[JDEV] Single Sign-on and stuff
iainshigeoka at yahoo.com
Mon Oct 8 10:05:26 CDT 2001
At 02:28 PM 10/7/2001 +0100, you wrote:
>OK, this has turned into a rant, for which I apologise, but a rant it will
>be. I see this all the time: developers sacrificing usability for security,
>in the mistaken belief that black hats will tear people to pieces unless
>it's 100% impenetrable. Not true. At the end of the day, SSI is about
>convenience. I'd like to use one password to sign in to all my websites and
>yes in the future FTP servers and other things too. I'd like to type in my
>username and password once, and then for the network to remember all this
>and not prompt me again. This opens the system up to abuse of course, even
>if it's just my little brother sitting down at the keyboard while I'm out of
>the room and looking at my eGroups preferences. But I'm willing to accept
>less security for more convenience, and many other people are too. It's a
>compromise at the end of the day between the ultra-tight security of
>Kerberos and a real world implementation that's easy to use and develop for.
>I stick by it.
Hoorah! I also agree that convenience and ease of use are just as
important as "security" when designing real world systems (except when
working for the NSA or other places where they can expect you to go through
the extra hassles of "solid security"). The trick really is to balance the
two forces... hopefully allowing users the ability to adjust how secure
they need to be (but even that introduces complexity and so may not be
I have been thinking that perhaps we should look at jabber security (and
SSO) in a different light. Right now, sign-on is equivalent to unlocking
the gates. Once inside, we have unlimited access to whatever we're
authorized to do. It is all or nothing and you have to unlock the gate to
But signing on to a Jabber server really isn't that big a deal. So you use
up a connection on the server. Is that really that important? And what
about updating presence. Is it that disastrous that someone can overcome
your sign-on and make it look like you're online? For most the answer is no.
So perhaps it should be simple simple simple to sign on, update presence,
and send/read "insecure" messages. Like web browsing.
It should be a little more difficult to read and send secure messages
(confidentiality and nonrepudation (signatures)... where most people are
concerned about security).
And it should be hard to break in (and a little more work to use) "really
secure" things like digital wallets when we have that on jabber.
This seems to suggest a "key ring" with various keys (credentials) and
differing levels of security. Name and password say to signon once (this
is not that valuable a sign on but is universal and simple... SSO). Then
the client must use a separate key (perhaps requiring another passphrase)
to decrypt/encrypt "secure messages". Finally, a separate passphrase and
separate security system to transact financial exchange...
I wonder if it is practical.
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com
More information about the JDev