FIDO2 Client to Authenticator Protocol (CTAP) standard published


This post is by Mike Jones from Mike Jones: self-issued






I’m thrilled to report that the FIDO2 Client to Authenticator Protocol (CTAP) is now a published FIDO Alliance standard! Together with the now-standard Web Authentication (WebAuthn) specification, this completes standardization of the APIs and protocols needed to enable password-less logins on the Web, on PCs, and on mobile devices. This is a huge step forward for online security, privacy, and convenience!

The FIDO2 CTAP standard is available in HTML and PDF versions at these locations:

The W3C Web Authentication (WebAuthn) specification is now a standard!


This post is by Mike Jones from Mike Jones: self-issued






I’m thrilled to report that the Web Authentication (WebAuthn) specification is now a W3C standard! See the W3C press release describing this major advance in Web security and convenience, which enables logging in without passwords. Alex Simons, Microsoft Vice President of Identity Program Management, is quoted in the release, saying:

“Our work with W3C and FIDO Alliance, and contributions to FIDO2 standards have been a critical piece of Microsoft’s commitment to a world without passwords, which started in 2015. Today, Windows 10 with Microsoft Edge fully supports the WebAuthn standard and millions of users can log in to their Microsoft account without using a password.”

The release also describes commitments to the standard by Google, Mozilla, and Apple, among others. Thanks to all who worked on the standard and who built implementations as we developed the standard – ensuring that the standard can be used for a broad Continue reading "The W3C Web Authentication (WebAuthn) specification is now a standard!"

The Spinner’s hack on journalism


This post is by Doc Searls from Doc Searls Weblog






The Spinner* (with the asterisk) is “a service that enables you to subconsciously influence a specific person, by controlling the content on the websites he or she usually visits.” Meaning you can hire The Spinner* to hack another person.

It works like this:

  1. You pay The Spinner* $29. For example, to urge a friend to stop smoking. (That’s the most positive and innocent example the company gives.)
  2. The Spinner* provides you with an ordinary link you then text to your friend. When that friend clicks on the link, they get a tracking cookie that works as a bulls-eye for The Spinner* to hit with 10 different articles written specifically to influence that friend. He or she “will be strategically bombarded with articles and media tailored to him or her.” Specifically, 180 of these things. All in Facebook, which is built for this kind of thing.

The Spinner* Continue reading "The Spinner’s hack on journalism"

W3C Web Authentication (WebAuthn) advances to Proposed Recommendation (PR)


This post is by Mike Jones from Mike Jones: self-issued






The World Wide Web Consortium (W3C) has published a Proposed Recommendation (PR) for the Web Authentication (WebAuthn) specification, bringing WebAuthn one step closer to becoming a completed standard. The Proposed Recommendation is at https://www.w3.org/TR/2019/PR-webauthn-20190117/.

The PR contains only clarifications and editorial improvements to the second Candidate Recommendation (CR), with no substantial changes. The next step will be to publish a Recommendation – a W3C standard – based on the Proposed Recommendation.

Second W3C Web Authentication (WebAuthn) Candidate Recommendation (CR)


This post is by Mike Jones from Mike Jones: self-issued






W3C has published a second W3C Candidate Recommendation (CR) for the Web Authentication (WebAuthn) specification. The second Candidate Recommendation is at https://www.w3.org/TR/2018/CR-webauthn-20180807/.

This draft contains a few refinements since the first Candidate Recommendation but no substantial changes. The new CR was needed to fulfill the W3C’s IPR protection requirements. The few changes were based, in part, upon things learned during multiple interop events for WebAuthn implementations. The working group plans to base the coming Proposed Recommendation on this draft.

On our journey to deprecate the password: Public Implementation Draft of FIDO2 Client to Authenticator Protocol (CTAP) specification


This post is by Mike Jones from Mike Jones: self-issued






I’m pleased to report that a public Implementation Draft of the FIDO2 Client to Authenticator Protocol (CTAP) specification has been published. This specification enables FIDO2 clients, such as browsers implementing the W3C Web Authentication (WebAuthn) specification, to perform authentication using pairwise public/private key pairs securely held by authenticators speaking the CTAP protocol (rather than passwords). The CTAP specification defines three transports for communicating with authenticators: USB Human Interface Device (USB HID), Near Field Communication (NFC), and Bluetooth Smart/Bluetooth Low Energy Technology (BLE).

This specification was developed in parallel with WebAuthn, including having a number of common authors. This CTAP version is aligned with the WebAuthn Candidate Recommendation (CR) version.

The CTAP Implementation Draft is available at:

Congratulations to the members of the FIDO2 working group for reaching this important milestone. This is a major step in our journey to deprecate the password!

For privacy we need tech more than policy


This post is by Doc Searls from Doc Searls Weblog






Nature and the Internet both came without privacy.

