
WebCrypto.Next Conference

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Thu, 11 Sep 2014 05:50:51 -0700
Message-ID: <54119AAB.1070704@gmail.com>
To: Web Payments CG <public-webpayments@w3.org>

Although it may be a bit early to review a conference before it is over,
I believe that I can say with confidence that the FIDO and WebCrypto folks
are not particularly into the distributed (but interconnected) web.

They rather emphasize that replacing userid/passwords is their main
goal and that privacy requires that you have a unique relationship
(key-wise) with each domain.  Mozilla and Google show no interest
in the existing (and in Europe and Asia relatively successful) eID use-cases
where you indeed can use the same credential on multiple sites.

This is a problem since these implementations rely on browser plugins, which
soon will be "outlawed", which has forced (for example) the banks in Sweden
to switch to native applications to cope with this issue.

I'm personally moderately convinced that WebCrypto and FIDO actually address
privacy (except on paper) because it is basically impossible to do anything serious
on the web without having a validated e-mail address which means that service
providers get a Globally Unique (fairly) Static ID which also is Searchable and is
Exposed in communication with other people.  That is, the NSA and other spying
entities already have the perfect electronic handle to individuals.

In reality FIDO will rather strengthen the super-providers' offers since FIDO doesn't
support an improved payment system for a distributed set of banks of the kind I'm targeting.
The user experience for such a use-case is, simply put, very bad, while Apple, Google
and PayPal will both look wonderful and be secure.

Anders
Received on Thursday, 11 September 2014 12:51:27 UTC
