RE: WHY USING FACEBOOK, GOOGLE, AND TWITTER TO LOG INTO APPS IS A PROBLEM

Okay, let’s formulate my remark more correctly: It should be possible to store credentials outside of the browser, explicitly to allow for these different preferences. No problem with browsers implementing the same functionality. In essence we are talking about portability now.

From: Melvin Carvalho [mailto:melvincarvalho@gmail.com]
Sent: Mittwoch, 17. Juni 2015 17:05
To: Heuer, Jörg
Cc: Eric Korb; W3C Credentials Community Group
Subject: Re: WHY USING FACEBOOK, GOOGLE, AND TWITTER TO LOG INTO APPS IS A PROBLEM



On 17 June 2015 at 16:57, <Joerg.Heuer@telekom.de<mailto:Joerg.Heuer@telekom.de>> wrote:
+1 to definitely not aim at storing credentials in the browser. I’d like to use different browsers on different platforms – and have them synced if I may…

That's a design decision and people will have different preferences.  It's really important not to impose personal preferences onto others, here.  Mozilla tried to do this and that's one reason Persona failed to become a standard.
Estonia solve this quite neatly with the e citizen program by using a card reader.  The browsers have the ability to store credentials externally, which is a nice feature.
It seems to have worked very well.  Once finland operate this, both belgium and holland have digital id schemes in the world.  I think estonia/finland is the most advanced.  There will be mounting pressure IMHO on denmark, norway, sweden and then germany to innovate:

https://www.youtube.com/watch?v=L4J5yeyGu1A

It's been a huge win for Estonia to date

Adding the online national census capability cost only the census software, less than €10K, because the infrastructure was already in place

compare the US: The 2010 census cost $13 billion, approximately $42 per capita


From: Timothy Holborn [mailto:timothy.holborn@gmail.com<mailto:timothy.holborn@gmail.com>]
Sent: Mittwoch, 17. Juni 2015 16:52
To: Eric Korb; Melvin Carvalho
Cc: Credentials Community Group
Subject: Re: WHY USING FACEBOOK, GOOGLE, AND TWITTER TO LOG INTO APPS IS A PROBLEM

(Can't respond inline on Google inbox, as far as I can tell...)
Re: credentials in the browser.
So,
How do you reset your tls cert? Say, for nanna...
Are you suggesting you think credentials are unnecessary?
What's the difference between trusting a data space service with your data vs. your credential access support.
Do you think it's global or go home; or,
Should every legal entity (and/or bot/agent) be able to "mint" a "credential", and what happens if your computer is stolen, or fails, or someone else is using your account on your computer.
How does it support isolation of roles/persona.
Communities at all levels share and disagree on an array of values. From images relating to local laws on nudity or gun licensing, to the cost of education.
Who says one ring should rule them all...

On Thu, 18 Jun 2015 at 12:17 am, Melvin Carvalho <melvincarvalho@gmail.com<mailto:melvincarvalho@gmail.com>> wrote:
On 17 June 2015 at 14:23, Eric Korb <eric.korb@accreditrust.com<mailto:eric.korb@accreditrust.com>> wrote:
Interesting article.

http://www.fastcompany.com/3044280/one-more-thing/the-ghosts-of-app-permissions-past


Yep, it used to be even worse.  They used to phish your password:

http://microformats.org/wiki/social-network-anti-patterns

Mozilla persona still does this.
I prefer to keep credentials in the browser.  This can be done today with X.509 or the web crypto API.


----------------------------------
Eric Korb, President/CEO - accreditrust.com<https://www.accreditrust.com>

Received on Wednesday, 17 June 2015 15:12:14 UTC