Brad, On Wednesday 16 September 2015 17:13:38 Brad Hill wrote: > I think FIDO can live alongside other approaches, but do think that FIDO is > better because a lot of folks, myself included, spent a lot of time and > effort designing it as a way of using public keys for strong authentication > that emphasizes user choice, safety, and privacy, that aligns well with the > rest of the security and privacy features of both the web and the most > common mobile platforms, and which respects and works well with what we've > learned about the architecture and operation of the web at a large scale > over the last 25 years. I think that work deserves a fair assessment based > on what it really is and does, so I'm mostly in this thread to correct > misinformation and misapprehensions about it. Thanks for the clarity. This doesn't sound super exclusive. Meaning we have the following questions (with my opinions): 1/ Is keygen so harmful that browsers should throw it out? As you may understand, I will not contradict my boss Timbl :) 2/ Is FIDO good? Yes, I hate passwords and I promote hoba http://tools.ietf.org/html/rfc7486 3/ Is FIDO excluding all other authentication and security tools No. I believe there is a place for something else that is less dependent on large origins for their trust relation and less limited on SOP. I think that the Web should not ignore e.g. the several eIdentity movements around the world. --Rigo
Received on Thursday, 17 September 2015 12:48:13 UTC