Comments on: Time is ripe for distributed authentication http://jk3.us/2005/07/14/time-is-ripe-for-distibuted-authentication/ ...or something along those lines Thu, 29 Mar 2012 17:20:20 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: Jay Knight » On Avoiding the Password ‘Explosion’ http://jk3.us/2005/07/14/time-is-ripe-for-distibuted-authentication/#comment-21 Jay Knight » On Avoiding the Password ‘Explosion’ Mon, 04 Dec 2006 21:05:05 +0000 http://jk3.us/?p=13#comment-21 [...] This just re-iterates what I’ve said before: “Time is ripe for distributed authentication.” [...] [...] This just re-iterates what I’ve said before: “Time is ripe for distributed authentication.” [...]

]]> By: Administrator http://jk3.us/2005/07/14/time-is-ripe-for-distibuted-authentication/#comment-20 Administrator Sat, 16 Jul 2005 22:58:17 +0000 http://jk3.us/?p=13#comment-20 David... yes, drupal is a step in the right direction... If that guy used his drupal id on all the drupal sites he used (let's assume he uses a lot), then a compromised password could be rememdied by a single change. However, as you said, you still enter your password on every site, which almost defeats the purpose :) David… yes, drupal is a step in the right direction… If that guy used his drupal id on all the drupal sites he used (let’s assume he uses a lot), then a compromised password could be rememdied by a single change. However, as you said, you still enter your password on every site, which almost defeats the purpose :)

]]> By: David Roussel http://jk3.us/2005/07/14/time-is-ripe-for-distibuted-authentication/#comment-19 David Roussel Sat, 16 Jul 2005 22:26:14 +0000 http://jk3.us/?p=13#comment-19 Note that Drupal already supports distributed authentication. For example look in this thread, http://www.spreadfirefox.com/?q=node/view/16836 search for vwx. See how the guy has logged in with his drupal.org id into the SpreadFirefox.com site. Granted it's not as nice a OpenID, as the password goes through the server. See here for more details http://drupal.org/node/19113 Note that Drupal already supports distributed authentication.

For example look in this thread, http://www.spreadfirefox.com/?q=node/view/16836 search for vwx. See how the guy has logged in with his drupal.org id into the SpreadFirefox.com site.

Granted it’s not as nice a OpenID, as the password goes through the server. See here for more details http://drupal.org/node/19113

]]> By: Administrator http://jk3.us/2005/07/14/time-is-ripe-for-distibuted-authentication/#comment-18 Administrator Fri, 15 Jul 2005 23:36:36 +0000 http://jk3.us/?p=13#comment-18 Grauw, with <b>distributed</b> authentication (with openid, anyway), you don't have to provide your password to the site author at all, just to your identity server. Then there is no way for all the sites you use to misuse the data (they don't have it). Also, when it's distributed, you really truly have a single password to worry about... Not just using the same one on every site. If you think your password has been compromised, change it. Once. Not "the password of any accounts where you use the same password." Grauw, with distributed authentication (with openid, anyway), you don’t have to provide your password to the site author at all, just to your identity server. Then there is no way for all the sites you use to misuse the data (they don’t have it).

Also, when it’s distributed, you really truly have a single password to worry about… Not just using the same one on every site. If you think your password has been compromised, change it. Once. Not “the password of any accounts where you use the same password.”

]]> By: Laurens Holst http://jk3.us/2005/07/14/time-is-ripe-for-distibuted-authentication/#comment-17 Laurens Holst Fri, 15 Jul 2005 23:28:46 +0000 http://jk3.us/?p=13#comment-17 Hashing passwords with a hash function like SHA1 or MD5 before storing will of course achieve exactly the same effect, and can easily be implemented... ‘Distributed authentication’ is not the only solution. Problem is, then you are depending on the site author to do The Right Thing. Which apparantly wasn’t the case with SFx. ~Grauw Hashing passwords with a hash function like SHA1 or MD5 before storing will of course achieve exactly the same effect, and can easily be implemented… ‘Distributed authentication’ is not the only solution.

Problem is, then you are depending on the site author to do The Right Thing. Which apparantly wasn’t the case with SFx.

~Grauw

]]> By: Administrator http://jk3.us/2005/07/14/time-is-ripe-for-distibuted-authentication/#comment-16 Administrator Fri, 15 Jul 2005 23:04:10 +0000 http://jk3.us/?p=13#comment-16 That's pretty good list. I don't claim to be any sort of expert on the subject, but I've read up a little. Here are some thoughts on a few items from your list: Pubcookie: works fairly well for a small set of sites. We implemented at my alma mater for all the many web services available, it's still dependant (I think) on a centralized server, no good for "the whole web" LDAP: Would be a great backend for an identity server, but by itself I'm afraid it would not be simple enough... would you have to log in as ldap://server.com/cn=Name,dc=server,dc=com, or whatever. Identity Commons: it looks like they had the right idea, but 1) I can't find specs and 2) It looks like their site hasn't been updated in a year or so. OpenSSO: Looks like another one aimed at a smaller set of sites, and not the web at large Shibboleth: again, not for web at large SourceID: no comment... can't figure anything out from their site. Several of these are based on <a href="http://en.wikipedia.org/wiki/SAML" rel="nofollow">SAML</a>, which might be a good thing. XML is good, but may be more than is needed for simple identification... it may be good for sharing data between your identity server and some web service. Thoughts? That’s pretty good list. I don’t claim to be any sort of expert on the subject, but I’ve read up a little. Here are some thoughts on a few items from your list:

Pubcookie: works fairly well for a small set of sites. We implemented at my alma mater for all the many web services available, it’s still dependant (I think) on a centralized server, no good for “the whole web”
LDAP: Would be a great backend for an identity server, but by itself I’m afraid it would not be simple enough… would you have to log in as ldap://server.com/cn=Name,dc=server,dc=com, or whatever.
Identity Commons: it looks like they had the right idea, but 1) I can’t find specs and 2) It looks like their site hasn’t been updated in a year or so.
OpenSSO: Looks like another one aimed at a smaller set of sites, and not the web at large
Shibboleth: again, not for web at large
SourceID: no comment… can’t figure anything out from their site.

Several of these are based on SAML, which might be a good thing. XML is good, but may be more than is needed for simple identification… it may be good for sharing data between your identity server and some web service. Thoughts?

]]> By: Rob Lanphier http://jk3.us/2005/07/14/time-is-ripe-for-distibuted-authentication/#comment-15 Rob Lanphier Fri, 15 Jul 2005 22:09:06 +0000 http://jk3.us/?p=13#comment-15 OpenID does seem to have the momentum right now. What are some of the other solutions you've looked into? <a href="http://spectaclar.org/wiki/Authentication_Systems" rel="nofollow">Here's a list of the solutions I've compiled so far</a>, and I'd love it if you could add to it anything that you're aware of. Thanks Rob OpenID does seem to have the momentum right now. What are some of the other solutions you’ve looked into? Here’s a list of the solutions I’ve compiled so far, and I’d love it if you could add to it anything that you’re aware of.

Thanks
Rob

]]>