- From: Herbert Snorrason <odin@anarchism.is>
- Date: Fri, 30 May 2014 10:32:48 +0000
- To: public-webpayments@w3.org
- Message-ID: <53885E50.9000407@anarchism.is>
On Fri 30 May 2014 06:29, Anders Rundgren wrote:

> Yes, this is the use-case that the established payment industry
> consider #1 with respect to the user-side of things.

Seems to be more than #1; it is the _only_ use-case FIDO deals with. Well, though, from all appearances.

> IMO, WebPayments do not have anything similar meeting their (compared
> to PayPal much more advanced) use-case.

Wait, are you thinking of WebPayments as a replacement for PayPal? Then either you or I got something badly wrong, because WebPayments looks to me like a mechanism to standardise interfaces so _others_ can try and replace PayPal.

How people authenticate to the PayPal-like thing is out of scope. How third-party websites can verify that their client is authenticated, though, is something that probably needs to be looked at.

> Well, to be entirely correct U2F really only fits perfectly for a
> mega-provider due to its reliance on SOP. All distributed uses of
> U2F will force you into OpenID-kind of schemes and NASCAR screens.

U2F, to me, appears at least on the surface intended to be broadly usable by anyone who wants to use it in their log-in procedure. What, exactly, makes it suitable in that case only for "mega-providers"?

For distributed use, yes, it requires a federating protocol on top. A federating protocol is what's being talked about here. So I don't really understand where you're going with this whole "use U2F instead" thing.

> There's IMO *no point whatsoever* "reinventing" OpenID or try
> competing with OpenID.

Then we disagree on a pretty fundamental level. OpenID is not acceptable, nor is any protocol which grants the identity provider the same level of surveillance capability over its users.

A combination of an identity scheme that allows identity providers to monitor everything and an oligopoly in identities effectively controlled by US-based corporations (which is the status quo) is especially worrisome to me. What happens when the U.S. government goes on one of its quasi-regular McCarthy-ite political persecution sprees, and issues wildly overbroad search warrants asking for "everything" about a given account on the basis of hearsay and/or political affiliation?

You're welcome to argue that such an effort is futile, but arguing that it is pointless is idiocy.

With greetings,
Herbert Snorrason

Received on Friday, 30 May 2014 10:33:19 UTC