w3c / websec

Web security drafts

Comparison with WebAuthentication/FIDO? #111

Closed cyberphone closed 8 years ago

cyberphone commented 8 years ago

It is to me not entirely clear what HB Secure Services will offer that isn't already a part of FIDO and W3C's WebAuthentication efforts. A comparison list would be much appreciated.

This is, however, not only a technical issue, because the "competing" efforts have browser vendor support and the activity on the public mailing list is very high.

Since we are talking about a 3-year process (at least) before any of this would hit browsers, this question seems pretty fundamental. I hope the answer is not that the intention is to support legacy smart cards, because that is something the browser vendors are uninterested in unless they fit nicely into the Web browser architecture, which so far hasn't been the case.

vgalindo commented 8 years ago

@cyberphone There is already a paragraph mentioning that problem: "Position to FIDO and WebAuth standards: this document is focusing on providing web developers means to issue and use identity keys (whether they are X509 certificates or any other cryptographic model with underlying asymmetric cryptography). FIDO standards is related to device authentication: in the FIDO vision, it is up to the relying party to manage the link between the credential and the identity."

@sbahloul I suggest we close this issue.

cyberphone commented 8 years ago

There's no compelling use-case for SOP-constrained certificates. FIDO is fully sufficient for SOP-constrained authentication.

Adding support for existing (non SOP-constrained) certificates has already been dismissed by the browser vendors, who would rather remove such support, with `<keygen>` as the first example.