
Re: FIDO versus X.509 (was <keygen>)

From: Timothy Holborn <timothy.holborn@gmail.com>
Date: Tue, 08 Sep 2015 12:56:46 +0000
Message-ID: <CAM1Sok08Aq2KDm+N5Gq45i8mxyFMBaTRfXc63ytN63cOyVLWag@mail.gmail.com>
To: David Chadwick <d.w.chadwick@kent.ac.uk>, public-webid@w3.org
Credentials have potential for greater decentralization.  Yet, imho, X.509 is
useful for an array of devices.  Subject alt.name is also useful for
decentralising or using 'rww' methods to store user-data separately from
provider info, inc. personalising feeds without mandatorily providing data
to the service provider.

Yet, if it's all going to be 'choice of law California', or similar, why
does the technology matter?

Wouldn't we be better off trying to get social security out of Facebook or
Google?

Imho: we need a knowledge banking industry, and the tools to support it.

Timh.

On 22:32, Tue, 08/09/2015 David Chadwick <d.w.chadwick@kent.ac.uk> wrote:

> If you want to track users, it makes more sense to centralise this (i.e.
> run an IdP) than to distribute it (i.e. require each visited site to
> collude together to compare user attributes)
>
> regards
>
> David
>
> On 06/09/2015 09:20, Anders Rundgren wrote:
> > The FIDO advocates (which nowadays include the W3C staff) claim that FIDO alliance
> > schemes preserve privacy by building on "The Only True Web Security Model" (SOP), which
> > indeed isolates domains from each other.  HTTPS client-certificates OTOH do not support
> > this concept [1] and can thus be shared with any number of independent domains.
> >
> > The latter is considered as privacy-impeding (supports tracking), which is the primary
> > reason why it is deprecated (but still working).
> >
> > A thing the FIDO folks tend to not talk about is the fact that most people are
> > moderately fond of having to register at each new site they visit.  And if they do,
> > they typically need a verified e-mail address.  However, after this step, the privacy
> > advantage with FIDO is more or less gone, since an e-mail address is nothing but a static
> > Globally Unique ID which can be searched for as well.
> >
> > But there's more to this.  Having to verify an e-mail address raises the bar to customer
> > acceptance for web-sites, so it makes sense to use an IdP instead, right?  Now we
> > have built a system where a single party not only provides unified identities to any
> > number of independent sites, but also knows where we've been.
> >
> > Note: This should NOT be considered as "dissing" FIDO (only setting the record straight),
> > because the FIDO alliance have succeeded in creating a standard for low-cost browser-compatible
> > security-tokens while the traditionalists (x.509) have been focusing on $200+ per seat card
> > solutions for governments.  This is also a reason why x.509 authentication on the Web hasn't
> > gotten any attention worth mentioning - Governments neither care about costs nor convenience,
> > and whether it works for other people is also a non-issue.  NIST have now joined FIDO...
> >
> > Cheers,
> > Anders Rundgren
> >
> > [1] Although the CA filtering capability is useful, it addresses another issue, credential selection.
> >
> >
>
>
Received on Tuesday, 8 September 2015 12:57:23 UTC