On Tue, September 30, 2014 5:47 pm, fhw...@gmail.com wrote: > FIDO has its shortcomings, too, > âand its users can be victims of phishing just as much as anyone else.
While a discussion of FIDO is best suited for the FIDO-specific groups, I would just highlight that you're mistaken in this. You can find the FIDO specifications at https://fidoalliance.org/specifications/download The FIDO protocols bind the authentication token to the origin being authenticated with - that is, the UA is a trusted party in the process and provides origin-binding information to the FIDO device. Yes, this means malware is still in scope. No, this does NOT mean "touch here to continue" is valid or a phishable target. It also means that one origin's access to your FIDO device does not affect or influence the ability of other origin's access or capabilities. This is an important difference compared with client certs, particularly when exposed programatically. Further, by defining a limited signing protocol, as opposed to the common "sign this hash" in smart cards, you avoid issues where your email program has the same access as your tax filing program and as your web page. Nominally, you would use different client certificates and keys for each of these, but the actual practice of this is surprisingly less common. Just wanting to avoid perpetuating misinformation. Cheers _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
