SSO (was Re: biometrics)

Marc Branchaud marcnarc at rsasecurity.com
Thu Feb 7 13:56:09 EST 2002


Dan Geer wrote:
> 
> 
> >   In the article they repeat the recommendation that you never
> >   use/register the same shared-secret in different domains
> 
> Compare and contrast, please, with the market's overwhelming
> desire for single-sign-on (SSO).  Put differently, would the
> actual emergence of an actual SSO signal a market failure by
> the above analysis?

In most SSO schemes, the password is only used to authenticate to a single
domain, and (a token attesting to) the fact that the authentication succeeded
is passed around to other domains.  The authenticating domain is typically
akin to the user's "home" domain (as opposed to the user just logging into
some arbitrary domain) so the password isn't widely shared.  Most of these
schemes are web-based, and users that first surf to a non-home domain are
redirected (as transparently as possible) to their local domain for
authentication, and something like an authentication "ticket" is encoded in a
cookie or in a return-redirecting URL.

		M.
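The redirect flow Marc describes, as an added worked example that is not part of the original post or of any particular SSO product: a home domain that checks the password and issues a ticket bound to the relying domain, and a relying domain that never sees the password and only verifies the ticket it gets back in the return URL. The claim names, the 300-second ticket lifetime and the use of a single HMAC key shared between the home and relying domains are assumptions made for illustration.

```python
"""Redirect-based web SSO as sketched in the post, modelled end to end: the
home domain alone checks the password; relying domains get an HMAC-signed
ticket through a return-redirect URL and verify that.  Constructed example;
the claim names and the shared-HMAC-key trust model are assumptions."""
import base64, hashlib, hmac, json, os, time
from urllib.parse import parse_qs, urlencode, urlparse

TICKET_TTL = 300  # ticket lifetime in seconds (assumption)

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class HomeDomain:
    """Authenticating ('home') domain: the only party that ever sees the password."""
    def __init__(self, name, ticket_key):
        self.name, self._key, self._users = name, ticket_key, {}

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, self._kdf(password, salt))

    def login(self, user, password, return_to, now=None):
        """Redirected login: on success return the URL that sends the browser
        back to the relying domain carrying a ticket; None on bad credentials."""
        rec = self._users.get(user)
        if rec is None or not hmac.compare_digest(self._kdf(password, rec[0]), rec[1]):
            return None
        now = int(time.time()) if now is None else now
        claims = {"iss": self.name, "sub": user,
                  "aud": urlparse(return_to).hostname,  # bind ticket to one relying domain
                  "iat": now, "exp": now + TICKET_TTL,
                  "jti": _b64e(os.urandom(8))}          # unique id, lets the RP spot replays
        body = _b64e(json.dumps(claims, sort_keys=True).encode())
        tag = _b64e(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        return return_to + "?" + urlencode({"ticket": body + "." + tag})

class RelyingDomain:
    """A non-home domain: never sees the password, only verifies tickets."""
    def __init__(self, name, home, ticket_key):
        self.name, self.home, self._key, self._seen = name, home, ticket_key, set()

    def redirect_to_login(self, path):
        """First hit by an unauthenticated browser: bounce it to the home domain."""
        return_to = "https://%s%s" % (self.name, path)
        return "https://%s/login?" % self.home.name + urlencode({"return_to": return_to})

    def consume(self, redirect_url, now=None):
        """Check the ticket in the return redirect; return the user name or None."""
        now = int(time.time()) if now is None else now
        ticket = parse_qs(urlparse(redirect_url).query).get("ticket", [""])[0]
        body, _, tag = ticket.partition(".")
        try:
            given = _b64d(tag)
        except ValueError:
            return None
        expect = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        if not body or not hmac.compare_digest(given, expect):
            return None                                   # forged or tampered
        c = json.loads(_b64d(body))
        if c.get("iss") != self.home.name or c.get("aud") != self.name:
            return None                                   # wrong issuer, or ticket for another domain
        if not c["iat"] <= now < c["exp"]:
            return None                                   # expired
        if c["jti"] in self._seen:
            return None                                   # replayed
        self._seen.add(c["jti"])
        return c["sub"]

def demo(now=1_000_000):
    """Run the exchange once and probe the failure cases; returns the outcomes."""
    key = os.urandom(32)                                  # shared by home and relying domains
    home = HomeDomain("home.example", key)
    home.register("alice", "correct horse")
    shop = RelyingDomain("shop.example", home, key)
    bank = RelyingDomain("bank.example", home, key)
    login_url = shop.redirect_to_login("/cart")           # step 1: RP -> home
    return_to = parse_qs(urlparse(login_url).query)["return_to"][0]
    back = home.login("alice", "correct horse", return_to, now)   # step 2: home -> RP
    fresh = home.login("alice", "correct horse", return_to, now)  # a second, unused ticket
    body, tag = parse_qs(urlparse(back).query)["ticket"][0].split(".")
    c = json.loads(_b64d(body)); c["sub"] = "mallory"     # alter the claims, keep the old tag
    forged = _b64e(json.dumps(c, sort_keys=True).encode()) + "." + tag
    return {
        "login_url": login_url,
        "password_in_redirect": "correct horse" in back,
        "bad_password": home.login("alice", "wrong", return_to, now),
        "accepted": shop.consume(back, now),              # step 3: RP verifies
        "replayed": shop.consume(back, now),
        "wrong_audience": bank.consume(back, now),
        "expired": shop.consume(fresh, now + TICKET_TTL),
        "tampered": shop.consume("https://shop.example/cart?" + urlencode({"ticket": forged}), now),
    }
```

demo() walks the three legs (relying domain redirects to home, home authenticates and redirects back with a ticket, relying domain verifies) and then probes what the ticket alone has to defend against once the password is out of the picture: replay, presentation at a domain it was not issued for, expiry, and tampering with the claims. Because the relying domains hold the same HMAC key as the home domain, any of them could mint tickets here; that is the price of the simplest construction, and a deployment that does not trust relying domains that much would have the home domain sign with a private key instead.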

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
