- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Mon, 17 Feb 2014 16:35:10 +0100
- To: Melvin Carvalho <melvincarvalho@gmail.com>, Web Payments <public-webpayments@w3.org>

On 2014-02-17 14:54, Melvin Carvalho wrote:
> I have a question over whether it's possible to impersonate an identity, say, alice@example.com
>
> If I have understood correctly web payments identities will be compatible with Persona / BrowserID
>
> Does this mean they will look up .well-known/browserid in example.com and if not fall back to the mozilla server? Would that mean that mozilla could then impersonate Alice?
>
> Just thinking out loud, I might have misunderstood the flow here ...

Melvin,

I believe any TTP-based identity-provider can impersonate their clients if they really want.

U2F could eliminate this since it doesn't build on a central authority.
There are though HUGE disadvantages of not using TTPs, particularly if you lose your keys.

IMO, U2F's privacy model doesn't pass the litmus test because without a valid e-mail address there's very little a service provider can offer.

Anders

Received on Monday, 17 February 2014 15:35:42 UTC