Re: SQRL

On 10/16/13 8:32 AM, Matt Morgan wrote:
> http://security.stackexchange.com/questions/43374/could-sqrl-really-be-as-secure-as-they-say 
>
>
> Check out, in particular, the first two high-rated answers. The answer 
> from user tyleri I think is especially useful; the main point being 
> that compared to proper use of keepass or lastpass, for example, SQRL 
> differs mainly in that your entire online identity is kept on your 
> smartphone, which can easily get lost or stolen. It's harder for 
> someone to get full control over your keepass db, especially if you 
> keep it in a dropbox folder or something like that.
>
> On the other hand, the arguments in favor of SQRL are more along the 
> lines of "how many people are actually capable of using keepass 
> properly? Isn't SQRL more likely to be used by more people?" And the 
> counter-argument to that is "OK, but if we're talking about people who 
> don't understand how it works, they'll be more susceptible to MITM 
> attacks and social engineering."
>
> Basically, it's one of those ideas that sounds good until you 
> stress-test it.
>
> Best,
> Matt 
A few points:

1. There's nothing wrong with your security credentials being stored on 
a phone or other computing device
2. There's a lot wrong if Dropbox (or any other cloud storage services 
provider) is your sole identity credentials safe.

As has already been demonstrated by PKI, you need asymmetric keys which 
enable distribution of credentials i.e., everything isn't in one public 
or private box.

The best solution I know boils down to making PKI web-like (or webby). 
That's what the entire WebID and WebID+TLS protocol is all about. In 
addition, there is nothing about WebID [1], WebID+TLS, that's 
incompatible with related efforts such as Web Keys [2].

Back to SQRL:

The problem is that it puts its entire pitch into the QRCode basket, and 
in doing so imposes QRCode decoding into the client authentication 
process, when at best it should simply be an option.

Links:

[1] https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/identity-respec.html
[2] https://payswarm.com/specs/source/http-keys/
[3] http://youid.openlinksw.com -- an example of WebID, WebID+TLS 
compatible iOS app
[4] http://bit.ly/19McSik -- G+ note about YouID 1.3.0 .

-- 

Regards,

Kingsley Idehen	
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen

Received on Wednesday, 16 October 2013 13:23:45 UTC