Passport vs. Plan 9
netphilter writes "LinuxWorld is carrying an article about how Apache and Plan 9 are going to defeat Microsoft's Passport. I hate Passport's integration with XP (although that might be because I hate XP). An Open Source single-sign on would be a real blessing. Will we ever get a good single sign-on solution?"
>Correct me if I'm wrong, but isn't Solaris on
>version 9 or something?
"Solaris 7", "Solaris 8", and "Solaris 9" are actually 2.7, 2.8, and 2.9 respectively.
To add confusion, internally it's SunOS 5.x.
-l
Single Sign On (SSO) works within a limited realm under the same control, such as within the scope of a government agency, a corporation, or a school. These bodies already exist and deal with issues of various policies, including privacy policies, within the scope of the "realm" (i.e. the laws of the nations a multinational corporation is functioning within).
Universal SSO, such as this plan and Passport, breaks that and cannot be consistent, since different companies want different privacy policies and are governed by different government legislation, yet are supposed to "control" and use the same information (the online identity credentials).
So the goal of only needing one online identity, whether a username/password, or a PIN and smartcard, within a given controlled realm such as your university does make sense. This is possible through sensible use of existing services like directory services and secure network authentication. The use of directory services such as X.400, RADIUS, and more recently LDAP (and LDAP perversions like Active Directory) can help towards this. As well as secure network authentication like Kerberos.
Universal SSO does not make sense, because the shift of power and control is not carefully thought out in the contexts of legal issues (privacy, evidence, children's online protection), contractual issues, limited and total revocation, ownership, and other issues.
Universal identities for an unlimited number of purposes do not make sense: it is a nightmare of management logistics, a total lack of correctness, legal quandary, and telemarketing hell.
haahhhhahahah
i love keeping track of 40 accounts/passwords.
Who said you had to do that?
We have already solved the problem of single password authentication; it is built right into SSH. Basically, you send your public key to anyone you want to authenticate to. Your private key resides on your computer and is password protected. A local key agent manages your private key. When you authenticate the first time, your key agent asks you for your private key's password. Note that this password is never transmitted over the network, and neither is the private key. The key agent makes it unnecessary to enter the password again for any site that has your public key: a real single sign on for any system that has your public key.
Even if your system is compromised, your private key is protected by the passphrase you set for it. If the Internet sites are compromised, all the attacker gets are worthless public keys.
Why hasn't someone implemented this instead of this passport silliness? The technology has been around to do this right, why do people keep trying to do it wrong?
I've had enough abrasive sigs. Kittens are cute and fuzzy.
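The agent-based scheme the post above describes, as an added example that is not code from the original thread or from any SSH implementation: each server stores only a public key, the private key sits on the client in passphrase-encrypted form, and a local agent unlocks it once and then signs a fresh server-chosen challenge for every login. It assumes Ed25519 keys, a constructed passphrase and server names, and a deliberately simplified passphrase-to-key derivation (a bare SHA-256 where a real agent would use a slow KDF).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Agent models the local key agent: the private key is kept only in
// passphrase-encrypted form and is decrypted into memory at first use.
type Agent struct {
	Public    ed25519.PublicKey
	sealedKey []byte             // AES-GCM ciphertext of the private key, nonce prefixed
	key       ed25519.PrivateKey // nil until unlocked
	Prompts   int                // passphrase prompts shown so far
}

// newGCM derives the wrapping cipher from the passphrase (constructed
// simplification: real agents run a slow KDF here, not a bare SHA-256).
func newGCM(passphrase string) (cipher.AEAD, error) {
	sum := sha256.Sum256([]byte(passphrase))
	block, err := aes.NewCipher(sum[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewAgent generates an Ed25519 keypair and seals the private half.
func NewAgent(passphrase string) (*Agent, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(passphrase)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error in current Go
	return &Agent{Public: pub, sealedKey: gcm.Seal(nonce, nonce, priv, nil)}, nil
}

// Sign unlocks the key on first use (asking for the passphrase once) and signs
// msg. Neither the passphrase nor the private key ever leaves this process.
func (a *Agent) Sign(msg []byte, askPassphrase func() string) ([]byte, error) {
	if a.key == nil {
		a.Prompts++
		gcm, err := newGCM(askPassphrase())
		if err != nil {
			return nil, err
		}
		ns := gcm.NonceSize()
		plain, err := gcm.Open(nil, a.sealedKey[:ns], a.sealedKey[ns:], nil)
		if err != nil {
			return nil, errors.New("wrong passphrase") // GCM tag check failed
		}
		a.key = ed25519.PrivateKey(plain)
	}
	return ed25519.Sign(a.key, msg), nil
}

// Server models one remote site. It stores only public keys, so a breach of
// its user database yields nothing usable to log in anywhere.
type Server struct {
	Name       string
	authorized map[string]ed25519.PublicKey
}

func NewServer(name string) *Server {
	return &Server{Name: name, authorized: map[string]ed25519.PublicKey{}}
}

func (s *Server) AddKey(user string, pub ed25519.PublicKey) { s.authorized[user] = pub }

// Login is the challenge-response: a fresh nonce bound to the server's own name
// goes out, a signature over it comes back, and the server verifies it against
// the stored public key. A captured reply cannot be replayed at another server.
func (s *Server) Login(user string, sign func([]byte) ([]byte, error)) bool {
	pub, ok := s.authorized[user]
	if !ok {
		return false
	}
	nonce := make([]byte, 32)
	rand.Read(nonce)
	challenge := append([]byte(s.Name+"\x00"), nonce...)
	sig, err := sign(challenge)
	return err == nil && ed25519.Verify(pub, challenge, sig)
}

func main() {
	pass := "correct horse battery staple" // constructed passphrase
	agent, err := NewAgent(pass)
	if err != nil {
		panic(err)
	}
	sign := func(m []byte) ([]byte, error) { return agent.Sign(m, func() string { return pass }) }
	for _, name := range []string{"alpha.example", "beta.example"} { // constructed server names
		srv := NewServer(name)
		srv.AddKey("alice", agent.Public)
		fmt.Printf("%s: login=%v prompts=%d\n", name, srv.Login("alice", sign), agent.Prompts)
	}
}
```

Running it shows both logins succeeding with the prompt counter stuck at 1: the second server never triggers a passphrase prompt because the agent already holds the decrypted key. The point the post makes about compromise falls out of the structure: a server only ever sees public keys and signatures over its own nonces, and a stolen `sealedKey` blob is useless without the passphrase.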
Start/Run/RunDll32 advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove
This worked for me. It finally stopped telling me to register my .NET Passport, and doesn't run Messenger all the time.
Here is a site with more info: http://www.kellys-korner-xp.com/xp_messenger.htm
PS: Am I violating the DMCA by posting this? Well I'm not an American citizen, but if I was?
Random is the New Order.
I once joined a startup that was based on a good idea that incorporated SSO, but the VP of Engineering swore to me the company would never abuse that power. Within months, marketing managers were telling me that end users "wanted" us to abuse SSO "for their own good." For legal reasons, I won't go into more detail, but the company I left was not the company I joined -- all because of the temptation SSO brings.
End Users believe that SSO is a gift from heaven because it allows them to mindlessly go through the "troublesome" task of authenticating themselves. This has several implications:
- Authentication is designed to require you to use your brain. It's like the roughed-up pavement that precedes many toll booths, saying, "you're going to need to wake up now."
- Authentication is designed to require you to use your brain. It helps ensure that you are the only one who has access to certain data. You should not be entrusting this to a conscience-free multinational who has no qualms about "sharing" your access with all its employees, partners and anyone who pays them enough money.
- One of the places most consumers often see authentication forms are on shopping sites. When you are going to buy something, you have to go through the steps of entering your username and password, entering your credit card number, your address, etc. It's a protective speed bump that makes you think before you purchase. With SSO (or One-Click), you have no way of knowing when you've "authorized" a charge to your credit card. You assume that it's only when you click a button, but the fact is you've authorized the company to charge your card whenever it claims you want to buy something.
- Single point of failure. Enough said.
- Memory decay. When you use SSO, you tend to forget your user names and passwords because you don't need them. Then when your SSO provider does something you don't like and you decide to leave, you feel like you can't. You're trapped because you can't remember that data -- you think you need that service to continue accessing your other services. Even if the SSO service provides a method of retrieving your passwords, most users are unaware of it.
- Then, of course, there are the tracking issues. The SSO provider will track all the sites you visit, sell that data and market appropriately. Common sense, yet commonly ignored by the common End User.
A wise wizard would do well to distance himself and everyone he can from this evil.
Plan 9 is an operating system.
To say that you've never heard of it, and because of that it is therefore worthless, is awfully presumptuous.
You can get Plan 9 from CheapBytes.
It was supposed to be the next evolution of UNIX, even created by the guys who came up with UNIX in the first place. But UNIX was too popular, and Plan 9 never really caught on.
But this article seems a bit outdated, or maybe the author has been living in the stone age. Solaris 2.9? 3.0? Unless I'm gravely mistaken, we're at Solaris 9 right now, and I don't see a lot of shops running Plan 9.
Paul Murphy (the LW author of the article) seems to have been fooled by the Plan9 folks' self-proclaimed status as "Open Source". However, neither the OSI nor the FSF agrees. The FSF has even posted a detailed analysis of the problems with the Plan9 license.
Now, depending on your own philosophy (or lack thereof), you may or may not care personally whether this code is truly free/OSS/whatever, but in practical terms, what it means is that neither Red Hat nor Debian is going to buy into this solution, which pretty much means that it's probably dead in the water. Oh, I suppose it might be accepted by the UnitedLinux folks, but I'm not holding my breath on that.