|
|
|
|
|
|
by EFruit
1865 days ago
|
|
|
I'm all for eliminating (re)CAPTCHAs, and I'm glad someone is working on the problem, but this proposal seems a little iffy on a few fronts, with two main areas of concern. First, I don't like the idea of having Cloudflare as the sole judge of the trusted key set; a more open model like the CA-Browser forum would be much easier to trust, as it helps reduce perverse incentives (for example, forcing token manufacturers to implement/ignore features, block certain platforms, give kickbacks, etc.) Second, it's hard to support a proposal where a full deployment would require every person on the internet to buy AT LEAST a new security token (from an Approved™ vendor), which may not even be compatible with their platform, or may be impossible to acquire (because of export restrictions, poverty, someone inventing a cryptocurrency that requires a hardware token to mine...) |
|
|
The article doesn't say so, but the approved vendor list is actually not determined by Cloudflare. They defer to the FIDO Alliance's Metadata Service [0], which maintains a list of certified suppliers.
[0] https://fidoalliance.org/metadata/