On Feb 3, 2015 2:36 AM, "Rigo Wenning" <r...@w3.org> wrote:
>
> Just a question, how would the webcrypto system connect to systems like the
> German passport with its eID functions? Would they have to conform to FIDO to
> be able to connect into the browser?
>
> --Rigo
This is the crux of the question, isn't it? On one hand, we have vocal people who would like to bring such legacy, insecure systems to the web. On the other, you have those arguing that any new system exposed to the web must respect the foundations of web technologies - ranging from the priority of constituencies to the origin-based security model. I know of zero eID schemes that properly preserve privacy - and that is including PIV's notion of derived credentials - and so if the question is "Can we bring these, as-is, to the web", then the answer is and should be a resounding no. That is fundamentally the tension of the discussion here - who has to change and bend. I consider any solution that requires weakening the web model for security, privacy, or user control to be unacceptable - no legacy technology is worth such a dastardly trade-off.