- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Fri, 21 Feb 2014 08:13:58 -0500
- To: public-webpayments@w3.org

On 02/17/2014 10:35 AM, Anders Rundgren wrote:
> I believe any TTP-based identity-provider can impersonate their
> clients if they really want. U2F could eliminate this since it
> doesn't build on a central authority.

Unless I'm missing something, U2F is still susceptible to the malicious TTP attack. Someone has to hold the list of your public keys, that organization can add new public keys at will. If the organization can add public keys, they can just add their own and fake your identity if they so desire.

> There are though HUGE disadvantages of not using TTPs, particularly
> if you lose your keys.

Yep.

> IMO, U2F's privacy model doesn't pass the litmus test because without
> a valid e-mail address there's very little a service provider can
> offer.

I don't understand the specifics of what you're saying, could you elaborate, please?

-- manu

--
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The Worlds First Web Payments Workshop
http://www.w3.org/2013/10/payments/

Received on Friday, 21 February 2014 13:14:27 UTC