- From: Arshad Noor via GitHub <sysbot+gh@w3.org>
- Date: Wed, 09 Aug 2017 19:07:04 +0000
- To: public-webauthn@w3.org

While @AngeloKai's use-case in the original posting is a valid one, the right way to address this problem is through a business transaction, and to keep the authentication protocol true to one of its core principles: preserving a user's privacy. I fear that the compromise of web-applications at one site may be used to exploit FIDO credentials at another site if this privacy barrier is broken at the protocol layer.

When _acquirer.com_ merges with/buys out _acquisition.net_, there is a legitimate need to know that John Doe at acquirer.com is the same as John D. at acquisition.net. However, once the merger has concluded, it is better for a business web-application on each site to request the authenticated user on their site, to identify themselves from the other company from the merger, so they can combine "assets" and provide a better experience for the user on both sites. The merger of user-data is for **business** purposes, so it should appropriately be relegated to a business-transaction flow.

FIDO protocols are good. Authenticators have been implemented to store/manage from 10 to Unlimited number of key-pairs. Having multiple key-pairs on the Authenticator - one for each domain - is not the end of the world for devices that are likely to be "free" in 18-24 months. But to start adding technological/protocol baggage for business transactions that get done/undone/redone is (to flog the same old horse) going down the path of PKI again. PKI - at its core - was as elegant as FIDO once upon a time (from a cryptographical and data-structure pov). When ill-conceived business functions were added to digital certificates (through extensions, constraints, attribute certificates, etc.), it became the proverbial Gordian Knot. And, that is why FIDO exists today.

While I don't track all the conversations on this forum - except for occasional catches like this - please use this litmus test when evaluating whether a protocol/specification change is necessary: _Is the problem being solved a BUSINESS function?_ If so, please stop right there and let business-application developers solve it where it belongs - in their applications.

Thank you.

--
GitHub Notification of comment by arshadnoor
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/458#issuecomment-321351865 using your GitHub account

Received on Wednesday, 9 August 2017 19:07:05 UTC