Web & Payment
How do you want to pay?
W3C Workshop - 24-25 March 2014
Session #6 - Identity, Security and Privacy
Technical merits of an identity scheme in the OWP
Gregory Estrade (@Torlus) - Lyra Network
The mandatory "state of the art"
Concerns about centralized systems and organizations
The Web is by nature a decentralized platform, but...
No clear winner in decentralized solutions
- At browser level: Mozilla Persona.
- Standards: WebID, OpenID...
- Platforms (related to payments, or not): Diaspora et al.
Many things you've already heard of, before or during this workshop.
What's cooking?
There's a lot of innovation, on the hardware side but not only there.
The gap between retail and e-commerce processing is shrinking.
- Smart[phones|cards] with Secure Elements, NFC, Biometrics.
- mPOS, Beacon (BLE), Host-Card Emulation. Geolocation.
- FIDO alliance's specifications. Identity Credentials.
There are some issues that need to be addressed.
- Data aggregation.
- Credentials copying across devices.
- Multiple points of failure.
Identity and Privacy concerns
- Your Identity is defined by what other people or organizations know about you.
- Identity is a matter of being; Privacy is about choosing what you want to disclose or not.
- Identity and Privacy are a matter of trust, which is subjective.
Handing back control to the user
- Let him/her create his/her own web of trust. The key point here is Education. Encourage the user to add an Internet-savvy person to this group. Example: Facebook's Trusted Contacts.
- Let him/her choose what he/she wants to disclose to a given entity or service provider.
Thoughts about Credentials Sharing
- Shamir's Secret Sharing Scheme.
- As the user knows (or should know) that he/she will share sensitive data, it's more likely that he/she will properly perform the first Identity checks.
- Use the IoT for secret sharing. Objects and wearable devices become part of your Identity (as they are IRL).
- Use a quorum so that UX is adapted to the situation.
Thank you!
Gregory Estrade (@Torlus) - Lyra Network