- From: Dave Raggett <dsr@w3.org>
- Date: Mon, 08 Aug 2011 10:35:59 +0100
- To: Henry Story <henry.story@bblfish.net>
- CC: Anders Rundgren <anders.rundgren@telia.com>, "public-identity@w3.org" <public-identity@w3.org>
On 07/08/11 23:43, Henry Story wrote:

> On 7 Aug 2011, at 21:47, Dave Raggett wrote:
>
>> I plan to work on extending webkit and Mozilla to support this, as working code is always more compelling than just talk. However, to realize the trust models we need to discuss what is needed to support a culture of credentials that match up to real world requirements.
>
> what are you planning to do there?

The work on privacy friendly strong authentication and plans for further work are described in http://www.w3.org/2011/D1.2.3/#anonymous_credentials

The bigger challenge is to broaden the discussion for what is needed for online trust models. To counter phishing, we need a means for the browser to verify that this website is the same as the one you set up your account with. That isn't too demanding, e.g. the browser could check that the site's public key is the same*. Establishing trust in the first place is harder, and currently relies on faith in DNS in conjunction with the bank's domain name passed to you via the letters the bank sent you in the post.

In other circumstances, we need a way to establish trust online, and the current CA system doesn't suffice. This is where we need further debate about the possibilities, and an analysis about the various approaches that have already been tried. This is less about technology and more about society.

* we also need to break free of the current user id/password mess, but I didn't want to go into that here.

--
Dave Raggett <dsr@w3.org> http://www.w3.org/People/Raggett
Received on Monday, 8 August 2011 09:36:24 UTC
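
The check described in the message above (is this the same site the account was set up with?), as an added example that is not part of the original message or any browser's code. `PinStore`, its methods and the key values are hypothetical and constructed for illustration.

```javascript
// Added illustration: pin a site's public key at account setup, check it at login.
// PinStore, enroll and check are hypothetical names, not a browser API.
class PinStore {
  constructor() {
    this.pins = new Map(); // origin -> public key (hex of SubjectPublicKeyInfo)
  }

  // Normalise to scheme://host[:port] so paths and query strings cannot dodge the pin.
  static originOf(url) {
    const u = new URL(url);
    if (u.protocol !== "https:") throw new Error("pinning needs an authenticated channel");
    return u.origin;
  }

  // Called once, when the user creates the account on this site.
  enroll(url, publicKeyHex) {
    const origin = PinStore.originOf(url);
    if (this.pins.has(origin)) throw new Error("already enrolled: " + origin);
    this.pins.set(origin, publicKeyHex.toLowerCase());
    return origin;
  }

  // Called before credentials are released to a site.
  check(url, presentedKeyHex) {
    const pinned = this.pins.get(PinStore.originOf(url));
    if (pinned === undefined) return "no-account"; // never set up here: lookalike domain?
    return pinned === presentedKeyHex.toLowerCase() ? "same-site" : "key-changed";
  }
}

// Constructed sample values (not real keys or real sites).
const BANK_KEY = "3059301306072a8648ce3d0201aa01";
const OTHER_KEY = "3059301306072a8648ce3d0201bb02";

function demo() {
  const store = new PinStore();
  store.enroll("https://bank.example/signup", BANK_KEY);
  return [
    store.check("https://bank.example/login?next=/home", BANK_KEY), // "same-site"
    store.check("https://bank.example/login", OTHER_KEY),           // "key-changed"
    store.check("https://bank-example.test/login", BANK_KEY),       // "no-account"
  ];
}
```

A `key-changed` result also fires on a legitimate key rotation, so a deployable design needs a rotation path; the pin only answers "same as at setup", not whether the first contact was trustworthy.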