Re: FIDO versus X.509 (was <keygen>)

If you want to track users, it makes more sense to centralise this (i.e.
run an IdP) than to distribute it (i.e. require each visited site to
collude together to compare user attributes)

regards

David

On 06/09/2015 09:20, Anders Rundgren wrote:
> The FIDO advocates (which nowadays includes the W3C staff) claim that
> FIDO Alliance schemes preserve privacy by building on "The Only True Web
> Security Model" (SOP), which indeed isolates domains from each other.
> HTTPS client certificates OTOH do not support this concept [1] and can
> thus be shared with any number of independent domains.
> 
> The latter is considered privacy-impeding (it supports tracking), which
> is the primary reason why it is deprecated (but still working).
> 
> A thing the FIDO folks tend not to talk about is the fact that most
> people are moderately fond of having to register at each new site they
> visit.  And if they do, they typically need a verified e-mail address.
> However, after this step, the privacy advantage of FIDO is more or less
> gone, since an e-mail address is nothing but a static Globally Unique ID
> which can be searched for as well.
> 
> But there's more to this.  Having to verify an e-mail address raises the
> bar to customer acceptance for web sites, so it makes sense to use an
> IdP instead, right?  Now we have built a system where a single party not
> only provides unified identities to any number of independent sites, but
> also knows where we've been.
> 
> Note: This should NOT be considered "dissing" FIDO (only setting the
> record straight), because the FIDO Alliance has succeeded in creating a
> standard for low-cost, browser-compatible security tokens, while the
> traditionalists (X.509) have been focusing on $200+ per seat card
> solutions for governments.  This is also a reason why X.509
> authentication on the Web hasn't gotten any attention worth mentioning:
> governments care about neither costs nor convenience, and whether it
> works for other people is also a non-issue.  NIST has now joined FIDO...
> 
> Cheers,
> Anders Rundgren
> 
> [1] Although the CA filtering capability is useful, it addresses another
> issue: credential selection.
> 
> 

Received on Tuesday, 8 September 2015 12:31:04 UTC
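The quoted message contrasts three identifiers a site can end up holding: a FIDO credential scoped to one origin, a client certificate presented unchanged everywhere, and a verified e-mail address. The following is an added example (not code from the thread, the W3C, or any FIDO Alliance project) that models those three cases so the linkability difference can be checked rather than argued. The group parameters, the HMAC-based per-origin key derivation, the Schnorr-style signature, and all names (`FidoAuthenticator`, `ClientCertificate`, `bank.example`, `shop.example`, the e-mail address) are assumptions made for illustration; real authenticators use P-256 or EdDSA and vendor-specific key-wrapping, but the property shown (one key per RP ID versus one key for all sites) is the same.

```python
"""Toy model of origin-scoped FIDO credentials vs. a shared client certificate.

Added example, not code from the thread or any FIDO/W3C project.  The group,
key derivation and signature scheme below are deliberate simplifications.
"""
import hashlib
import hmac
import secrets

# Assumed toy multiplicative group: a small Mersenne prime so values stay short.
P = 2**127 - 1
G = 3
Q = P - 1          # exponents reduce mod P-1 (Fermat); toy only, not prime order


def _h(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


class FidoAuthenticator:
    """One device secret; every relying party (RP ID) gets its own key pair."""

    def __init__(self, device_secret: bytes) -> None:
        self._secret = device_secret

    def _private_key(self, rp_id: str, credential_id: bytes) -> int:
        # Per-origin scalar: derived from the device secret AND the RP ID, so two
        # sites never see the same public key (assumed derivation, not a real vendor scheme).
        mac = hmac.new(self._secret, rp_id.encode() + credential_id, hashlib.sha256).digest()
        return int.from_bytes(mac, "big") % Q or 1

    def register(self, rp_id: str):
        """Return (credential_id, public_key) scoped to rp_id."""
        credential_id = secrets.token_bytes(16)   # random nonce doubles as the handle here
        return credential_id, pow(G, self._private_key(rp_id, credential_id), P)

    def sign(self, rp_id: str, credential_id: bytes, challenge: bytes):
        """Schnorr-style signature over (rp_id, challenge), bound to the origin."""
        d = self._private_key(rp_id, credential_id)
        k = secrets.randbelow(Q - 1) + 1
        r = pow(G, k, P)
        e = _h(r.to_bytes(16, "big"), rp_id.encode(), challenge) % Q
        return r, (k - e * d) % Q


def verify(rp_id: str, public_key: int, challenge: bytes, sig) -> bool:
    """RP-side check: g^s * pub^e == r, with e bound to this RP's ID."""
    r, s = sig
    e = _h(r.to_bytes(16, "big"), rp_id.encode(), challenge) % Q
    return (pow(G, s, P) * pow(public_key, e, P)) % P == r


class ClientCertificate:
    """One key pair, one certificate, presented unchanged to every site."""

    def __init__(self) -> None:
        self._d = secrets.randbelow(Q - 1) + 1
        self.public_key = pow(G, self._d, P)

    def present(self, rp_id: str) -> int:
        return self.public_key          # rp_id is ignored: same key everywhere


def colluding_sites_can_link(seen_by_a, seen_by_b) -> bool:
    """What two colluding sites can do: intersect the identifiers they stored."""
    return bool(set(seen_by_a) & set(seen_by_b))


def demo() -> dict:
    """Run the three cases from the thread and report what a linker would see."""
    authenticator = FidoAuthenticator(secrets.token_bytes(32))
    cred_bank, pub_bank = authenticator.register("bank.example")
    cred_shop, pub_shop = authenticator.register("shop.example")
    challenge = secrets.token_bytes(32)
    sig = authenticator.sign("bank.example", cred_bank, challenge)

    cert = ClientCertificate()
    email = "alice@example.com"         # constructed sample, the 'static GUID' case

    return {
        "fido_verifies": verify("bank.example", pub_bank, challenge, sig),
        # Same signature replayed to another origin fails: e is bound to rp_id.
        "fido_cross_origin_fails": not verify("shop.example", pub_bank, challenge, sig),
        "fido_linkable": colluding_sites_can_link([pub_bank], [pub_shop]),
        "cert_linkable": colluding_sites_can_link(
            [cert.present("bank.example")], [cert.present("shop.example")]),
        "email_linkable": colluding_sites_can_link([email], [email]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run as-is and the FIDO credential is the only one of the three that two colluding sites cannot intersect; the moment both sites also store the same verified e-mail address, that advantage disappears, which is exactly the point made in the quoted message.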