Re: [hb-secure-services] vs Web Authentication

On 2016-12-21 16:22, Rigo Wenning wrote:
> Anders,
> On Wednesday, December 21, 2016 3:21:59 PM CET Anders Rundgren wrote:
>> Since the browser vendors obviously are busy with Web Authentication, you
>> can safely assume that YOUR team will have to implement everything
>> themselves.
> Web authentication is just a different branding for the FIDO approach. It was
> clear from the beginning of this work that both approaches are very different,
> namely that the smart card approach includes identity management while FIDO
> relies on large internet estates to do it.

Hi Rigo,

This is not entirely correct; FIDO is considered by many governments as
an alternative to traditional smart cards and PKI.  I'm pretty sure the
"France Connect" identity portal will eventually be powered by FIDO.

That is, FIDO is a direct competitor having wide industry support.

"Signed transactions" are moved to the "Cloud" supported by a recent CEN
standard which was created because the traditional scheme failed.

> I don't know what Gemalto does.

Neither do I, but if they (and partners) don't implement this themselves, which
will cost at least 300,000 EUR, this work might as well be abandoned since
the browser vendors do not have any stakes in smart cards.  There are still
no guarantees that such an implementation would be accepted.

> I see them involved in both. But for me, both
> approaches are not in competition. Except that not doing this approach will
> make large internet estates even more important and thus contribute to the
> concentration and re-centralization of the Web. So doing FIDO as such is not
> the issue. But not allowing ID management via something other than passwords
> is. Especially as not doing it would mean the government would have to do its
> identity management like some large Californian companies. This would mean EU
> governments would have to revise their entire legislation on identity
> management.
> I think making a browser that can do hb-security is cheaper.

Maybe a constructive first step would be asking the browser vendors if they
even would like to see this spec. implemented inside of *their* products?


>  --Rigo

Received on Wednesday, 21 December 2016 16:31:13 UTC