FIDO versus X.509 (was <keygen>)

The FIDO advocates (which nowadays includes the W3C staff), claim that FIDO alliance
schemes preserve privacy by building on "The Only True Web Security Model" (SOP) which
indeed isolate domains from each other.  HTTPS client-certificates OTOH do not support
this concept [1] and can thus be shared with any number of independent domains.

The latter is considered as privacy-impeding (supports tracking) which is the primary
reason to why it is deprecated (but still working).

A thing the FIDO folks tend to not talk about is the fact that most people are
moderately fond of having to register at each new site they visit.  And if they do,
they typically need a verified e-mail address.  However, after this step, the privacy
advantage with FIDO is more or less gone since an e-mail address is nothing but a static
Globally Unique ID which can be searched for as well.

But there's more this.  Having to verify e-mail address raises the bar to customer
acceptance for web-sites so it makes sense to use an IdP instead, right?  Now we
have built a system where a single party not only provides unified identities to any
number of independent sites, but also knows where we've been.

Note: This should NOT be considered as "dissing" FIDO (only setting the record straight),
because the FIDO alliance have succeeded creating a standard for low-cost browser-compatible
security-tokens while the traditionalists (x.509) have been focusing on $200+ per seat card-
solutions for governments.  This is also a reason why x.509 authentication on the Web haven't
gotten any attention worth mentioning - Governments do neither care about costs nor convenience
and if it works for other people is also a non-issue.  NIST have now joined FIDO...

Anders Rundgren

1] Although the CA filtering capability is useful it addresses another issue, credential selection.

Received on Sunday, 6 September 2015 08:21:33 UTC