[Cryptography] YubiKeys / FIDO / U2F ??

Bill Cox waywardgeek at gmail.com
Tue Nov 3 19:11:49 EST 2015


On Tue, Nov 3, 2015 at 10:18 AM, Dirk-Willem van Gulik <dirkx at webweaving.org> wrote:

> On 02 Nov 2015, at 18:27, Tony Arcieri <bascule at gmail.com> wrote:
>
>
> FIDO in general is trying to build authentication systems designed from
> the ground-up to work on the web. This most notably involves following the
> Same Origin Policy or having explicit means of using credentials across
> origins where both origins must agree and the origin a credential is
> provisioned on provides an explicit policy for cross-origin use.
>
> Following SOP has the nice side effect of being both privacy-preserving
> (certificates are origin-bound) and solving "cross-protocol attacks" where
> an attacker convinces a victim to sign a challenge/response used for auth
> in a non-auth context
>
>
> While SOP is well designed, captures all we’ve learned, has a lot of very
> nice properties (and we may get forced into it regardless - given the
> eagerness by which other things are forcefully retired from the specs) — one
> may want to review it in the light of the open web principles.
>

Dumb question: what's SOP stand for?


> The web was successful because it was open - and did not require
> permission of an entity to set up a site; or to ‘point to’ another site.
> Allowing newcomers a relatively level playing field with established
> forces. And allowing scale-free power ‘grabs’ to be quite fluid and
> changing.
>
> In my personal opinion SOP changes that balance considerably.
>

In a better world, IMO, we would register our devices semi-anonymously with
web sites, and passwords/PINs/fingerprints would only be used to
authenticate you to your devices.  In such a world, there would be less
need for a third party to provide authentication services.  I resisted
using "Login with Facebook" and such in the past, but it seems hackers are
gaining ground, and I am close to giving in.  By moving to device-based
authentication, which FIDO and some other techniques support, we can keep
the web safe enough for smaller sites to continue managing their own user
authentication.

So, in a way, I think FIDO may help promote the level playing field that
made the Internet awesome.

Bill
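The origin binding Tony describes above (credentials bound to an origin, and a type tag that stops a signature made for one purpose being presented for another) is easiest to see in the U2F assertion format itself. The following is an added example written for this page, not code from the thread or from any FIDO implementation: a Go simulation of a token, a browser and a relying party. It assumes two constructed origins (https://bank.example and https://bank-login.example), a token holding a single P-256 key pair (a real token derives one key per appID through the key handle), and a browser that only accepts an appID equal to the page origin (real clients also honour a facet list published under the appID; that lookup is omitted).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed origins for the example: the real relying party and a phishing site.
const (
	bankOrigin  = "https://bank.example"
	phishOrigin = "https://bank-login.example"
)

// U2F client data as assembled by the browser. The browser, not the page's
// JavaScript, fills in "origin"; that is what makes the assertion origin-bound.
type clientData struct {
	Typ       string `json:"typ"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signedPayload builds the bytes a U2F token signs for an assertion:
// SHA-256(appID) || user-presence byte || 4-byte big-endian counter || SHA-256(clientDataJSON).
func signedPayload(appID string, cdJSON []byte, counter uint32) []byte {
	appParam := sha256.Sum256([]byte(appID))
	chalParam := sha256.Sum256(cdJSON)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	buf := make([]byte, 0, 69)
	buf = append(buf, appParam[:]...)
	buf = append(buf, 0x01) // user presence confirmed (touch)
	buf = append(buf, ctr[:]...)
	return append(buf, chalParam[:]...)
}

// authenticator models a token with one key pair and a monotonic counter.
type authenticator struct {
	key     *ecdsa.PrivateKey
	counter uint32
}

// assert signs whatever appID and client data the browser hands over.
func (a *authenticator) assert(appID string, cdJSON []byte) ([]byte, uint32, error) {
	a.counter++
	h := sha256.Sum256(signedPayload(appID, cdJSON, a.counter))
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, h[:])
	return sig, a.counter, err
}

// browser models the U2F client: it records the real page origin and refuses an
// appID that does not match it (the same-origin rule; facet lists omitted).
func browser(origin, appID, challenge string, tok *authenticator) (cdJSON, sig []byte, counter uint32, err error) {
	if appID != origin {
		return nil, nil, 0, fmt.Errorf("client refuses appID %q from origin %q", appID, origin)
	}
	cdJSON, _ = json.Marshal(clientData{Typ: "navigator.id.getAssertion", Challenge: challenge, Origin: origin})
	sig, counter, err = tok.assert(appID, cdJSON)
	return cdJSON, sig, counter, err
}

// verifyAssertion is the relying-party check. The signature is verified over the
// RP's own appID, so an assertion produced for another origin fails even if every
// other field were forged; the typ check rejects signatures made for enrollment.
func verifyAssertion(pub *ecdsa.PublicKey, appID, challenge string, cdJSON []byte, counter, lastCounter uint32, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if cd.Typ != "navigator.id.getAssertion" {
		return errors.New("client data type is not an authentication assertion")
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch (replay or wrong session)")
	}
	if cd.Origin != appID {
		return fmt.Errorf("origin %q is not this relying party", cd.Origin)
	}
	if counter <= lastCounter {
		return errors.New("counter did not advance (cloned token or replay)")
	}
	h := sha256.Sum256(signedPayload(appID, cdJSON, counter))
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Outcome records whether the relying party accepted each scenario's assertion.
type Outcome struct{ Honest, Phished, Tampered, CrossProtocol bool }

// RunScenarios plays an honest login, a phishing relay, a relay with the origin
// field patched, and a cross-protocol reuse of an enrollment signature.
func RunScenarios() (Outcome, error) {
	var out Outcome
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return out, err
	}
	tok := &authenticator{key: key}
	pub := &key.PublicKey
	challenge := base64.RawURLEncoding.EncodeToString([]byte("constructed-nonce-1"))

	// 1. Honest login at the bank: browser and token both see the bank origin.
	cd, sig, ctr, err := browser(bankOrigin, bankOrigin, challenge, tok)
	if err != nil {
		return out, err
	}
	out.Honest = verifyAssertion(pub, bankOrigin, challenge, cd, ctr, 0, sig) == nil

	// 2. Phishing relay: the attacker forwards the bank's challenge, but the page
	// sits on the phishing origin, so the browser only lets the token sign for that.
	cd, sig, ctr, err = browser(phishOrigin, phishOrigin, challenge, tok)
	if err != nil {
		return out, err
	}
	out.Phished = verifyAssertion(pub, bankOrigin, challenge, cd, ctr, 1, sig) == nil

	// 3. The attacker rewrites the origin field before forwarding: the client data
	// hash no longer matches what was signed, and appParam is still the phishing origin.
	var patched clientData
	_ = json.Unmarshal(cd, &patched)
	patched.Origin = bankOrigin
	cd, _ = json.Marshal(patched)
	out.Tampered = verifyAssertion(pub, bankOrigin, challenge, cd, ctr, 1, sig) == nil

	// 4. Cross-protocol reuse: a signature obtained on the bank origin for a different
	// message type is presented as a login assertion; the typ tag is inside the hash.
	cd, _ = json.Marshal(clientData{Typ: "navigator.id.finishEnrollment", Challenge: challenge, Origin: bankOrigin})
	sig, ctr, err = tok.assert(bankOrigin, cd)
	if err != nil {
		return out, err
	}
	out.CrossProtocol = verifyAssertion(pub, bankOrigin, challenge, cd, ctr, 2, sig) == nil
	return out, nil
}

func main() {
	out, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("accepted: honest=%v phished=%v tampered=%v cross-protocol=%v\n",
		out.Honest, out.Phished, out.Tampered, out.CrossProtocol)
}
```

Only the honest assertion verifies. The point worth noticing is that the relying party never has to trust the page's JavaScript: the origin is written by the browser and covered by the signature together with the appID and the type tag, so relaying a challenge through another origin, editing the client data, or reusing a signature produced for enrollment all fail at the signature or type check rather than at a policy layer that a site might forget to implement.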