The difference is that we’ve invented privacy tech in the natural world, starting with clothing and shelter, and we haven’t yet done the same in the digital world.

When we go outside in the digital world, most of us are still walking around naked. Worse, nearly every commercial website we visit plants tracking beacons on us to support the extractive economy in personal data called adtech: tracking-based advertising.

In the natural world, we also have long-established norms for signaling what’s private, what isn’t, and how to respect both. Laws have grown up around those norms as well. But let’s be clear: the tech and the norms came first.

Yet for some reason many of us see personal privacy as a grace of policy. It’s like, “The answer is policy. What is the question?”

Two such answers arrived with this morning’s  Continue reading "For privacy we need tech more than policy"

Facebook’s Cambridge Analytica problems are nothing compared to what’s coming for all of online publishing


This post is by Doc Searls from Doc Searls Weblog






Let’s start with Facebook’s Surveillance Machine, by Zeynep Tufekci in last Monday’s New York Times. Among other things (all correct), Zeynep explains that “Facebook makes money, in other words, by profiling us and then selling our attention to advertisers, political actors and others. These are Facebook’s true customers, whom it works hard to please.”

Giant Irony Alert: the same is true for the Times, along with every other publication that lives off adtech: surveillance-based advertising. These pubs don’t just open the kimonos of their readers. They treat them as naked beings whose necks are bared to vampires ravenous for the blood of personal data, all ostensibly so those persons can be served with “interest-based” advertising.

With no control by readers (beyond tracking protection which relatively few know how to use), and damn little care or control by the publishers who bare those readers’ necks to the vampires,

Continue reading "Facebook’s Cambridge Analytica problems are nothing compared to what’s coming for all of online publishing"

W3C Web Authentication (WebAuthn) specification has achieved Candidate Recommendation (CR) status


This post is by Mike Jones from Mike Jones: self-issued






The W3C Web Authentication (WebAuthn) specification is now a W3C Candidate Recommendation (CR). See the specification at https://www.w3.org/TR/2018/CR-webauthn-20180320/ and my blog post announcing this result for the WebAuthn working group at https://www.w3.org/blog/webauthn/2018/03/20/candidate-recommendation/.

This milestone represents a huge step towards enabling logins to occur using privacy-preserving public/private key pairs securely held by authenticators, rather than passwords. Its contents have been informed by what we learned during several rounds of interop testing by multiple browser and authenticator vendors. The Web Authentication spec has also progressed in parallel with and been kept in sync with the FIDO2 Client To Authenticator Protocol (CTAP) specification, so that they work well together.

Fixing the Five Problems of Internet Identity


This post is by Phil Windley's Technometria from Phil Windley's Technometria






Summary: Sovrin capitalizes on decades of cryptographic research and the now widespread availability of decentralized ledger technology to rethink identity solutions so that we can have scalable, flexible, private interactions with consent despite the issues that distance introduces.

Credential Exchange

Andy Tobin has a great presentation that describes five problems of Internet identity. Our claim is that self-sovereign identity, and Sovrin in particular, solve these five problems:

The Proximity Problem—The proximity problem is as old as the familiar cartoon with the caption "On the Internet, nobody knows you're a dog." Because we're not interacting with people physically, our traditional means of knowing who we're dealing with are useless. In their place we've substituted username-password-based authentication schemes. The result is that people's identity information is replicated in multiple identity silos around the Internet.

The Scale Problem—Digital identity currently relies on hubs of identity information. We log in using Facebook or Google—huge Continue reading "Fixing the Five Problems of Internet Identity"

Equifax and Correlatable Identifiers


This post is by Phil Windley's Technometria from Phil Windley's Technometria






Summary: We can avoid security breaches that result in the loss of huge amounts of private data by creating systems that don't rely on correlatable identifiers. Sovrin is built to use non-correlatable identifiers by default while still providing all the necessary functionality we expect from an identity system.

Yesterday word broke that Equifax had suffered a data breach that resulted in 143 million identities being stolen. This is a huge deal, but not really too shocking given the rash of data breaches that have filled the news in recent years.

The typical response when we hear about these security problems is "why was their security so bad?" While I don't know any specifics about Equifax's security, it's likely that their security was pretty good. But the breach still occurred. Why? Because of Sutton's Law. When Willie Sutton was asked why he robbed banks, he reputedly said "cause that's where Continue reading "Equifax and Correlatable Identifiers"

Daily Tab for 2016_06_07


This post is by Doc Searls from Doc Searls Weblog






For today’s entries, I’m noting which linked pieces require you to turn off tracking protection, meaning tracking is required by those publishers. I’m also annotating entries with hashtags and organizing sections into bulleted lists.
#AdBlocking and #Advertising

Have we passed peak phone?


