Kim wants to help, and Pat Patterson puts flesh on the bones of my proposal in an infocards context.
To summarise Pat’s proposal, what happens is you go to wherever you want to log in, you fetch your username/password for that site from your IdP, encrypted using the public key for that site. That way, only the IdP and the site know the password. I’m pretty impressed that this can be done without modifying the WS-* protocols, but there’s still a little work left to be done…
In particular, we’re presumably going to be migrating to this from an existing login – in the process we should change the password from whatever phishable nastiness was in use to a nice strong, random password. Or one derived from a master password and the site’s name. Failure to do this would not improve the phishing situation.
Also, if we use the latter scheme, we can eliminate the IdP and do the whole thing locally, using the master password. This gives you portability (without worrying about the grander problem of porting all credentials) for free.
And, of course, this all needs to happen without much work or comprehension on the part of the user. But it’s definitely a step in the right direction!
Kim correctly observes that the browser is not the place to be typing your password. Indeed. I should have mentioned that.
Clearly any mechanism that can be imitated by a web page is dead in the water. Kim also wants to rule out plugins, I take it, given his earlier reference to toolbar problems. I’m OK with that. We want something that only a highly trusted program can do. That’s been so central to my thinking on this I forgot to mention it. Sorry.
Kim Cameron, bless him, manages to interpret one of my most diabolical hungover bits of prose ever. I am totally with him on the problem of pharming, but the reality is that the average Cardspace user authenticated with nothing better than a password (when they logged into Windows). Furthermore, if you are going to achieve portability of credentials, then you can either do it in dreamland, where all users carry around their oh-so-totally-secure bluetooth credential device, or you can do it in the real world, where credentials will be retrieved from an online store secured by a password. And yes, we’ll encourage people to make sure that’s a passphrase, and they don’t type it in in web cafes, and all that. And the corporate VPN types will use SAML and doohickeys with keypads. And maybe if they’re really smart the “online store” will actually be a USB stick and a backup split between a few of their best friends.
But we have a simple mission: protect that password.
If you believe the Cardspace UI can protect people’s credentials, then surely it can protect a password?
If it really can’t (that is, we cannot come up with UI that people will reliably identify and eschew all imitations), then how will we ever have a workable, scalable system that includes recovery of credentials after loss or destruction of their physical goods?
Kim Cameron writes about fixing OpenID’s phishing problems by using Cardspace. Certainly I agree that using strong authentication to the OpenID provider fixes the phishing problem – but if you have strong authentication, why bother to use OpenID at all? Why not strongly authenticate to the site you are really trying to log into, instead?
Of course, Cardspace is a pretty heavyweight solution for this, so perhaps that’s what Kim’s getting at? It also doesn’t work well if you have more than one machine – moving your credentials around is not something Cardspace does well.
In my view, there’s a sweeter spot for solving this problem than Cardspace (or OpenID, obviously) – and that is to do strong authentication based purely on a password. That way, you can use the same password everywhere, so no problem with moving between machines, but can still resist phishing attacks and don’t have to make yourself linkable across all sites. Obviously supporting this would be way easier than taking the whole of Cardspace on board, but would have all of the immediate advantages. Clearly it would get you nowhere with advanced identity management, but it’s not like we don’t already have protocols for that, and nor does there seem to be much demand for it yet.
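The “one master password, a different password per site” idea sketched above, and the earlier point about migrating each login to a strong password derived from the master and the site’s name, as an added example (not code from the post or from any of the projects it mentions); the choice of PBKDF2-HMAC-SHA256, the iteration count, the output format and the URL normalisation are my assumptions:

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Added example, not code from the post. Per-site passwords are derived from
# a master password and the site's name; KDF, iteration count and output
# length are assumptions, not something the post specifies.
PBKDF2_ITERATIONS = 200_000
DERIVED_LENGTH = 20


def site_name(login_url: str) -> str:
    """Normalise a login URL to the name the derivation is keyed on.

    Assumption: the host, lower-cased, with a leading 'www.' dropped.
    In a real deployment this value must come from the trusted program
    that sees the actual connection, never from page content, or a
    phishing page could simply claim to be the real site.
    """
    host = (urlsplit(login_url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def derive_site_password(master: str, site: str) -> str:
    """Derive the password registered with `site` from the master password.

    The site name is the salt, so two sites never see related values
    (accounts are not linkable) and a lookalike host gets a different
    value (a phishing site only ever learns a password that works nowhere
    else). PBKDF2 slows offline guessing of the master if one derived
    password leaks, but the master itself must still be strong.
    """
    salt = b"site-password-v1|" + site.encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              PBKDF2_ITERATIONS, dklen=32)
    # urlsafe base64 gives [A-Za-z0-9_-]: printable, 6 bits per character
    return base64.urlsafe_b64encode(key).decode("ascii")[:DERIVED_LENGTH]


def password_for(master: str, login_url: str) -> str:
    """Convenience wrapper: login URL in, site-specific password out."""
    return derive_site_password(master, site_name(login_url))


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master password
    real = password_for(master, "https://www.example.com/login")
    other = password_for(master, "https://example.net/login")
    phish = password_for(master, "https://examp1e.com/login")
    print("example.com :", real)
    print("example.net :", other, "(different, so not linkable)")
    print("examp1e.com :", phish, "(lookalike host gets a useless value)")
    # Same master on another machine reproduces the same password: portability.
    assert real == password_for(master, "http://example.com/")
```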
The Guardian has a nice article about Wikileaks today. This was triggered by bizarre behaviour on the part of Bank Julius Baer’s lawyers, Lavely and Singer (“Attack Dogs of L.A. Law”), who asked Wikileaks to remove documents without specifying what documents or who their client was and then got an injunction to have the wikileaks.org domain deleted.
The documents are still available, of course.
One thing I should correct, though. The article says
Those behind Wikileaks include … Ben Laurie, a mathematician living in west London who is on the advisory board.
I’m not a mathematician (any more), and I’m not behind Wikileaks. I think it’s a good idea, and I did comment on an early design for the technical infrastructure (which, I must say, was cool), but I am otherwise uninvolved. Everyone thinks this is just a cunning ploy to distance myself from it, but really, it’s true.
Pamela is freaked out by sites that gather all your logins. So am I. But this is exactly why a group of us got together to create OAuth. OAuth allows you to delegate access to your various accounts without revealing your username and password. All we need now is for all these sites to start using it.
It seems MySpace’s developer launch today is causing Caja to get splattered all over the place.
So, Egg are shedding customers they think are a bad risk. I wonder what happens if this becomes fashionable? Since the worst offenders are in the habit of moving their debt from one free offer to the next, presumably whoever moves last will end up with the credit card equivalent of the sub-prime mortgage disaster. Buy Egg, sell HSBC!