Re: Strong authentication for PayPal versus WebPayments

On 05/07/2014 12:54 PM, Anders Rundgren wrote:
>> Why will U2F only work for 2-3 identity providers?
> 
> A certificate using HTTPS Client Cert Auth like in WebID-TLS can be 
> used for login to any properly set up site, right?

Yes. Although, not all of us are sold on the WebID-TLS strategy of using
browser-based client-certs to do login (myself included).

There are plenty of other ways to do it, though. We're currently
building a proof of concept demo to show how you can couple a
decentralized protocol (like Telehash[1]) with the Identity
Credentials[2] spec to get something feature-equivalent, but without
requiring browser-based client certificate support.

> U2F, OTOH, presumes (for privacy reasons) a unique public key for 
> each domain/site enforced by SOP.  Getting around that 
> feature/limitation isn't my cup of tea.

Ok, so you convinced me to finally try to find documentation on U2F and
get myself educated. I had looked for the FIDO Alliance documents
before, but couldn't find much. These are the pre-FIDO Alliance
documents from Google, and I found them useful:

https://sites.google.com/site/oauthgoog/gnubby

I still don't understand why a unique public key for each domain/site is
such a terrible thing. You can still couple that solution w/ a
decentralized identity provider to be able to assert a single identity
w/ specific credentials across multiple websites. That is, I don't see
the one public key per domain/site being a road-blocker issue. What use
case can't we accomplish w/ that setup?

>> I'm assuming that it's going to be for the same reasons that OpenID
>> Connect is probably only going to work for 2-3 identity providers.
> 
> Yes, that's exactly the right comparison.

After spending a few hours reading the U2F documents, I don't think it's
correct any more. U2F doesn't prevent you from switching providers,
OpenID Connect does. Sure, you can't re-use keys between providers, but
that's a good thing wrt. privacy issues. Also, keep in mind that if you
/do/ want to re-use keys, you can always layer that on top of a
U2F-based login to an identity provider. There's nothing to say that the
key you use for login must be the same key that you use for the U2F
device.  That is, you can still have fully decentralized solutions w/
U2F as far as I can see, so what am I missing?

-- manu

[1] https://github.com/telehash/telehash.org/blob/master/protocol.md
[2] https://web-payments.org/specs/source/identity-credentials/

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The Marathonic Dawn of Web Payments
http://manu.sporny.org/2014/dawn-of-web-payments/

Received on Thursday, 15 May 2014 19:46:47 UTC
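To make the per-origin key property discussed above concrete, here is an added Go model (not code from this thread, from the FIDO specs, or from any real token) of a U2F-style authenticator: one device registers at two constructed origins and gets two unlinkable key pairs, and each relying party's check binds the signature to its own appID, which is what the SOP enforcement in the thread refers to. The HMAC-based key derivation and nonce key handle are assumptions standing in for real tokens' key wrapping, and the signature counter is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"math/big"
)

// Authenticator models a U2F-style token: one device secret, one key pair per origin (appID).
type Authenticator struct {
	secret []byte // device master secret; never leaves the token
}

// deriveKey rebuilds the per-origin key from the handle (a plain nonce here; real tokens wrap keys).
func (a *Authenticator) deriveKey(appID string, handle []byte) *ecdsa.PrivateKey {
	mac := hmac.New(sha256.New, a.secret)
	mac.Write(append([]byte(appID), handle...))
	curve := elliptic.P256()
	d := new(big.Int).Mod(new(big.Int).SetBytes(mac.Sum(nil)), curve.Params().N)
	x, y := curve.ScalarBaseMult(d.Bytes())
	return &ecdsa.PrivateKey{D: d, PublicKey: ecdsa.PublicKey{Curve: curve, X: x, Y: y}}
}

// Register issues a key handle and a public key usable only at this appID.
func (a *Authenticator) Register(appID string) ([]byte, *ecdsa.PublicKey) {
	handle := make([]byte, 16)
	rand.Read(handle)
	return handle, &a.deriveKey(appID, handle).PublicKey
}

// signedData mirrors U2F's sha256(appID) || flags || sha256(clientData) (counter omitted).
func signedData(appID string, challenge []byte) []byte {
	app, ch := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	sum := sha256.Sum256(append(append(app[:], 0x01), ch[:]...))
	return sum[:]
}

// Authenticate signs a challenge for appID; the signature is useless at any other origin.
func (a *Authenticator) Authenticate(appID string, handle, challenge []byte) []byte {
	sig, _ := ecdsa.SignASN1(rand.Reader, a.deriveKey(appID, handle), signedData(appID, challenge))
	return sig
}

// Verify is the relying party's check; hashing in its OWN origin rejects signatures made elsewhere.
func Verify(pub *ecdsa.PublicKey, appID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(appID, challenge), sig)
}
```

An identity provider that accepts such a login can still issue its own assertions to other sites, which is the layering the message describes; nothing in the token's per-origin keys prevents it.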