This post is by Doc Searls from Doc Searls Weblog






I should start by admitting I shot this picture with my phone. Also that I was on my rectangle with the rest of these people through most of this very typical subway trip yesterday. I don’t know what they were doing, though it’s not hard to guess. In my case it was spinning through emails, texting, tweeting, checking various other apps (weather, navigation, calendar) and listening to podcasts. We shape our tools and then they shape us. That’s what Marshall McLuhan’s main point was. And then we shape society, policy and the rest of civilization. People won’t stop staring at their phones, so a Dutch town put traffic lights on the ground, Quartz reports. In less than two years, most of the phones used by people in this shot will be traded in, discarded or re-purposed as iPods or whatever. And most of us will be tethered to Apple, Google and
Continue reading "Have we passed peak phone?"

Exploring the business behind digital media’s invisibility cloaks


This post is by Doc Searls from Doc Searls Weblog






Imagine you’re on a busy city street where everybody who disagrees with you disappears. We have that city now. It’s called media—especially the social kind. You can see how this works on Wall Street Journal‘s Blue Feed, Red Feed page. Here’s a screen shot of the feed for “Hillary Clinton” (one among eight polarized topics): Both invisible to the other. We didn’t have that in the old print and broadcast worlds, and still don’t, where they persist. (For example, on news stands, or when you hit SCAN on a car radio.) But we have it in digital media. Here’s another difference: a lot of the stuff that gets shared is outright fake. There’s a lot of concern about that right now. Why? Well, there’s a business in it. More eyeballs, more advertising, more money, for more eyeballs for more advertising. And so on. Those ads are aimed
Continue reading "Exploring the business behind digital media’s invisibility cloaks"

A few words about trust


This post is by Doc Searls from Doc Searls Weblog






So I was on a panel at WebScience@10 in London (@WebScienceTrust, #WebSci10), where the first question asked was, “What are two aspects of ‘trust and the Web’ that you think are most relevant/important at the moment?” My answer went something like this:

1) The Net is young, and the Web with it. Both were born in their current forms on 30 April 1995, when the NSFnet backed off on its forbidding commercial traffic on its pipes. This opened the whole Net to absolutely everything, exactly when the graphical Web browser became fully useful. Twenty-one years in the history of a world is nothing. We’re still just getting started here.

2) The Internet, like nature, did not come with privacy. And privacy is personal. We need to start there. We arrived naked in this new world, and — like Adam and Eve — still don’t have clothing Continue reading "A few words about trust"

The problem for people isn’t advertising, and the problem for advertising isn’t blocking. The problem for both is tracking.


This post is by Doc Searls from Doc Searls Weblog






In Google Has Quietly Dropped Ban on Personally Identifiable Web Tracking, @JuliaAngwin and @ProPublica unpack what the subhead says well enough: “Google is the latest tech company to drop the longstanding wall between anonymous online ad tracking and user’s names.” Here’s a message from humanity to Google and all the other spy organizations in the surveillance economy: Tracking is no less an invasion of privacy in apps and browsers than it is in homes, cars, purses, pants and wallets. That’s because our apps and browsers are personal and private. So are the devices on which we use them. Simple as that. (HT to @Apple for digging that fact.) To help the online advertising business and the publications it supports understand what ought to be obvious (but isn’t yet), let’s clear up some misconceptions:
  1. Tracking people without their clear and conscious permission is wrong. (Meaning The Castle Doctrine Continue reading "The problem for people isn’t advertising, and the problem for advertising isn’t blocking. The problem for both is tracking."

The Giant Zero


This post is by Doc Searls from Doc Searls Weblog






The Giant Zero

The world of distance

Fort Lee is the New Jersey town where my father grew up. It’s at the west end of the George Washington Bridge, which he also helped build. At the other end is Manhattan.

Even though Fort Lee and Manhattan are only a mile apart, it has always been a toll call between the two over a landline. Even today. (Here, look it up.) That’s why, when I was growing up not far away, with the Manhattan skyline looming across the Hudson, we almost never called over there. It was “long distance,” and that cost money.

There were no area codes back then, so if you wanted to call long distance, you dialed 0 (“Oh”) for an operator. She (it was always a she) would then call the number you wanted and patch it through, often by plugging a cable between two holes in a

Continue reading "The Giant Zero"

Some thoughts on privacy


This post is by Doc Searls from Doc Searls Weblog






Somebody on Quora asked, What is the social justification of privacy? adding, I am trying to ask about why individual privacy is important to society. Obviously it is preferable to individuals for a variety of reasons. But society seems to gain more from transparency. Rather than leave my answer buried there, I thought I’d share it here as well:
Society is comprised of individuals, and is thick with practices and customs that respect individual needs. Among these is privacy. All but those of us who live outside and walk around naked have a need for clothing and shelter, both of which are means of expressing and guarding spaces we call “private.” One would hardly ask to justify the need for privacy before the Internet came along; but it is a question now, because the Internet, like nature in the physical world, doesn’t come with privacy. We are naked by Continue reading "Some thoughts on privacy"