Thread: BOF proposal: making the web safe and easy for Eliot's father

BOF proposal: making the web safe and easy for Eliot's father
2006-05-16 15:44:32
As an attempt to focus discussion here:
I think we are all agreed that there is no shortage of strong authentication solutions for a network.
What we need is a way to apply those solutions within an internetwork.
SAML solves some of the problems, but it is designed at a different level of generality. WS-* solves similar problems from a slightly different perspective.
In particular I think we need to decide on a single identifier format and a service discovery strategy. We also need to develop a deployment strategy.
There is an internet person identifier: an email address.
There is a service discovery mechanism: DNS SRV.
The ultimate goal of a deployment strategy must be to get support for interoperable strong authentication built into the operating system chrome. Unless we get into the operating systems we are going to be playing turtle stacking games forever.
I think we need to build this tunnel from both sides at once. If everyone is willing to cooperate we can meet in the middle.
Phill
-----Original Message-----
From: Sam Hartman [mailto:hartmans-ietf mit.edu]
Sent: Tue May 16 07:59:50 2006
To: Cat Okita
Cc: ietf-http-auth lists.osafoundation.org; lear cisco.com
Subject: Re: [Ietf-http-auth] BOF proposal: making the web safe and easy for Eliot's father
>>>>> "Cat" == Cat Okita <cat reptiles.org> writes:
Cat> On Mon, 15 May 2006, Sam Hartman wrote:
>> Hi. I'm putting together a proposal for a BOF at IETF 66 of
>> phishing-safe identity for the web and other HTTP applications.
Cat> Hi Sam -
Cat> From reading your email, it's not at all clear to me that you're
Cat> talking about identity. It seems like you're discussing
Cat> something much closer to a single sign-on solution. Could
Cat> you elaborate on what your perceptions of identity and
Cat> authentication are?
Initially I'm talking about binding an identifier to a session; if you
will, asserting the identity claim that hartmans mit.edu uniquely
applies to the subject of the session.

I think that long term, protocols will need to scale to support
additional claims. One of my main disagreements with the dix effort
is over whether the complexity associated with managing the privacy of
claims and standardizing claims is a good thing to include in the
first phase of the solution. I do not believe that is the case.

I'm definitely not talking about single sign-on. Single sign-on
implies that you have one identity. The Laws of Identity paper and
many other presentations make compelling arguments about why you will
have multiple identities. My goal is to create a protocol and
architectural solution so that you need not have more identities than
are necessary.

I'm sure that many identity providers will make claims such as name
available. It's not clear to me that needs to be happening in the
same place as we handle authentication to the website until we get to
a point where we start supporting sending an identity to the website
that is not unique. Only at that point does the identity claim set
need to be part of the authentication.
_______________________________________________
Ietf-http-auth mailing list
Ietf-http-auth osafoundation.org
http://lists.osafoundation.org/cgi-bin/mailman/listinfo/ietf-http-auth

BOF proposal: making the web safe and easy for Eliot's father
2006-05-16 15:53:20
On 16-May-06, at 8:44 AM, Hallam-Baker, Phillip wrote:
> As an attempt to focus discussion here:
>
> I think we are all agreed that there is no shortage of strong
> authentication solutions for a network.
Agreed
>
> In particular I think we need to decide on a single identifier
> format and a service discovery strategy. We also need to develop a
> deployment strategy.
agreed
>
> There is an internet person identifier: an email address.
This is not a good identifier as it is not opaque, and was not
created for that purpose. dick sxip.com is a unique identifier, but it
is also where I receive email. I will often want to uniquely identify
myself without handing out an identifier that can be used in another
way.
URLs are great, opaque identifiers that allow retrieval of meta-data
about the identifier from the resource at the end of the URL.
>
> There is a service discovery mechanism: DNS SRV.
I think it is also important to anticipate that smart browsers will
be widely deployed, and that service discovery by the website may not
be needed.
-- Dick

BOF proposal: making the web safe and easy for Eliot's father
2006-05-16 17:37:59
>>>>> "Hallam-Baker," == Hallam-Baker, Phillip <pbaker verisign.com> writes:
Hallam-Baker,> As an attempt to focus discussion here: I think we
Hallam-Baker,> are all agreed that there is no shortage of strong
Hallam-Baker,> authentication solutions for a network.
Right.
And I don't believe I was proposing inventing a new one.
Hallam-Baker,> What we need is a way to apply those solutions
Hallam-Baker,> within an internetwork.
Agreed.
Hallam-Baker,> In particular I think we need to decide on a single
Hallam-Baker,> identifier format and a service discovery
Hallam-Baker,> strategy.
I think we also need mandatory to implement solutions, because I think
that's the only way we're going to get away from passwords for the
web. Getting away from sending tokens to websites that can be replayed
to third parties is critical in solving the phishing problem.
Hallam-Baker,> We also need to develop a deployment strategy.
Agreed.
Hallam-Baker,> There is a service discovery mechanism: DNS SRV.
Mmm. I agree we need discovery. I agree that discovery needs to work
given only an identifier. I agree SRV is excellent for some uses. I
think that asserting SRV at this stage is perhaps getting our
implementation details mixed in our requirements.
Hallam-Baker,> The ultimate goal of a deployment strategy must be
Hallam-Baker,> to get support for interoperable strong
Hallam-Baker,> authentication built into the operating system
Hallam-Baker,> chrome. Unless we get into the operating systems
Hallam-Baker,> we are going to be playing turtle stacking games
Hallam-Baker,> forever.
I think I agree with you.
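The point Sam makes above, that a credential which is simply sent to a website can be replayed by that website to a third party, is the mechanical core of the phishing problem. The following is an added illustration, not code from the thread or from any of its participants, and every key, origin and function name in it is constructed for the example. It contrasts a bearer-style credential (a password) with a challenge-response whose value is bound to the origin the user agent is actually talking to, and walks both through the same relay scenario from the verifier's side.

```python
"""Added example (not from the thread): a replayable bearer credential
versus an origin-bound challenge-response, seen from the verifying site.

All keys, origins and names below are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed long-term secret shared between the user's agent and the
# genuine site (stands in for whatever strong credential is in use).
USER_KEY = b"constructed-user-key-for-illustration"


# --- Scheme 1: a bearer credential (password-style) -----------------------

def bearer_credential(key: bytes) -> bytes:
    """The credential *is* the secret; any site that receives it holds
    everything needed to present it somewhere else."""
    return key


def site_verifies_bearer(key: bytes, presented: bytes) -> bool:
    """The site can only check equality; it cannot tell who relayed it."""
    return hmac.compare_digest(key, presented)


# --- Scheme 2: origin-bound challenge-response ----------------------------

def site_challenge() -> bytes:
    """Fresh per-session nonce issued by the site the agent connects to."""
    return secrets.token_bytes(16)


def agent_response(key: bytes, origin: str, nonce: bytes) -> bytes:
    """The agent mixes the origin it is really connected to into the MAC,
    so the response is only meaningful to that origin for that nonce."""
    msg = origin.encode("ascii") + b"\x00" + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


def site_verifies_response(key: bytes, own_origin: str, nonce: bytes,
                           presented: bytes) -> bool:
    """The genuine site recomputes with *its own* origin; a response that
    was produced for some other origin will not match."""
    expected = agent_response(key, own_origin, nonce)
    return hmac.compare_digest(expected, presented)


# --- Run both schemes through the same relay scenario ---------------------

def relay_outcomes() -> dict:
    """Return, per scheme, whether a relaying third party is accepted by
    the genuine site, plus a control showing the honest path still works."""
    genuine = "https://bank.example"         # constructed genuine origin
    lookalike = "https://bank-example.test"  # constructed lookalike origin

    # Scheme 1: the user authenticates to the lookalike, which forwards
    # the credential unchanged; the genuine site cannot distinguish it.
    captured = bearer_credential(USER_KEY)
    bearer_replay_accepted = site_verifies_bearer(USER_KEY, captured)

    # Scheme 2: the genuine site issues a nonce, the lookalike relays it,
    # but the agent binds its answer to the origin it actually sees.
    nonce = site_challenge()
    relayed = agent_response(USER_KEY, lookalike, nonce)
    bound_relay_accepted = site_verifies_response(
        USER_KEY, genuine, nonce, relayed)

    # Control: an agent talking directly to the genuine origin succeeds.
    honest = agent_response(USER_KEY, genuine, nonce)
    honest_accepted = site_verifies_response(USER_KEY, genuine, nonce, honest)

    return {
        "bearer_replay_accepted": bearer_replay_accepted,  # True
        "bound_relay_accepted": bound_relay_accepted,      # False
        "honest_accepted": honest_accepted,                # True
    }


if __name__ == "__main__":
    for name, accepted in relay_outcomes().items():
        print(f"{name}: {accepted}")
```

The design choice worth noticing is that the binding only helps if the user agent, not the user, supplies the origin: the agent knows which origin it connected to, while the user is exactly the party a lookalike fools. That is the same reason the thread keeps returning to mandatory-to-implement mechanisms and to support built into the operating system or browser chrome rather than into each website.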

BOF proposal: making the web safe and easy for Eliot's father
2006-05-16 18:10:30
On Tue, 16 May 2006, Dick Hardt wrote:
>> I think we are all agreed that there is no shortage of strong
>> authentication solutions for a network.
> Agreed
Indeed.
>> There is an internet person identifier: an email address.
>
> This is not a good identifier as it is not opaque, and was not created for
> that purpose. dick sxip.com is a unique identifier, but it is also where I
> receive email. I will often want to uniquely identify myself without handing
> out an identifier that can be used in another way.
This is a dreadful identifier. Email addresses are not unique across
time, are often reused, and very easily mistaken - I'm sure I'm not the
only person that's received email for a previous owner - or had their
email sent to the current owner of any given address.
cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet. This is the defining metaphor of my life right now."

BOF proposal: making the web safe and easy for Eliot's father
2006-05-16 18:19:54
>>>>> "Cat" == Cat Okita <cat reptiles.org> writes:
Cat> This is a dreadful identifier. Email addresses are not
Cat> unique across time, are often reused, and very easily
Cat> mistaken - I'm sure I'm not the only person that's received
Cat> email for a previous owner - or had their email sent to the
Cat> current owner of any given address.
Perhaps, but consider how well it works in practice. There are many
many websites that will be happy to reset a password and send it to an
email address.
If you need high assurance out of a particular identifier then use an
identity provider that provides that assurance. I doubt that banks
will ever allow identities issued by non-banks as an example because
doing so would open them up to huge liability.

BOF proposal: making the web safe and easy for Eliot's father
2006-05-16 18:40:46
On Tue, 16 May 2006, Sam Hartman wrote:
>>>>>> "Cat" == Cat Okita <cat reptiles.org> writes:
> Cat> This is a dreadful identifier. Email addresses are not
> Cat> unique across time, are often reused, and very easily
> Cat> mistaken - I'm sure I'm not the only person that's received
> Cat> email for a previous owner - or had their email sent to the
> Cat> current owner of any given address.
> Perhaps, but consider how well it works in practice. There are many
> many websites that will be happy to reset a password and send it to an
> email address.
I'm not sold on that being a feature ;> Having my password sent to
somebody else isn't my idea of a good thing.
> If you need high assurance out of a particular identifier then use an
> identity provider that provides that assurance. I doubt that banks
> will ever allow identities issued by non-banks as an example because
> doing so would open them up to huge liability.
Do banks in your country not require at least some form of government
issued identification in order to open an account?
cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet. This is the defining metaphor of my life right now."

Identifiers -- Re: BOF proposal: making the web safe and easy for Eliot's father
2006-05-16 18:41:01
So, first an admission:
The problem really wasn't just Eliot's dad, but Eliot himself.
Now to restate the problem that he/I have:
There are too many damn passwords and keys. This says very little about
identifiers at all. In fact, web browsers and mail readers do a darn
good job at remembering identifiers, and if they do that much and no
more to solve the problem I don't see a security concern. The problem
remains the password. If you solve only that problem and do so securely
you've moved the ball substantially.
Eliot