julian_bond at voidstar.com
Mon Oct 13 20:18:39 UTC 2003
Parker Thompson <parkert at uclink.berkeley.edu> wrote:
>I have concerns about the Drupal model of single sign on with respect to
>the security model.
>With respect to authentication, I myself am partial to the Liberty Alliance
>model (federated authentication)
Marc Canter <marc at broadbandmechanics.com> wrote:
>We're planning on using PingID's open source implementation - called
>"SourceID" for single sign-on authentication and FOAF.
Liberty & PingID (and I guess Passport) work on the basis that there is
a prior, strong agreement between sites with some sort of shared secret.
This also introduces a strong trust and reputation link between the
sites. This lets you do strong authentication with industrial strength
security. If you want it. The problem is the need for the prior
arrangement. This works against the individual and introduces all sorts
of roadblocks. Unfortunately protocols built round this sort of approach
also seem to attract complexity as participants try and solve every
possible scenario. One possible exception to this is
http://php.weblogs.com/universal which is a simple xmlrpc system for
federated identity but using a push approach.
The Drupal (and SEA) pull approach starts at the opposite end of the
spectrum. It effectively says that anyone can provide an authentication
service with no prior setup. All that's needed is an agreed protocol.
The issue here is not security because that's just a question of how
much effort you put into the protocol. The issue is how much you trust
an authentication service you've never used before. My view is that
there are many, many situations now where we don't actually care. And
secondly that it's an interesting problem in de-centralization.
Bring this back to FOAF. FOAF actually has similar issues. How much do
we trust the data contained in it? How much do we trust the FOAF data
from a particular source?
Julian Bond Email&MSM: julian.bond at voidstar.com
Personal WebLog: http://www.voidstar.com/
M: +44 (0)77 5907 2173 T: +44 (0)192 0412 433