I largely agree, but I still think there's a compelling argument that blinding the issuer implicitly precludes API gatekeeping or censorship. Sites wouldn't need to pre-register with any issuer, nor could the issuer refuse to provide tokens on the basis of where they'll be used.
The key mitigation is that the protocol - as envisioned - is mediated by the user agent; you as a website cannot silently fire off probes that tell you anything.
could easily be done by malicious JS, an ad script, or the website itself, and then as the RP gets the output of 6.4) email and email_verified claims.
I'm guessing that this proposal requires new custom browser (user-agent) code just to handle this protocol?
Like a secure <input Email> element that makes sure there is some user input required to select a saved one, and that the value only goes to the actual server the user wants, that cannot be replaced by malicious JS.
You'd have to make an authenticated cross-origin request to the issuer, which would be equivalent to mounting a Cross-Site Request Forgery (CSRF) attack against the target email providers.
Even if you could send an authenticated request, the Same Origin Policy means your site won't be able to read the result unless the issuer explicitly returns appropriate CORS headers including `Access-Control-Allow-Origin: <* or your domain>` and `Access-Control-Allow-Credentials: true` in its response.
Browsers can exempt themselves from these constraints when making requests for their own purposes, but that's not an option available to web content.
> I'm guessing that this proposal requires new custom browser (user-agent) code just to handle this protocol?
Correct; which is going to be the main challenge for this to gain traction. We called it the "three-way cold start" in Persona: sites, issuers, and browsers are all stuck waiting for the other two to reach critical mass before it makes sense for them to adopt the protocol.
Google could probably sidestep that problem by abusing their market dominance in both the browser and issuer space, but I don't see the incentive nor do I see it being feasible for anyone else.
The Verified Email Protocol got renamed to BrowserID, and Persona was its reference implementation.
This looks broadly similar to that, but with some newer primitives (SD-JWT) and a focus on autocomplete as an entrypoint to the flow. If I recall correctly, the entire JOSE suite (JWT, JWK, JWE, etc.) was still under active iteration while we were building Persona.
And hey, I applaud the effort. Persona got a lot of things right, and I still think we as an industry can do better than Passkeys.
My understanding from looking into this two years ago is that it's hit or miss for banks (depending on if they opt into device attestation stuff), no for NFC / Google Wallet, and yes for Uber / Lyft.
Apparently the common workaround for the Google Wallet stuff is to pair a GrapheneOS phone with a stock Android smartwatch.
Apparently the common recommendation these days is to use Curve Pay as a virtual card provider on GrapheneOS, which can then route to arbitrary underlying cards. And evidently Google Wallet does work for things that aren't payment cards (airline tickets, transit passes, etc.) on GrapheneOS.
For me, it was the challenge and allure of doing something relatively difficult and rare. The first time I saw a Stop - Prevent Your Death sign[0] at depth, I knew I wanted the training to go beyond it.
It's also really peaceful underground.
Amusingly enough, I can't handle blue-water or wall dives (vertigo), nor wrecks (those aren't supposed to be there!), but caves are no problem. You've got walls, floor, and ceiling as a frame of reference, and everything is nice and cozy. It's like the Earth is giving you a hug.
I found Florida's caves positively delightful at 21 C; never felt the need to dive dry.
I am envious of the speleothems in Yucatán cenotes. Florida's caves are all phreatic, so you don't get any real decoration beyond scalloping. Still fun to dive, just not much to see aside from water, wet rocks, and a line. And not even that if you blow the viz.
21c sounds nice but I know Floridas geology leads to some comparatively deep caves. Most Cenotes range between 15ft-65ft but from what I hear about the Florida landscape is 85ft is average and some caves go past 300ft, which isn’t going to be warm anywhere.
"It doesn’t matter where you or your business is based. The new rules will apply to you (or your business) if the service you provide has a significant number of users in the UK, or if the UK is a target market."
I’m sure that they can write that. But their actual enforcement mechanism is nonexistent. No country is going to work with the UK to arrest someone that does that when the same thing isn’t illegal under their own law.
Interesting that Apple even allows ICEBlock on the App Store given that 13 years ago they blocked the publication of an app that notified users of American drone strikes abroad as "objectionable" content: https://www.aclu.org/news/national-security/apple-drone-stri...
> “The app displays police locations and we have verified with the Hong Kong Cybersecurity and Technology Crime Bureau that the app has been used to target and ambush police, threaten public safety, and criminals have used it to victimize residents in areas where they know there is no law enforcement,” the statement said.
I think Apple hates the current American leadership enough that they'll take their sweet time to take down this app.
ICE isn't the military, though. Effectively sabotaging American war goals is a bit different from warning American civilians. I can see why they were more uncomfortable with the drone strike app.
Tim Cook was at Trump's inauguration, and donated $1 million to it. While I don't know what his private views are, his public ones are to cozy up Trump.
I mean no one had his tongue farther up the golden hole than Elon and look where that landed him. The donation and inauguration appearance was probably to avoid some - not all - consequences.
Hell, you have Jared Isaacman, who also donated $1 million to Trump's inauguration to show some support, hoping to become NASA admin (for which he'd have been an uncharacteristically decent choice, being someone with a genuine interest in aerospace, and not having been all that outspoken politically).
Only for Trump to throw out the nomination as part of his falling out with Elon, saying Isaacman was a democrat.
reply