W3C home > Mailing lists > Public > public-webid@w3.org > October 2017

FIDO vs. OAuth2

From: Timothy Holborn <timothy.holborn@gmail.com>
Date: Sat, 21 Oct 2017 16:05:15 +0000
Message-ID: <CAM1Sok3izJsMt62di6JX=i1B1cHpyvBqYYKVQ-zP=YoFGU4U3g@mail.gmail.com>
To: "public-webid@w3.org" <public-webid@w3.org>
2.3 Comparison to OAuth and OAuth2

*"The OAuth and OAuth2 of protocols were designed for a server-to-server
security model with the assumption that each application instance can be
issued, and keep, an "application secret". This approach is ill-suited to
the "app store" security model. Although it is common for services to
provision an OAuth-style application secret into their apps in an attempt
to allow only authorized/official apps to connect, any such "secret" is in
fact shared among everyone with access to the app store and can be
trivially recovered thorough basic reverse engineering.*

*In contrast, FIDO's facet concept is designed for the "app store" model
from the start. It relies on client-side platform isolation features to
make sure that a key registered by a user with a member of a well-behaved
"trusted club" stays within that trusted club, even if the user later
installs a malicious app, and does not require any secrets hard-coded into
a shared package to do so. The user must, however, still make good
decisions about which apps and browsers they are willing to preform a
registration ceremony with. App store policing can assist here by removing
applications which solicit users to register FIDO keys to for Relying
Parties in order to make illegitmate or fraudulent use of them."*
source / specs:

I enjoyed the language ;)
Received on Saturday, 21 October 2017 16:05:57 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:06:03 UTC