Ben Laurie blathering

A Concrete Proposal

Kim wants to help, and Pat Patterson puts flesh on the bones of my proposal in an infocards context.

To summarise Pat’s proposal, what happens is you go to wherever you want to log in, you fetch your username/password for that site from your IdP, encrypted using the public key for that site. That way, only the IdP and the site know the password. I’m pretty impressed that this can be done without modifying the WS-* protocols, but there’s still a little work left to be done…

In particular, we’re presumably going to be migrating to this from an existing login – in the process we should change the password from whatever phishable nastiness was in use to a nice strong, random password. Or one derived from a master password and the site’s name. Failure to do this would not improve the phishing situation.

Also, if we use the latter scheme, we can eliminate the IdP and do the whole thing locally, using the master password. This gives you portability (without worrying about the grander problem of porting all credentials) for free.

And, of course, this all needs to happen without much work or comprehension on the part of the user. But it’s definitely a step in the right direction!


  1. You just described Site Password

    If you want “all [this] to happenw ithout much work or comprehension on the p art of the user” then PassPet would appear to get pretty close to the mark.

    Comment by Toby — 29 Feb 2008 @ 1:33

  2. Better yet, try the GPL/LGPL licensed PasswordMaker that also dynamically generates your passwords based on a master passphrase, info from the site, and any other details you may want to include. And for those that don’t like plugins and extensions, they have a fat client or stand alone javascript implementation as well.

    Comment by meeas — 29 Feb 2008 @ 19:53

  3. […] raises the bootstrap question, and also says (paraphrasing slightly) “If we derive an RP password from a master password and the RP […]

    Pingback by More on CardSpace Password Management « Superpatterns — 18 Sep 2010 @ 0:29

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress