E-commerce Single Sign-On Not Dead Yet
FullyIonized writes "A few years ago Microsoft's Passport technology made headlines as Microsoft predicted e-commerce nirvana and conspiracists predicted a new Big Brother. Not to be outdone, Sun spearheaded the Liberty Alliance. Years later, I still don't have a single sign-on, not that that's a bad thing. Enter Andre Durand, who started his first business with BBS software, then headed up Jabber, and has now started Ping Identity. The big distinction: the federated identity software is open-source. The Denver Post has the story."
Seriously, I'm not asking in jest. Is there a problem with the technology as it stands?
Computers are useless. They can only give you answers.
-- Pablo Picasso
"Kids Passport helps participating sites and services obtain parental consent to collect, use, or disclose a child's personal information. You or your child can register his or her .NET Passport account."
As opposed to "...will ensure children's personal information is kept confidential...".
Hack once, use everywhere.
Seriously - all the sites that I would trust a single-sign-on thingy already have that. I use the same password at all those less important places. (I'll probably get bashed to hell for this, but I'm sure most of you do the same)
Underholdning.info
May I suggest you take a look at KeePass? Store all your passwords in a single database that you can access with either one master password, or combined with a key disk that you have to insert first.
Because you don't have the choice to decide yourself whether a given login is important enough to justify a different password.
Linux is not Windows
There's also YaPS for Palm OS.
Lasso is another free (GPL) implementation of the Liberty specs. It is still in heavy development, but compatibility against SourceID (the PingID solution) has been achieved.
The great thing in Lasso is the language bindings: PHP, Python, Java, C# (anything .NET, actually). Integration into an existing website is easy (well, it will be much easier when the documentation is completed).
There is another interesting project too :-) : Lasso http://lasso.entrouvert.org/. It is a C implementation of the Liberty Alliance specifications with a lot of bindings (Python, Java, PHP, C#). I'm one of the developers of Entrouvert http://www.entrouvert.com/, a French free software company. We are trying to offer a free SSO solution. We also have a framework to test it, called Souk http://lasso.entrouvert.org/souk. Enjoy!
What the fuck do you mean?
Or worse, they get written down on a piece of paper under the keyboard.
There is nothing wrong with writing passwords down.
Identity management:
I cannot ever see the need for uniqueness online, and in saying that I require it you are saying that I may have intent to commit a crime, which isn't worth the risk of your ability to control what I can do.
Training:
Well, you don't need training really; it's all in the software. All my passwords are already encrypted with kwallet, and I expect that if I use kmail it will automatically sign my emails.
All I need is for a signature tag to be added to the XForms or XHTML specification and my browser can transparently sign any data that I post.
(I would also add a date field to the post data so that you know when the message was sent; this will prevent a duplicate message being sent by a hacker.)
The main problem I can see is viruses and trojans, because as soon as someone has broken into your PC your identity is stolen, and that is going to be the problem with any type of identity management system you can think of.
thank God the internet isn't a human right.
Solution: classes of passwords.
- The stuff that you really care about (your bank account, your login at your computer at home, ...) all gets different passwords.
- The stuff that you care a little bit less about (bug reporting sites for various software, Slashdot, Wikipedia, etc.) shares a password. Note: when vandalizing Wikipedia, you should use different passwords for your different trolling accounts, because they can (and do...) correlate various trolls by their passwords. So you just use login concatenated with your_common_password.
- The stuff that you care even less about (NYT, other online papers, ...) shares another password.
- The stuff that you care still less about (password at work, ...) gets yet another one.
Stuff of the same "security level" shares the same password, so things stay manageable while still keeping reasonable security.

Not to bang on these guys, but for an open, non-commercial, distributed identity system, with working code, see Identity Commons.
The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
In "the real world" I have several different ID numbers:
SSN
Bank account number (more than one)
Credit card number (more than one)
Employee ID
Student ID
Drivers license number
Supermarket loyalty discount card number
Blockbuster/Movie Gallery number
Library Card number
Auto/Home/Medical insurance ID
Voter Registration ID
I think I'm better off having those as separate numbers, and just keeping the cards around so I don't have to remember them. Why should online be any different? Can you imagine a world where all those numbers are the same, and are maybe our telephone number, for instance (making everything easy to remember)? Scary.
While I agree with you, one of the principles of the Liberty Alliance is that it is a distributed system. I don't know much about it, honestly, but the companies on board are competitors and rivals who certainly wouldn't want to share databases if they could help it. They wouldn't want Microsoft to hold their data, that's for sure.
-- "Makes Little Debbie look like a pile of puke!" - Moe Szyslak
I have a single memorized passphrase and generate a new password for each site by hashing it with the hostname. This bookmarklet asks for the passphrase, grabs the hostname from the current URL, MD5s them, and inserts the first 8 characters of the result into each password field on the current page. It's all done locally in Javascript so nothing secret is passed across the 'net which makes it secure except for shoulder-surfers and keyloggers - good enough for most stuff. And it has the great advantage that there's no locked file of passwords to lose.