- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Sun, 6 Sep 2015 10:20:57 +0200
- To: public-webid@w3.org, W3C Credentials Community Group <public-credentials@w3.org>
The FIDO advocates (which nowadays include the W3C staff) claim that FIDO Alliance schemes preserve privacy by building on "The Only True Web Security Model" (SOP), which indeed isolates domains from each other. HTTPS client certificates OTOH do not support this concept [1] and can thus be shared with any number of independent domains. The latter is considered privacy-impeding (supports tracking), which is the primary reason why it is deprecated (but still working).

A thing the FIDO folks tend not to talk about is the fact that most people are moderately fond of having to register at each new site they visit. And if they do, they typically need a verified e-mail address. However, after this step, the privacy advantage with FIDO is more or less gone since an e-mail address is nothing but a static Globally Unique ID which can be searched for as well.

But there's more to this. Having to verify an e-mail address raises the bar to customer acceptance for web sites, so it makes sense to use an IdP instead, right? Now we have built a system where a single party not only provides unified identities to any number of independent sites, but also knows where we've been.

Note: This should NOT be considered as "dissing" FIDO (only setting the record straight), because the FIDO Alliance has succeeded in creating a standard for low-cost browser-compatible security tokens while the traditionalists (X.509) have been focusing on $200+ per seat card solutions for governments. This is also a reason why X.509 authentication on the Web hasn't gotten any attention worth mentioning: governments neither care about costs nor convenience, and whether it works for other people is also a non-issue.

NIST has now joined FIDO...

Cheers,
Anders Rundgren

[1] Although the CA filtering capability is useful, it addresses another issue, credential selection.
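The message contrasts four ways a user can be identified across two independent sites: an origin-scoped FIDO credential, a shared HTTPS client certificate, a FIDO credential plus a verified e-mail address, and an IdP. The script below is an added illustration of that comparison and is not code from the message or from the FIDO Alliance; it models each case with constructed values (a device seed, a user e-mail, two site names) and a deliberately simplified per-relying-party key derivation that stands in for a real authenticator. It then reports which parties end up able to link the same user across the two sites.

```python
import hashlib
import hmac

# Constructed sample values for the illustration (none come from the message).
DEVICE_SEED = b"constructed-authenticator-seed"
USER_EMAIL = "alice@example.invalid"
CLIENT_CERT_FINGERPRINT = hashlib.sha256(b"constructed-client-certificate").hexdigest()
SITE_A = "shop.example"
SITE_B = "forum.example"


def fido_credential_id(rp_id: str) -> str:
    """Stand-in for an origin-scoped FIDO credential (assumption: a simplified
    per-relying-party derivation, not any vendor's actual scheme). The point is
    only that each site receives a different value from the same authenticator."""
    return hmac.new(DEVICE_SEED, rp_id.encode(), hashlib.sha256).hexdigest()


def identifiers_held_by(site: str, model: str) -> set:
    """Stable identifiers a site ends up storing about the user under each model."""
    if model == "fido":
        return {fido_credential_id(site)}
    if model == "client_cert":
        # One certificate, presented unchanged to every domain (no SOP scoping).
        return {CLIENT_CERT_FINGERPRINT}
    if model == "fido_plus_email":
        # The FIDO key is scoped, but the verified e-mail address is global.
        return {fido_credential_id(site), USER_EMAIL}
    raise ValueError(f"unknown model: {model}")


def sites_can_link_user(site_a: str, site_b: str, model: str) -> bool:
    """True if the two sites share at least one identifier they could join on."""
    return bool(identifiers_held_by(site_a, model) & identifiers_held_by(site_b, model))


class IdentityProvider:
    """IdP model: hands each site a pairwise pseudonym (so the sites cannot join
    on it) but necessarily records every site the user logs into."""

    def __init__(self) -> None:
        self.login_log: list[tuple[str, str]] = []

    def login(self, email: str, site: str) -> str:
        self.login_log.append((email, site))
        return hashlib.sha256(f"{email}|{site}".encode()).hexdigest()

    def sites_visited_by(self, email: str) -> set:
        return {site for e, site in self.login_log if e == email}


def privacy_report(site_a: str, site_b: str) -> dict:
    """Who can correlate the user across site_a and site_b under each model."""
    idp = IdentityProvider()
    pseudonym_a = idp.login(USER_EMAIL, site_a)
    pseudonym_b = idp.login(USER_EMAIL, site_b)
    return {
        "fido_sites_can_link": sites_can_link_user(site_a, site_b, "fido"),
        "client_cert_sites_can_link": sites_can_link_user(site_a, site_b, "client_cert"),
        "fido_plus_email_sites_can_link": sites_can_link_user(site_a, site_b, "fido_plus_email"),
        "idp_sites_can_link": pseudonym_a == pseudonym_b,
        "idp_knows_both_sites": idp.sites_visited_by(USER_EMAIL) == {site_a, site_b},
    }


if __name__ == "__main__":
    for key, value in privacy_report(SITE_A, SITE_B).items():
        print(f"{key}: {value}")
```

Run it and only the pure FIDO case comes out as unlinkable by the two sites; the shared certificate and the e-mail address both give them a common join key, and the IdP variant moves the correlation capability to the IdP rather than removing it, which is the trade-off the message describes.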
Received on Sunday, 6 September 2015 08:21:33 UTC