- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Thu, 18 Sep 2014 21:33:57 -0400
- To: Anders Rundgren <anders.rundgren.net@gmail.com>, Web Payments CG <public-webpayments@w3.org>

On 09/11/2014 08:50 AM, Anders Rundgren wrote:
> Although it may be a bit early reviewing a conference before it is
> over I believe that I can with confidence tell that the FIDO and
> WebCrypto folks are not particularly into the distributed (but
> interconnected) web.
>
> They rather emphasize that replacing userid/passwords is their main
> goal and that privacy requires that you have a unique relationship
> (key-wise) with each domain. Mozilla and Google show no interest in
> the existing (and in Europe and Asia relatively successful) eID
> use-cases where you indeed can use the same credential on multiple
> sites.

This is all really helpful, thanks for the update Anders.

> This is a problem since these implementations rely on browser
> plugins which soon will be "outlawed", which has forced (for example)
> the banks in Sweden to switch to native applications to cope with
> this issue.
>
> I'm personally moderately convinced that WebCrypto and FIDO actually
> address privacy (except on paper) because it is basically
> impossible to do anything serious on the web without having a
> validated e-mail address which means that service providers get a
> Globally Unique (fairly) Static ID which also is Searchable and is
> Exposed in communication with other people. That is, the NSA and
> other spying entities already have the perfect electronic handle to
> individuals.

Yeah, seems like FIDO's greatest contribution is the elimination of
username/password. The Credentials work is designed to layer on top, so
we can still accomplish all of this.

> In reality FIDO will rather strengthen the super-providers' offers
> since FIDO doesn't support an improved payment system for a
> distributed set of banks of the kind I'm targeting. The
> user-experience for such a use-case is simply put very bad while
> Apple, Google and Paypal will look both wonderful and be secure.

Keep in mind that FIDO + some sort of credential provider can still
provide the mechanism you're talking about pretty simply. In fact,
that's the approach that the Credentials specs take. FIDO to do good
2-factor auth, then the Credentials process takes over to deliver
trustworthy 3rd party credentials.

-- manu

--
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The Marathonic Dawn of Web Payments
http://manu.sporny.org/2014/dawn-of-web-payments/

Received on Friday, 19 September 2014 01:34:27 UTC