On 5/23/19 10:24 AM, stan via devel wrote:
> On Mon, 20 May 2019 14:33:57 -0400
> Przemek Klosowski via devel <devel(a)lists.fedoraproject.org> wrote:
>> Right, but it's just a stepping stone to a world with universal
>> authentication, and granular authorization based on credentials from
>> that universal authentication.
> I hope that world never arrives. That would be absolutely terrible for
> privacy.
Well, I am all for privacy as well. Here, however, we're talking about
our activity in the open forum: our hobbies or jobs. Right now, to use
my favorite analogy, we treat our computer accounts as pets---but the
technology results in so many of them that we need to learn to treat
them as cattle. I DO want to federate all (or at least most) of my
computer accounts under my 'official' identity. If I wanted to hide my
crocheting activities from the world at large, I should still be
able to create a separate identity.
> And if, heaven forbid, the universal authentication became
> compromised, it would destroy an individual.
The single authentication does not have to be a single point of failure:
access to individual resources could still be gated by per-resource
passwords or other secret identifiers. This is all still in flux:
nobody knows how to do it correctly in a way that is both secure and
convenient---maybe it'll take some sort of hardware security tokens like
Yubico or RSA, or maybe software credential stores that use built-in
security mechanisms like TPM and/or ARM TrustZone.
The current situation of completely separate authentication schemes is
unsustainable, and has to change into some more-like-herding-cattle scheme.