Re: A Somewhat Critical View of SOP (Same Origin Policy)

>
>
> are you telling me that FIDO is good strong authentication and keygen
> bad strong authentication?


I don't think you'll find any fans of passwords in this thread.  Public key
authentication is a good idea, but not all ways to use public keys are
equally workable.  <keygen> and client certificates in general have been
around for a long time and have failed to gain any substantial traction,
for a lot of reasons.  I'm not particularly invested in it going away, it
actually doesn't concern me much, but if almost no applications want to use
it, and browsers don't want to keep it around, maybe it's because it's bad?
 (and not because they're conspiratorially acting in bad faith as has been
repeatedly imputed by everyone from TimBL on down)

I think FIDO can live alongside other approaches, but do think that FIDO is
better because a lot of folks, myself included, spent a lot of time and
effort designing it as a way of using public keys for strong authentication
that emphasizes user choice, safety, and privacy, that aligns well with the
rest of the security and privacy features of both the web and the most
common mobile platforms, and which respects and works well with what we've
learned about the architecture and operation of the web at a large scale
over the last 25 years. I think that work deserves a fair assessment based
on what it really is and does, so I'm mostly in this thread to correct
misinformation and misapprehensions about it.

Received on Wednesday, 16 September 2015 17:14:16 UTC