Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl: the Markov chain saw
 
PerlMonks  

Re^2: Concerning Single Sign-on, Bitcard (TypeKey), and OpenID, CACERT client certificate

by jettero (Monsignor)
on Feb 25, 2007 at 22:41 UTC ( [id://602055]=note: print w/replies, xml ) Need Help??


in reply to Re: Concerning Single Sign-on, Bitcard (TypeKey), and OpenID, CACERT client certificate
in thread Concerning Single Sign-on, Bitcard (TypeKey), and OpenID

I don't wish to advocate OpenID exactly (although I do think it's neat). I actually like Bitcard better, but nobody besides rt.cpan uses it as far as I know.

...most single signon technologies the registration process is the most challenging part...

How hard would it be to switch identities and change which info you share with each site? I don't think CA/PKI is really set up for that kind of identity management. But the real problem is, I can't see my mom signing up for and maintaining a keyring of x509 signatures — dealing with keys and dealing with the expirations — but I can see her using things like OpenID.

There's a video of a guy setting up a myopenid account in 8 seconds. He then uses it to log into a wiki.

The CACERT stuff will never actually be included in MSIE, but it's a nice idea. One way it blows OpenID out of the water is that if your identity server goes down, you can't log into anything; which obviously isn't true with CA/PKI (aside from revocations).

Someone just pointed out to me that it's almost worse than I just said. If you use the OpenID authentication delegation so you can use your own URL as your identity, then if either site goes down you can't log into anything.

-Paul

  • Comment on Re^2: Concerning Single Sign-on, Bitcard (TypeKey), and OpenID, CACERT client certificate

Replies are listed 'Best First'.
Re^3: Concerning Single Sign-on, Bitcard (TypeKey), and OpenID, CACERT client certificate
by varian (Chaplain) on Feb 26, 2007 at 09:05 UTC
    There are people that would vote for centralized authentication management and others that favor decentralized systems. To speak for myself I am a little wary of the centralized approach.

    The single point of failure that you mentioned yourselves is one reason. If the central authentication server fails then all dependent servers have become inaccessable as well.

    The second, even more compelling, reason is that if the central system gets compromised then the intruder can find ways to freely obtain id's and subsequently can access any server that relies on the central authentication process. This means that the central authentication service must be protected by extreme measures to provide some level of protection against intrusion.

    The third reason is one of trust and accountability. Would you trust the access to your server to a third party controlled authentication process? Now if the third party is under heavy government supervision one might be inclined to accept the risk, but otherwise...

    This is why I like public key certificates. It is a decentralized authentication procedure, server and browser only interact with each other. Still the same client certificate can be used to present an ID for as many servers as one likes. The ID carries a digital signature of both the user and a co-signing central root authority which relates to level of trustworthiness. In principle the enduser would need to manage only one client certificate.

[reply]
      Again, I don't wish to be the OpenID advocate, but I appear to be in that role again...

      This technology is really only meant to replace the account setup and user email portion of the registration process. The crypto systems employed are to prevent spoofing mostly. The idea is to lower the bar so people can join your site without any effort. Really, if I have to sign up for another forum to make one post I'm going to explode.

      If you used your OpenID to log into a bank, the openid is really just in place of the email for the signup. It also transmits a few signup details for you (like email, real name, nickname, etc) and then the bank would ask you to configure a second factor for secure signon. First, they'd have to verify your identity matched, and then they'd ask you to set up another password (a secure one or a USB key, or a certificate or whatever) that you'd use to access your bank software.

      So the single point of failure isn't an end user security problem, only a sign-on problem.

      What we're having here is a semantic argument about Authentication vs Authorization. They're different, but when we say authentication we usually and implicitly mean both.

      -Paul

[reply]
Re^3: Concerning Single Sign-on, Bitcard (TypeKey), and OpenID, CACERT client certificate
by ask (Pilgrim) on Sep 23, 2007 at 21:44 UTC
    I don't wish to advocate OpenID exactly (although I do think it's neat). I actually like Bitcard better, but nobody besides rt.cpan uses it as far as I know.

    The NTP Pool and CPAN Ratings are other notable users.

    I'm planning to add OpenID support to Bitcard, too. The big advantage/difference with Bitcard is that the email addresses you get from Bitcard will be verified etc already, so you can do away with logic to do that in your application. If you just need an identifier that doesn't change then OpenID is all you need.

    - ask

    ask bjoern hansen, http://www.askbjoernhansen.com/
[reply]

In Section Meditations

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: note [id://602055]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others exploiting the Monastery: (7)
As of 2024-04-24 09:00 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found