March 2007


I’ve been waiting for the first OpenID provider to offer a certificate-based, no-password-ever service. Not an SSL service, a certificate-authentication-based service. That is, a service that simply puts a certificate in your database and uses that to authenticate you. Browsers are well versed in the art of the certificate these days; they have had a while to eke out the rough spots. Auto-installation of certificates from a web page is possible and that allows a pretty seamless experience for sign up and “log in.” Prooveme.com very nearly, almost, but not quite gets it right. When I signed up and briefly tested the service I noted three rather serious problems:

  1. I had to click through a certificate security alert dialog because they used a self-signed certificate for the page that installs the user certificate. It is just fine to use self-signed certificates for user identification in this case, in fact it is the perfect use case, but I should know who is giving me the certificate and I shouldn’t be trained any further in bad browsing habits. Their users are surely worth a $20 certificate.
  2. Upon signing up for a site I discover that I am not asked if I have authorized the site to identify me. If I log in to a site for the first time I want to be alerted to that fact. There needs to be some level of control here so that I can decide to be auto-logged in to a particular site.
  3. After recovering from the shock of being logged in straight away, I noticed my name had been given up too! That is, er, not cool.

I’m a forgiving sort though, so I shall take comfort in the knowledge that this is a relatively new service and it is still working on these things. Clearing up these issues will get us all a whole lot closer to the ideal provider set up, and I think, the minimum required security for the use of OpenID by anyone who cares about their identity.

Recently Kim Cameron has been defending CardSpace against various assertions that it won’t work offline. As I pointed out some while back, that is pure nonsense. I’ll let you read Kim’s blog for the details of how such a system might work with CardSpace, but I’ll just say it has to do with delegation. And that’s just a big word for access control, in this case user-centric decentralized access control.

There really is no big secret to how this stuff is possible: at some point in time an offline user will be online, and during that time, instead of ceding their credentials to the service in the sky (or worse, having that happen without choice), they spend the time granting access specific to the service that needs it. That’ll be a statement along the lines of “Pete’s blog is allowed to view this flickr photoset,” not “here’s my password dude, do as you will,” or indeed “hey, IdP, see that service? That’s me that is.” I have to agree with Kim on the notion of impersonation: at no time should anybody give the required access level for impersonation of themselves, on or offline.
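One way to make a statement like “Pete’s blog is allowed to view this flickr photoset” concrete, as an added example that is not part of the original post and is not CardSpace’s or any real provider’s mechanism: while online, the user mints a grant naming exactly one grantee, one resource and one action, with an expiry, and the service later checks that grant against the request actually in front of it, with the user nowhere in the loop. The key, the grantee name and the photoset identifier below are assumptions, and a shared HMAC key stands in for the user’s signature over the grant (in a real deployment the user would sign with a key the service can verify, such as the certificate from the first part of this post).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key for this example only. A shared HMAC key stands in for the
# user's own signing key; the point is who issues the grant and how narrow it is.
USER_GRANT_KEY = b"constructed-example-key-not-for-reuse"

# Scopes that amount to "hey, service, that's me that is": never mint them.
IMPERSONATION_SCOPES = {"*", "all", "impersonate"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_grant(key, grantee, resource, action, ttl_seconds, now=None):
    """User side, done while online: issue a grant scoped to one grantee,
    one resource and one action, valid for a bounded time. Refuses to mint
    anything broad enough to let the grantee impersonate the user."""
    for field in (grantee, resource, action):
        if field in IMPERSONATION_SCOPES:
            raise ValueError("refusing to mint an impersonation-level grant")
    now = time.time() if now is None else now
    body = {
        "grantee": grantee,
        "resource": resource,
        "action": action,
        "iat": int(now),
        "exp": int(now + ttl_seconds),
    }
    # Canonical JSON so the same grant always serialises to the same bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def check_grant(key, token, grantee, resource, action, now=None):
    """Service side, at access time (the user may be offline): True only if the
    token is authentic, unexpired and authorises exactly this request."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # forged or tampered
        body = json.loads(payload)
        if not isinstance(body, dict):
            return False
    except (ValueError, TypeError, AttributeError):
        # malformed token, bad base64 (binascii.Error is a ValueError), bad JSON
        return False
    now = time.time() if now is None else now
    if now >= body.get("exp", 0):
        return False  # grant has run out; the user must come back online to renew it
    wanted = (grantee, resource, action)
    return (body.get("grantee"), body.get("resource"), body.get("action")) == wanted


if __name__ == "__main__":
    photoset = "flickr:photoset:72157600000000"  # constructed identifier
    token = mint_grant(USER_GRANT_KEY, "petes-blog", photoset, "view", ttl_seconds=3600)
    print("pete's blog may view:  ", check_grant(USER_GRANT_KEY, token, "petes-blog", photoset, "view"))
    print("pete's blog may delete:", check_grant(USER_GRANT_KEY, token, "petes-blog", photoset, "delete"))
    print("some other site may view:", check_grant(USER_GRANT_KEY, token, "other-site", photoset, "view"))
```

Because the grant names its grantee, a token that leaks from Pete’s blog is useless to anyone else; because it names one resource and one action, the blog can do nothing the user did not say; and because the wildcard scopes are refused at mint time, there is no path by which the user hands over the access level needed to impersonate them, online or off.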

There be dragons.