<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body text="#000000" bgcolor="#FFFFFF">
So I got to watch a presentation on <a
href="http://www.usatoday.com/story/cybertruth/2013/10/28/qa-implications-of-the-coming-of-biometric-wave/3286381/">FIDO</a>
yesterday. They're an "industry group" (tm) which is pressing
forward a standard for doing authentication from mobile devices to
websites. Their goal is to define a protocol where you create a
certificate (they refuse to call it a cert, but it's an RSA key)
which you secure locally on your device via a thumbprint (or <a
href="http://www.tomsguide.com/us/iphone-fingerprint-scanner-test,news-17587.html">private-parts
print, if you're Nick</a>). Then you present a little XML file
with "&lt;I used a thumb print&gt;&lt;here is my cert&gt;" to
websites which ask for it. They go look for your cert in their
private DB of certs, and authenticate you. And your user experience
is simply opening up the website, and pressing your thumb to
something.<br>
<br>
Here are some issues with it:<br>
<br>
1. The name should really be "FIDONet", for the old timers, right?
:&gt;<br>
2. They have PayPal and Google on board. Google already has
Google Wallet, and PayPal has PayPal; they're competitors, and
they're missing the other big player in the mobile space.... Apple.
Without Apple, I don't see this going anywhere, and I don't see
Apple joining them, so it's a bit of a dead end. Once they GET Apple,
they then have to get both Microsoft and Apache.<br>
3. The technology itself is too simple. There's really nothing to
keep someone from collecting the certs off a phone and re-using
them.<br>
<br>
And in summary, everyone wants remote attestation (aka
PALLADIUM/NGSCB), but nobody who is working in this space appears
to have read or understood the NGSCB documents. (Or they've read 'em,
and they're ignoring them because of business reasons, which is more
likely.)<br>
<br>
-dave<br>
<br>
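An added illustration of the replay concern in item 3, not part of Dave's mail and not FIDO's own specification or code. It models the login as the mail describes it (the site looks up the presented key id in its DB and accepts any valid assertion) beside a challenge-bound variant, and shows that a recorded assertion verifies a second time under the first design but not the second. The device-side signature is stood in for by an HMAC over a constructed shared secret so it runs on the standard library alone; with a real RSA key the server would hold only the public key, but the replay logic is the same. Every name and value in it is constructed for the example.<br>

```python
"""Replay risk in a "present your cert" login versus a challenge-bound login.

Added illustration only. The HMAC stands in for the device's signature
(assumption: same verification logic, shared secret instead of a keypair).
"""
import hashlib
import hmac
import json
import secrets


def device_sign(device_secret: bytes, payload: dict) -> dict:
    """Device side: the 'I used a thumb print' assertion over a payload."""
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(device_secret, body, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


class StaticAssertionServer:
    """The design as the mail describes it: look the key id up in the site's
    private DB and accept any assertion that verifies. Nothing binds the
    assertion to this particular login, so a captured one verifies again."""

    def __init__(self) -> None:
        self.registered: dict = {}  # constructed key_id -> verification secret

    def register(self, key_id: str, secret: bytes) -> None:
        self.registered[key_id] = secret

    def login(self, assertion: dict) -> bool:
        secret = self.registered.get(assertion["payload"].get("key_id"))
        if secret is None:
            return False  # unknown key id
        body = json.dumps(assertion["payload"], sort_keys=True).encode()
        expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, assertion["sig"])


class ChallengeServer(StaticAssertionServer):
    """Hardened variant: the site issues a fresh random challenge first, the
    device must include it in what it signs, and the site forgets the
    challenge once it has been used, so a recorded assertion is useless."""

    def __init__(self) -> None:
        super().__init__()
        self.pending: set = set()  # challenges issued but not yet consumed

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def login(self, assertion: dict) -> bool:
        challenge = assertion["payload"].get("challenge")
        if challenge not in self.pending:
            return False  # never issued, expired, or already consumed
        self.pending.discard(challenge)  # strictly single use
        return super().login(assertion)


def demo() -> dict:
    """Run one genuine login and one replay against each server design."""
    secret = b"constructed-device-secret"

    static = StaticAssertionServer()
    static.register("key-1", secret)
    recorded = device_sign(secret, {"key_id": "key-1", "biometric": "thumb"})
    static_first = static.login(recorded)
    static_replay = static.login(recorded)  # same bytes presented again

    bound = ChallengeServer()
    bound.register("key-1", secret)
    challenge = bound.new_challenge()
    recorded2 = device_sign(
        secret, {"key_id": "key-1", "biometric": "thumb", "challenge": challenge}
    )
    bound_first = bound.login(recorded2)
    bound_replay = bound.login(recorded2)  # challenge already consumed

    # An assertion made with the wrong secret fails under both designs.
    forged = device_sign(b"other-secret", {"key_id": "key-1", "biometric": "thumb"})
    forged_ok = static.login(forged)

    return {
        "static_first": static_first,
        "static_replay": static_replay,
        "challenge_first": bound_first,
        "challenge_replay": bound_replay,
        "forged_accepted": forged_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The static server is correct about who signed but says nothing about when, which is exactly the gap item 3 points at; the one-time challenge is the usual fix, and a deployment would also expire unconsumed challenges after a short window.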
</body>
</html>