- From: Timothy Holborn <timothy.holborn@gmail.com>
- Date: Sat, 21 Oct 2017 16:05:15 +0000
- To: "public-webid@w3.org" <public-webid@w3.org>
- Message-ID: <CAM1Sok3izJsMt62di6JX=i1B1cHpyvBqYYKVQ-zP=YoFGU4U3g@mail.gmail.com>
2.3 Comparison to OAuth and OAuth2

*"The OAuth and OAuth2 families of protocols were designed for a server-to-server security model with the assumption that each application instance can be issued, and keep, an "application secret". This approach is ill-suited to the "app store" security model. Although it is common for services to provision an OAuth-style application secret into their apps in an attempt to allow only authorized/official apps to connect, any such "secret" is in fact shared among everyone with access to the app store and can be trivially recovered through basic reverse engineering.*

*In contrast, FIDO's facet concept is designed for the "app store" model from the start. It relies on client-side platform isolation features to make sure that a key registered by a user with a member of a well-behaved "trusted club" stays within that trusted club, even if the user later installs a malicious app, and does not require any secrets hard-coded into a shared package to do so. The user must, however, still make good decisions about which apps and browsers they are willing to perform a registration ceremony with. App store policing can assist here by removing applications which solicit users to register FIDO keys for Relying Parties in order to make illegitimate or fraudulent use of them."*

source / specs: https://fidoalliance.org/specs/fido-uaf-v1.1-rd-20161005/fido-appid-and-facets-v1.1-rd-20161005.html

I enjoyed the language ;)

Tim.H.
Received on Saturday, 21 October 2017 16:05:57 UTC
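The "trusted club" in the quoted passage is the TrustedFacetList that a Relying Party serves at its AppID URL: the FIDO client checks the caller's facet ID (the https origin the browser reports, the APK signing-key hash Android reports, or the iOS bundle id) against that list, so no secret has to live inside the app package. The following Python is an added illustration of that check, not code from the e-mail, the FIDO Alliance or any FIDO client; the JSON document, hostnames and the apk-key-hash value are constructed, the fetch of the AppID URL is left out so it runs offline, and the registered-domain comparison is a two-label simplification of the Public Suffix List lookup a real client performs.

```python
import json
from urllib.parse import urlsplit

# Constructed stand-in for the TrustedFacetList JSON an RP serves at its AppID
# URL (the spec's application/fido.trusted-apps+json document). Every value is
# illustrative; the apk-key-hash is a placeholder, not a real signing-key hash.
TRUSTED_FACETS_DOC = json.dumps({
    "trustedFacets": [{
        "version": {"major": 1, "minor": 0},
        "ids": [
            "https://login.example.com",
            "https://example.com",
            "http://insecure.example.com",           # plain http: must be ignored
            "https://other-company.example",         # foreign registered domain: ignored
            "android:apk-key-hash:2jmj7l5rSw0yVb/vlWAYkK/YBwk",  # placeholder hash
            "ios:bundle-id:com.example.app",
        ],
    }],
})

# Facet ID forms a platform asserts about an installed app (not chosen by the app).
APP_FACET_PREFIXES = ("android:apk-key-hash:", "ios:bundle-id:")


def registered_domain(host):
    """Simplification: treat the last two DNS labels as the registered domain.

    A real FIDO client consults the Public Suffix List so that e.g. 'co.uk'
    is not treated as a registrable domain; that lookup is omitted here.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def trusted_facet_ids(app_id, doc_text, major=1, minor=0):
    """Return the facet IDs the client may honour for app_id from a fetched list.

    Web-origin entries survive only if they are https and sit under the AppID's
    registered domain; app entries survive as-is because the platform, not the
    app, vouches for them; everything else is dropped.
    """
    app = urlsplit(app_id)
    if app.scheme != "https" or not app.hostname:
        raise ValueError("AppID must be an https URL")
    allowed = set()
    for entry in json.loads(doc_text).get("trustedFacets", []):
        version = entry.get("version", {})
        if version.get("major") != major or version.get("minor") != minor:
            continue  # only the entry for the protocol version in use applies
        for facet in entry.get("ids", []):
            if facet.startswith("https://"):
                host = urlsplit(facet).hostname
                if host and registered_domain(host) == registered_domain(app.hostname):
                    allowed.add(facet)
            elif facet.startswith(APP_FACET_PREFIXES):
                allowed.add(facet)
    return allowed


def facet_authorized(app_id, facet_id, doc_text, major=1, minor=0):
    """Decide whether the caller identified by facet_id may use keys for app_id.

    facet_id is what the platform reports about the caller; the caller cannot
    pick it, which is what stands in for the OAuth-style shared app secret.
    """
    app = urlsplit(app_id)
    facet = urlsplit(facet_id)
    # A non-https AppID is an app facet itself: it is trusted only for the
    # caller whose platform-asserted facet ID is exactly that value.
    if app.scheme != "https":
        return app_id.startswith(APP_FACET_PREFIXES) and app_id == facet_id
    # An https caller on the AppID's own host needs no list lookup.
    if facet.scheme == "https" and facet.hostname and facet.hostname == app.hostname:
        return True
    # Otherwise the fetched list decides. (Fetching it over HTTPS, and following
    # redirects only when FIDO-AppID-Redirect-Authorized: true is present, is
    # out of scope here; the document is passed in already fetched.)
    return facet_id in trusted_facet_ids(app_id, doc_text, major, minor)
```

The malicious-app case from the quote falls out of the last branch: an app signed with a different key presents a different apk-key-hash, which is not in the list, so it never gets to exercise a key that was registered through the legitimate app or browser, and nothing it can extract from the genuine package changes that.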