Brad,
On Wednesday 16 September 2015 17:13:38 Brad Hill wrote:
> I think FIDO can live alongside other approaches, but do think that FIDO is
> better because a lot of folks, myself included, spent a lot of time and
> effort designing it as a way of using public keys for strong authentication
> that emphasizes user choice, safety, and privacy, that aligns well with the
> rest of the security and privacy features of both the web and the most
> common mobile platforms, and which respects and works well with what we've
> learned about the architecture and operation of the web at a large scale
> over the last 25 years. I think that work deserves a fair assessment based
> on what it really is and does, so I'm mostly in this thread to correct
> misinformation and misapprehensions about it.
Thanks for the clarity.
This doesn't sound super exclusive. Meaning we have the following questions
(with my opinions):
1/ Is keygen so harmful that browsers should throw it out?
As you may understand, I will not contradict my boss Timbl :)
2/ Is FIDO good?
Yes, I hate passwords and I promote HOBA
http://tools.ietf.org/html/rfc7486
3/ Is FIDO excluding all other authentication and security tools?
No. I believe there is a place for something else that is less dependent on
large origins for their trust relation and less limited on SOP. I think that
the Web should not ignore e.g. the several eIdentity movements around the
world.
--Rigo