I think the broader goals Jonas has articulated probably belong in their own 
group, perhaps chartered along with some of what comes out of the upcoming Web 
Crypto Next Steps workshop.  

http://www.w3.org/2012/webcrypto/webcrypto-next-workshop/papers.html

I'll say by way of indicating possible conflict-of-interest that the FIDO 
Alliance is also working on parts of this problem space 
(https://fidoalliance.org) but is focusing more specifically on enabling strong 
authentication without passwords.  We (FIDO) are presenting a paper at the 
workshop.

Ideally, then, without being too optimistic, I'd like to see passwords replaced 
entirely by better technology rather than continuing to kludge upon them.  
They're still a fundamentally broken technology in many important respects even 
with better management tools.

Also, we should be careful in decomposing our targets here.  Federation is a 
different layer than replacing passwords or password management.  There are 
already a number of standards in that area which could be given "native" 
support in a browser without having to re-invent the wheel.  (e.g. SAML2, 
WS-Federation, OpenID Connect / OAuth2, etc.)

-Brad


On Aug 18, 2014, at 4:45 AM, Mike West <mk...@google.com> wrote:

> On Tue, Aug 12, 2014 at 10:19 PM, Jonas Sicking <jo...@sicking.cc> wrote:
> > One- or two-click sign _up_, on the other hand, will likely be more
> > difficult given the complexities of authorization (scopes, etc).
> 
> I'm not sure what you count as sign-up? Today, if I visit a new
> website that I've never visited before, I can log in to that website
> in two clicks using identity providers as facebook/twitter/google. I
> don't think anything more than that is going get the support we need.
> 
> You're right. I was thinking about username/password flows for sign-up, which 
> can be significantly more complex than IDP's general "pick an IDP, then grant 
> access" flows.
> 
> I'd like to support both, for what it's worth.
> 
> -mike
> 
> --
> Mike West <mk...@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
> 
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg
> Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
> 


Reply via email to