Passport vs. Plan 9
netphilter writes "LinuxWorld is carrying an article about how Apache and Plan 9 are going to defeat Microsoft's Passport. I hate Passport's integration with XP (although that might be because I hate XP). An Open Source single sign-on would be a real blessing. Will we ever get a good single sign-on solution?"
Do we really want a single sign on?
"Will we ever get a good single sign-on solution?"
What about NDS/Single Sign On from Novell? I haven't looked at it in a while, but last I checked, it ran on most server operating systems (including Linux), makes administration a *lot* easier, and is pretty secure. What's not to like? (besides the fact that it's not open source/free software) I guess I shouldn't be surprised, since Novell's marketing sucks. They have great technology, but have had a lot of trouble turning that into products.
Someone should come up with a catchy quote against that.
"There is no teacher but the enemy."-Mazer Rackham
I certainly don't want a single sign on. Yes, it's a single point of failure. But it's more than that. It's one-stop shopping for anybody who wants to intrude into your life or totally violate your privacy. I don't like passport. I won't like any other system of the same ilk.
I keep different account names on different systems. I use multiple passwords that follow rules for mixing case, special chars, and numerics. I never have any programs remember my passwords. It's a hassle to keep up with, but I feel a bit more like no one is watching all of what I do.
Am I a paranoid tin-foil hat type? No, I'm an honest, upstanding citizen type. I don't think I want to give the keys to my life to anyone, though. I don't want some hacker breaking in and messing up my life. Nor do I want to be perfectly profiled by a bunch of marketing droids.
Single sign on is great - for a single system. I do not want and will not use single sign on for the internet.
I've seen a lot about single sign-on with Windows. I have liked the stuff that Novell has put in. I do like some parts, and I don't like other parts. I don't like Passport, only because then it gives M$ access to all my personal information (which I wouldn't doubt they already...). But, I've seen a lot about the Windows front, and MONO and other projects for GNU/Linux and/or Open Source in general. But... Has anything been done to try and combine the two where you have a single sign-on for both *nix and Windows, where you can have the same favorites, address book, etc.? This is what I would like to see happen, as I use GNU/Linux (Gentoo/Slack) at my house, in my room, but Windows at my church/family computer/school. I would like to have it where I could get the same stuff on all of these machines, but I haven't seen anything about combining the two of them yet. Does anyone know if there is such a project going on?
"Single sign-on" does not mean you have to trust some third party with all your records, or that you cannot have a fallback.
To solve the first, keep your authentication cookies on your machine (or other secure hardware local to your person). Just pick a single sign-on solution that allows you to use that. You only need to worry about making it secure from interlopers.
To solve the second, your bank/insurance company/email provider/etc can reissue you an authentication cookie once you prove to them through some other trusted mechanism (say, showing up in person, or answering hard-to-research personal questions over the phone).
("Authentication cookie" could be a password, asymmetric key pair, or whatever.)
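The post above sketches the design without spelling it out: the "authentication cookie" is an asymmetric key pair that never leaves the user's machine, each site keeps only the public half, and a lost key is replaced only after an out-of-band identity check. The Go program below is an added example written for this page, not code from the thread, from Apache, Plan 9 or any product named here. The site names, the user "alice" and the boolean standing in for the in-person identity check are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// RelyingParty is one site (bank, insurer, mail provider). It stores only the
// user's public key and the challenge it last issued; no secret lives here
// that could be leaked or reused at another site.
type RelyingParty struct {
	Name    string
	keys    map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewRelyingParty(name string) *RelyingParty {
	return &RelyingParty{Name: name, keys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// NewClientKey generates the pair the user keeps on their own machine or
// token; only the public half is ever sent anywhere.
func NewClientKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Enroll binds a username to a public key at this site.
func (rp *RelyingParty) Enroll(user string, pub ed25519.PublicKey) {
	rp.keys[user] = pub
}

// Challenge hands out a fresh random nonce; it is valid for one answer.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	rp.pending[user] = nonce
	return nonce, nil
}

// transcript is the message the client signs. The site name is bound in so a
// signature collected by one site cannot be replayed to log in at another.
func transcript(site string, nonce []byte) []byte {
	return append([]byte("login:"+site+":"), nonce...)
}

// Answer runs on the user's side; the private key never leaves it.
func Answer(priv ed25519.PrivateKey, site string, nonce []byte) []byte {
	return ed25519.Sign(priv, transcript(site, nonce))
}

// Verify checks the answer against the stored key and consumes the nonce, so a
// captured answer is useless a second time.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	nonce, ok := rp.pending[user]
	if !ok {
		return false
	}
	delete(rp.pending, user)
	pub, ok := rp.keys[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, transcript(rp.Name, nonce), sig)
}

// Reissue replaces the enrolled key after the user has proved identity by some
// other route (a branch visit, a phone interview). That check is modelled as a
// boolean here; it is an assumption of this example, not a real procedure.
func (rp *RelyingParty) Reissue(user string, newPub ed25519.PublicKey, identityProven bool) error {
	if !identityProven {
		return errors.New("out-of-band identity check failed")
	}
	if _, ok := rp.keys[user]; !ok {
		return errors.New("unknown user")
	}
	rp.keys[user] = newPub
	delete(rp.pending, user)
	return nil
}

// Login performs one full exchange and reports whether the site accepted it.
func Login(rp *RelyingParty, user string, priv ed25519.PrivateKey) bool {
	nonce, err := rp.Challenge(user)
	if err != nil {
		return false
	}
	return rp.Verify(user, Answer(priv, rp.Name, nonce))
}

func main() {
	pub, priv := NewClientKey()
	bank := NewRelyingParty("bank.example") // constructed names
	mail := NewRelyingParty("mail.example")
	bank.Enroll("alice", pub)
	mail.Enroll("alice", pub) // one key pair, two sites, no shared server between them

	fmt.Println("bank login:", Login(bank, "alice", priv))
	fmt.Println("mail login:", Login(mail, "alice", priv))

	nonce, _ := bank.Challenge("alice")
	fmt.Println("answer meant for mail, presented to bank:", bank.Verify("alice", Answer(priv, mail.Name, nonce)))

	// Lost laptop: identity proven in person, new key enrolled, old key dead.
	newPub, newPriv := NewClientKey()
	fmt.Println("reissue:", bank.Reissue("alice", newPub, true))
	fmt.Println("old key at bank:", Login(bank, "alice", priv))
	fmt.Println("new key at bank:", Login(bank, "alice", newPriv))
}
```

Two details carry the security argument. Binding the site name into the signed transcript is what keeps a single key pair from becoming the "one-stop shopping" other posters fear: a site cannot take the answer it received and present it elsewhere. Consuming the nonce on first use means a captured answer cannot be replayed, and re-enrolment at one site leaves every other site's enrolment untouched, so there is no central record to compromise.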
It's not like Apache and Plan 9 are looking to make it mandatory. They just want the option available for those instances when it is a useful addition. Like ChiliASP and Tomcat, if you don't need what it provides, just don't add it to your server install. But definitely do not gripe that they should do it at all. Such griping is shortsighted and pointless.
Nonrepudiation and pseudonymic technologies will /have/ to emerge if we want to see real commerce online. While I don't approve of MS having control of that technology, I recognize that MS is in some sense right...for some transactions to occur, nonrepudiation is a must.
The more people who are willing to act as trust servers in that sense, the better. Right now we have MS Hailstorm, XNS and OneName, Sun and the Liberty Alliance, and I see no reason not to add another to the mix, so long as we are moving toward standardization where players can compete on implementation of the standard.
-Tom
Personally, I am against single sign-on. I think it is fundamentally dangerous, and ultimately unnecessary. What bothers me though is the degree to which some zealots here are willing to dismiss Microsoft out of hand. As a long-time Mac user, I know well the feeling of having a superior technology that is dwarfed by the 800 pound gorilla. However, I have never been under the delusion that MacOS will defeat Microsoft's offerings in the marketplace. And it seems absurd to make such a broad assertion. Better would have been "here is why Plan 9 could (or should) defeat MS..." Quite frankly, if you don't give your competition the respect they deserve and recognize their strengths, you have no hope of defeating them. I'm sure Sun Tzu said something about this. Even MS knows that...look at their efforts to counter open source, etc...they recognize it as a force to be reckoned with.
At this point, I'm not sure where this post is going or what my original point was. But to respond more directly to some of your questions: I don't have a problem with integration of Passport in XP. It's their operating system. For those that need that functionality, having it tightly integrated into the OS can make sense. Having said that, if using XP requires you to use Passport, it is one more reason I would personally avoid XP. I don't trust Microsoft, but I use them when it makes sense. I use Office v.X (the office suite unfortunately named after a powerful nerve gas) because it rocks. Say what you will about feature bloat, but it has the features everyone in my office needs. No one uses all of them (or nearly all) but everyone has different needs and I know with Office those needs will be met. And I can disable Clippy.
In summary: Single sign-on bad. Microsoft good and bad. Rabid zealotry bad. Any questions?
Do not taunt Happy Fun Ball(TM)
I agree with the insecurity thing of single point of failure. But I personally think the issue at hand is much greater here: the fact that one single entity (company) has the power to sign you on to anything on earth from subway cars (à la retina scan in Minority Report) to your home computer just rings the bells of fascism to me.
The saying goes: deviate an inch, and lose a thousand miles. If we let this kind of centralization intrude into our lives now (early on, while we still have some say over it), we eventually might never be able to break loose of it.
But that's just me.
I suggest living in a cabin in the woods somewhere with no utilities where you grow your own food? That's about the only way you can be even remotely "private"
And even then, They know where you are. Because there's a land deed somewhere with your name on it and you aren't showing up in any of Their databases as consuming goods, so the cabin is the only place you could be!
And while in the big picture you're correct, it doesn't matter unless you're important, the reality is that there is stuff I don't want getting out willy nilly. Does it matter if someone has my name and telephone number? Only if they're a telemarketer. What about medical records? Should your employer be able to access them and let you go if they believe you're too high a cost? Do you want your neighbors or coworkers knowing how much you make?
I don't really have an issue with a centralized database of this stuff, simply because I think it'll be a wash if done properly. No, I don't think we'll have an infallible system, but the current system isn't infallible either. And right now most of the data people worry about is already available - go pull your credit report at Equifax, Experian, or TransUnion. You may be amazed at just what they know about you, at least within the last 10 years of your life. And that data is nowhere near as secure as you think it is.
And the issue about companies selling your information is a red herring. It's already done, it's regulated, and it works fine most of the time. See above for the names of the companies doing this as their main profit center for 50 years now.
Design a good secure system with limitations on who can access what data and you're already ahead of the game. I know with absolute certainty that it's better than what we have now.
I would consider a single login system if I could physically hold the key in my hand instead of storing it on some uberserver in some datacenter I'll never see... maybe a PDA-type thing with a Bluetooth adapter you could use to log in to the bank terminal, mail account, etc.
What we do need is some consistency between the information sites ask for. If sites were consistent about asking for, say, a 10 character mixed case username, a 10 character mixed case alphanumeric password, a 6 digit numeric passcode or whatever (the numbers are arbitrary and not intended to represent any ideal of security), then it would be easy to just have a few passwords etc. which are used for different trust levels.
I guess most people do this already, but I'm always getting thrown by being asked for subtle variants of this information. Now if the sites were kind enough to display a number of my choosing on the login screen (to remind me which password to use) and maybe the date I last changed my password, life would be much more simple. There are some sites that I have lost count of how many times I have registered because I can't recall which variant of my username I entered.
The chief problem would be keeping usernames unique, although I'm not convinced this is a problem so long as the combined credentials are unique(?)
"Linux is a serious competitor"
- Steve Ballmer, Chief Executive Microsoft Corp.
I work for a large bank, one of the largest. A few years back we adopted a single sign-on technology to try and appease the 6000+ users in the company who were complaining that they had to remember 20 different passwords that had different requirements and all expired at different intervals.
Actually we didn't adopt it, it cost us millions of dollars. The company that sold it to us said it would put an end to our password woes and we would reap the rewards by cutting our support staff and lessening the load on our call-centre. It did no such thing... Our call-centre volume tripled, the cost of implementation (not to mention training) was horrendous and our support staff were overwhelmed.
Fast forward to now, 4 years later. We have an entire department dedicated to customizing our in-house applications (and some purchased via the regular sources) to work with this beast, the helpdesk and support staff are still inundated with calls to do with our single sign-on menace, and management won't get rid of the thing because it would mean admitting a mistake was made that cost us millions, and having to retrain our user population would cost even more!
And security!? It used to be when a password was guessed and a system compromised, the guesser still had to guess the password(s) to any application(s) they needed to do any real damage. Now...we've eliminated that inconvenience.
Now I like Windows XP. Yet I don't use hotmail. I don't even have a Passport. So what's all this about needing one for WinXP?
"You are not a beautiful and unique snowflake."...Tyler Durden