Ryan --
- I would like to correct an opinion which I was afraid was being
formed.
Contrary to assumed opinion, I am **not against** FIDO;
*instead* I am for a generic framework that would *include* FIDO, but
not just FIDO.
Please refer to Slides 15 & 16 of my presentation from the Sep 2014
workshop:
http://www.w3.org/2012/webcrypto/webcrypto-next-workshop/slides/hardwaretokens/tyfone.pdf
- A generic framework that supports FIDO, Tokenization, Derived
Credential (and perhaps others yet to be invented) equally.
There have been years of work that has gone into these standards just as
much as FIDO.
If a legacy system could use the generic framework, so be it.
--
*Siva G. Narendra Ph.D.*
*CEO - Tyfone, Inc.*
*Portland | Bangalore | Taipei*
*www.tyfone.com <http://www.tyfone.com>*
*Voice: +1.661.412.2233*

On Mon, Feb 2, 2015 at 1:59 PM, Ryan Sleevi <sleevi@google.com> wrote:
>
>
> On Mon, Feb 2, 2015 at 1:54 PM, Siva Narendra <siva@tyfone.com> wrote:
>
>> Ryan -- if we are able to collaborate and come up with a web
>> implementation architecture that not only encompassed FIDO, but also
>> equally viable standards such as PIV Derived Credentials [1] and EMV
>> Tokenization [2]... and such standards to come in other industries, will
>> you be supportive of it? Or, you do not want to support anything other than
>> FIDO?
>>
>> Same question for Anders and Brad.
>>
>> Best,
>> Siva
>>
>> [1] http://www.nist.gov/manuscript-publication-search.cfm?pub_id=914530
>> [2] http://www.emvco.com/specifications.aspx?id=263
>>
>>
> Siva,
>
> I'll echo what I've said publicly for the last three years:
> - If a proposal is put forward that can reasonably consider the Web
> Security model and fit within the privacy goals, it will be considered.
>
> You've put forward a false dichotomy by suggesting it's "FIDO or legacy".
>
> Without evaluating [1] or [2], if they cannot or do not fit the web
> security model, then unquestionably, I oppose and will continue to oppose
> them. FIDO respects these goals - and was designed with them first and
> foremost in mind - so it absolutely deserves consideration.
>
> There has yet to be a proposal that demonstrates how [1] or [2], or any of
> the other legacy APDU systems, can be done in a way that preserves and
> respects security and privacy at the right layer (the origin). So
> naturally, I see no reason to block FIDO from being exposed, especially
> when three years have passed - in which time FIDO was written, implemented,
> and made mass-market available - while no such earnest efforts appear to
> have happened for legacy.
>