forward!
>> 
>> I recently argued that one could use WebID for eCommerce in this presentation 
>> given at the European Identity conference
>> 
>>   http://bblfish.net/blog/2012/04/30/
> 
> I'm not sure exactly what use-cases NSTIC wants to address but eCommerce
> seems to split into two lanes, pre-paid and invoiced.  WebID doesn't
> address pre-paid since this is not about identity but about payments.
> An exception could be PayPal which is like a virtual bank account.
> 
> Does WebID address invoiced (B2B-like) eCommerce?  Presumably it could.

yes, and the presentation explains how one can also use linked data to create
trust in commercial web sites such as banks, shops (small and big), 
universities, and other web sites in a distributed way. This is a key missing
piece in TLS and X509 certificates currently.


> 
> My personal interest is moving the traditional on-line bank and on-line
> payment scenarios into the 21st century.  3D Secure was a great idea
> that didn't work well in practice because "banks do not do browsers".
> Revamping Microsoft's Information Cards by blending them with a new
> client-side PKI implementation, an enhanced 3D Secure could be as
> convenient and secure as local payments using EMV-cards:
> After selecting the proper card based on their card image, typing in
> a short PIN-code is all that's needed to carry out the transaction.
> 
> The cards will though be in the phone because the PC has (since long)
> run out of gas as a vehicle for innovation. Yes!  We need yet another
> protocol; the phone/PC slave mode.  Previous experiments like emulating
> a remote PKCS #11 interface in the phone were IMO conceptually wrong
> because a phone is not a smart card; it is a stack of super-smart cards :-)
> 
> As I have said numerous times before, going for low-hanging fruit like
> WebID is not a bad idea but WebID doesn't invalidate taking firm grip
> on the entire infrastructure either...

yes, WebID is not exclusive for sure. I just hope that they take into
account the types of possibilities made available by linked data based
identity  and tryst schemes.

> 
> Anders
> 
>> 
>> 
>> 
>>> 
>>> Related: Internet payments using credit-cards still rely on "User IDs" (Card Numbers) and "Passwords" (CCVs) printed in clear on the cards.
>>> 
>>> Since giant players like FB and LinkedIn as well as the international banking community apparently can't fix this, one wonders how a somewhat obscure government program like NSTIC intends dealing with
>>> this gaping hole in the arsenal.
>>> 
>>> Anders
>>> 
>>> 1] http://www.nist.gov/nstic
>>> 
>>> 
>> 
>> Social Web Architect
>> http://bblfish.net/
>> 
>> 
>> 
> 

Social Web Architect
http://bblfish.net/
Received on Sunday, 10 June 2012 18:17:02 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 10 June 2012 18:17:02 GMT