Slashdot Mirror

← Back to Stories (view on slashdot.org)

Jabber Takes On MS Passport

Posted by timothy on from the lower-fat dept.

Lord Prox writes "Jabber Ticket Authentication is a method of authenticating with HTTP servers using your jabber identification. This allows you to login to websites using your jabber address in a single sign-on fashion similar to .NET Passport, but unlike .NET Passport is not locked into a single authentication provider. Tickets also mean the jabber ticket provider and the web server do not need to be tightly integrated for authentication to work, also because its not tightly integrated it means webmasters do not need to setup their own jabber server to provide tickets, they can use a third party provider even a central "tickets.jabber.org". Also because tickets are not tightly integrated it makes it far easier for webmasters to integrate with Jabber, it also makes web farms far more scalable and reliable." Update: 02/11 19:22 GMT by T : The link to jabber.org has been fixed; thanks to reader Laurence Withers.

5 of 32 comments (clear)

  1. OpenPGP based single-sign-on by Anonymous Coward · · Score: 4, Interesting

    I'd really like to see OpenPGP key infrastructure used as a SSO mechanism. Perhaps this can be integrated into
    the key-exhange mechanism of this Jabber project
    and the SASL client side.

    The public OpenPGP keys could be fetched from public keyservers/jabber servers/LDAP servers.

    Complex stuff, but still important missing stuff IMO.

    Walden

  2. Requires a client plugin - for web services? by Bazzargh · · Score: 4, Interesting

    If you look at what is proposed, it describes clients sending tokens like this:

    GET http://www.webserver.com/webpage.html HTTP/1.1
    Authorization: JabberTicket 54yudvjhssa76dta6sgdst78r4sadsfjdhs...

    now apart from the nitpicking complaint that they should use example.com as the test domain (follow link to see why), its obvious that this needs client-side support. With browser rollouts being mindnumbingly s l o w, that means they are probably targeting web services, or non-browser clients, or must be building a browser extension?

    Secondly, the spec for the client request for a ticket doesnt include any authentication info whatsoever. Ok, this means they must be doing that in 'some other protocol' (presumably Jabber + SASL). They could be a bit clearer... this part basically requires you to have a fairly complete XMPP implementation in order to get at the apparently simple ticket service.

    Mark me down as unconvinced. Take a look at Shibboleth and OpenSAML to see what others are doing in this space - they are already doing single sign on, and it already works (OpenSAML does have the downside of being affected by a free-to-license RSA patent).

    We have integrated sites into Athens (SSO for the UK EDU/GOV sectors), which is similar to Shibboleth in scope, and doesn't require browser changes.

  3. Kerberos?? by Visigothe · · Score: 5, Interesting

    I may be totally out of line, but the idea of single sign-on through tickets/tokens already works rather well with Kerberos. Why not incorporate Kerberos into the Jabber system?

    Many people think that Kerberos is very difficult to implement properly, but it doesn't have to be so. Currently Apple makes authentication via Kerberos rather simple.

    Perhaps I just don't see a benefit of going with something new/different when something battle tested will fit the bill.

    --
    Blocklevel: Practical Information Architecture
    1. Re:Kerberos?? by kelnos · · Score: 4, Interesting

      i would agree with this, except for one caveat. (this may not be an issue, as i haven't RTFAed, but...)

      kerberos is designed with the concept of a single authoritative authentication directory in mind. that seems to be pretty much at odds with jabber's goals here.

      now, it _is_ possible to form "trust relationships" between disparate kerberos realms, but that isn't really an oft-used feature, and it seems to me to be something that was almost tacked on last minute without being truly designed into the system.

      now, what i'd really like to see is a fundamental redesign of kerberos (version 6, anyone?) that takes into account some of the open, decentralised concepts that jabber seems to be pushing here.

      of course, the final issue is application support. despite being around forever, kerberos still has little to no support in web browsers. certainly none of the major browsers (moz, IE, safari) support kerberos auth. other kerberised apps are hard to come by - sure, the krb5 distribution comes with kerberised telnet, ftp, rsh, etc., but GUI clients are hard to come by. and they want to add _yet another_ authentication protocol? who's going to support it?

      i think something like this is a great idea, but unfortunately i believe that you'd need some major corporate backing to get this into current applications.

      --
      Xfce: Lighter than some, heavier than others. Just right.
  4. Re:Jabber is good stuff... by AJWM · · Score: 2, Interesting

    More serious question: since Cougaar is Java-based, howcome you're using Ruby and not a Java wrapper or something like JSO (Jabber Streaming Objects)?

    (Speaking of which, for those in the Denver area, Peter Saint-Andre and Matt Miller will be talking about Jabber and JSO at the Denver Java Users Group (www.denverjug.org) tonight.)

    --
    -- Alastair