[GNU/consensus] Ubikima, credentials, etc.
2013-12-24 03:13:30 UTC

UbiKiMa is a system that proposes to replace password authentication
on the Web with an out-of-band cryptographic authentication using a
smartphone app.

I didn't read the paper, just got curious about it as its author will
be present at the 30c3, with a talk that is likely to be more
interesting than this:

Just so my first impression is recorded: as I do not trust smartphones
to deliver any kind of security for their bearers, due to a large number
of documented flaws (insecure protocols, built-in surveillance and
tracking, OS and hardware design flaws / proprietary backdoors, etc.),
I don't see myself granting such a device the key(s) to my online

The IRMA concept, on the other hand, appears to be rich in
potentialities: "Attribute Based Credentials in Practice" is likely to
dim local-instantaneous surveillance capabilities, as it would avoid
giving full identity when only, e.g., your age is required by law.

Such an approach would as well be better implemented on credentials
delegation on the Web: when I want to post a comment to a blog
article, and I am offered to sign in with Twitter in order to do that,
I cannot accept giving the comment application read access to my
contact list, and read-write access to my timeline. I'm willing to
post a comment to a blog article! Stay away from my Twitter feed!
Disqus: you suck.

Merry HacksMess

