- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Tue, 26 Aug 2014 20:55:07 -0400
- To: Anders Rundgren <anders.rundgren.net@gmail.com>, public-credentials@w3.org
On 08/26/2014 07:08 AM, Anders Rundgren wrote:
> On 2014-08-26 12:47, Manu Sporny wrote:
>> On 08/26/2014 03:34 AM, Anders Rundgren wrote:
>>> I think it is important realizing that web-based credential sync
>>> is already featured in iOS and in Google Wallet.
>>
>> Which specific features are you talking about? The auto-credit
>> card features? Or request-autocomplete? Or something else?
>
> Credentials in iOS and Google Wallet only refer to cryptographic
> keys or userid/passwords.

Got it, thanks.

>>> AFAIK, these webs never expose any information to external
>>> parties, they are effectively cloud-based smart cards.
>>
>> Hmm, depends on what you mean by "expose any information", clearly
>> some information has to be exposed for the service to be useful.
>> Are you talking PKI signatures here, or something else?
>
> The credential sync maintains private information in a remote server
> which in the Google Wallet case only the user is supposed to have
> access to. The credentials are supposed to be used with local
> applications or the browser using specific protocols like VPNs.
> iCloud appears to be a more general solution for synced data:
> http://images.apple.com/iphone/business/docs/iOS_Security_Feb14.pdf

The identity credentials stuff is usually 3-legged, meaning that there are 3 parties involved. The first is the identity provider, the second is your user agent (browser), the third is the relying party (website that asked for the information). We support the relaying of credentials from identity provider -> browser -> relying party as well as authorizing a relying party to retrieve data from an identity provider on an as-needed basis. The latter is concerning as one could imagine that big and powerful corporations would require all data they collect from you to be up-to-date all the time and thus you may not use their service unless you agree that they can pull your data whenever they feel like it. So, that's something we need to consider.

>> There are a number of organizations each targeting something
>> slightly different. The use case is trying to capture the general
>> theme without being overly prescriptive. If you could elaborate on
>> the above (preferably with links) that would help us figure out
>> what you consider in scope and out of scope. :)
>
> I only wanted to highlight what parties like Apple and Google do in
> this space.

Thanks Anders, that was helpful. We should really do a deep dive into what Google and Apple have at some point. Volunteers to do that?

-- manu

--
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The Marathonic Dawn of Web Payments
http://manu.sporny.org/2014/dawn-of-web-payments/
Received on Wednesday, 27 August 2014 00:55:35 UTC