- From: Mitar <mmitar@gmail.com>
- Date: Mon, 22 Feb 2016 22:01:30 -0800
- To: Anders Rundgren <anders.rundgren.net@gmail.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Tim Berners-Lee <timbl@w3.org>
Hi! On Mon, Feb 22, 2016 at 8:45 PM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote: > The first step was removing the support for plugins. The "<keygen>" tag you > mention is also considered "evil" and is now about to go: > https://lists.w3.org/Archives/Public/www-tag/2015Sep/0000.html This is really sad to read. Instead of improving upon it, we are removing things. :-( > Nowadays the browser vendors recommend using FIDO alliance schemes which > were explicitly designed for the Web: https://fidoalliance.org/ To my understanding the issue here is that you have to trust the website/app to correctly link your public key identity with some other identity. I think FIDO is not suitable for government use because of this. Because why would I trust the website/app to do this linking correctly. By government having a CA, they can control issuing of public keys and linking them to the identity. In that case website/apps are consumers. FIDO really address different use cases. Issues of how to not be tracked, have stronger authentication, and so on. Client-side certificates are addressing the question of what if you do want to have your identity persistent. If you do want to not be anonymous because you are doing your taxes online? To me it even feels like USA-centric standardization happening here. > In the latest incarnation of the Swedish "Mobile BankID", you cannot only login > (and sign) to hordes of public sector e-services and a bunch of banks, but transfer > money to 40-50% of the population using a phone number only. All powered by a > single mobile eID. The issue with those approaches is that they are not standard. Concretely, I wanted to create a simple petition website where people could sign a petition with their state issues certificates. In contrast with many other websites for petitions, this one would be legally bounding to the government. And in Europe this is pretty simple to do because some countries have such certificates. So one would guess this is easy to do. You make a site, you prompt user to sign a piece of text (petition), you store the signature. Everyone can verify all signatures (using state CA certificate). You count them. You deliver them to your government and you do active democracy (instead of liking posts on Facebook). And then you discover that this is not possible. Not just that, even browser extensions cannot access those certificates. This is in my opinion really limiting usefulness of web platform. If we are talking about web being used for democracy. Not possible. Let's have Facebook like activism, but not real democracy and real democratic platforms? Mitar -- http://mitar.tnode.com/ https://twitter.com/mitar_m
Received on Tuesday, 23 February 2016 06:02:00 UTC