[Authentication] And then came U2F...Mozilla Persona, lessons learned

Anders Rundgren anders.rundgren.net at gmail.com
Sun Feb 16 03:48:29 PST 2014


Hi Guys,
This should be a bit interesting.

http://lists.w3.org/Archives/Public/public-webpayments/2014Feb/0086.html

What does "bank-ready" mean you may wonder?
Well, Google have also concluded that a Security API doesn't get you far (enough), you need a Security Architecture as well:

http://fidoalliance.org/specs/fido-u2f-application-isolation-through-facet-identification-v1.0-rd-20140209.pdf

  "Windows and Mac OS are in the process of being able to isolate and identify applications
   similar to mobile operating systems. Until such mechanisms become available, we
   can provide best-effort app identification (but obviously with much lower reliability)."

The remaining "fly in the soup" is that there's no consensus on how Keys, Applications, Relying parties and the Security Architecture are supposed to interact.

My own brainchild the SKS, also presumes a Security Architecture but uses a rather different trust model compared to U2F.
In fact it is essentially a rip-off of GlobalPlatform where the stack has been pushed one step up, which may not be "optimal" from a security point of view but offers major deployment advantages, which I think is crucial for adoption.

However, given the lack of action in this space I guess both GP and SKS are pretty dead.
Google won. They never really had a competitor.

Anders


