[cap-talk] Webkeys vs. the web
raould at gmail.com
Thu Apr 2 12:21:43 EDT 2009
> hold that opinion, given the examples you've used! :-) if it is just
> "less likely" that i'll accidentally send you direct access to my
> Schwab account, or to the write cap of my blog, rather than it being
> "simply not doable", that makes me wonder just how much "less" it
> really is. if not much then that doesn't seem like a good goal.
hmm, i guess a counter point is to ask: how can somebody accidentally
expose their rights with current systems, vs. with webkeys? if today
it is easy for somebody to accidentally share a right, then a webkey
thing with "less likely"hood wouldn't be /worse/ at least.
today, i'd have to send you at least a userid + password / in some
cases just a cookie + url / in some cases uid+pwd+url / in really
pedantic places i'd have to give you my little rsa one time key
generating card thingy or read it live out loud over the phone to you.
i /ass/ume there are no places where a url on its own would literally
get me into something important.
so it isn't like a user cannot screw themselves today, but i think
apart from the cookie stealing instance / phishing / csrf stuff (which
can be quite effective of course), it is usually clear that "oh i'm
typing my user id and password into this email, i can't really later
claim i didn't know this would give access"?
(ideally of course i'd want any new approach to web security+rights to
be /way better/ if possible, rather than just sorta not worse. :-)
More information about the cap-talk