Re: [W3C Web Crypto WG] Rechartering discussion - Gemalto contribution

On Mon, Feb 2, 2015 at 1:54 PM, Siva Narendra <siva@tyfone.com> wrote:

> Ryan -- if we are able to collaborate and come up with a web
> implementation architecture that not only encompassed FIDO, but also
> equally viable standards such as PIV Derived Credentials [1] and EMV
> Tokenization [2]....and such standards to come in other industries, will
> you be supportive of it? Or, you do not want to support anything other than
> FIDO?
>
> Same question for Anders and Brad.
>
> Best,
> Siva
>
> [1] http://www.nist.gov/manuscript-publication-search.cfm?pub_id=914530
> [2] http://www.emvco.com/specifications.aspx?id=263
>
>
Siva,

I'll echo what I've said publicly for the last three years:
- If a proposal is put forward that can reasonably consider the Web
Security model and fit within the privacy goals, it will be considered.

You've put forward a false dichotomy by suggesting it's "FIDO or legacy".

Without evaluating [1] or [2], if they cannot or do not fit the web
security model, then unquestionably, I oppose and will continue to oppose
them. FIDO respects these goals - and was designed with them first and
foremost in mind - so it absolutely deserves consideration.

There has yet to be a proposal that demonstrates how [1] or [2], or any of
the other legacy APDU systems, can be done in a way that preserves and
respects security and privacy at the right layer (the origin). So
naturally, I see no reason to block FIDO from being exposed, especially
when three years have passed - in which time FIDO was written, implemented,
and made mass-market available - while no such earnest efforts appear to
have happened for legacy.

Received on Monday, 2 February 2015 21:59:56 UTC