EU Privacy Authorities Seek Changes in Microsoft 'Passport'
Derek Atkins
derek at ihtfp.com
Tue Jan 28 09:27:35 EST 2003
Single Sign-on by ITSELF is not a bad technology. But it very much
depends on the architecture and implementation. A Globally
Centralized SSO system like Passport certainly has problems as you
suggest. A locally centralized SSO system like Kerberos is less
of an issue. A Federated SSO system like Shibboleth is much better.
It all depends on your threat model. Don't destroy SSO just because
some company decided to "do it wrong".
-derek
bear <bear at sonic.net> writes:
> The widespread acceptance of something as obviously a bad idea as
> passport really bothers me. I could see a "password manager" program
> to automate the process of password invalidation where you discovered
> a compromise; but the idea of putting everything you do online on the
> same password or credential is just... stupid beyond belief.
>
> Why are single-sign-on systems even legal to sell without warnings?
> Why don't Msoft and the other members of the "Liberty alliance" have
> to put a big warning label on them that says "USE OF THIS PRODUCT WILL
> DEGRADE YOUR SECURITY"? Because that's what we're looking at here;
> drastically reduced security for very marginally enhanced convenience.
>
> But what really gets me about this is that it's totally obvious that
> that's what we're looking at, and people are buying this system
> anyway. That's hard to swallow, because even consumers ought not to
> be that stupid. But it's even worse than that, because people who
> ought to know better (and people who *DO* know better, their own
> ethics and customers' best interests be damned) are even *DEVELOPING*
> for this system. It just doesn't make any damn sense.
>
> Bear
>
>
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
--
Derek Atkins
Computer and Internet Security Consultant
derek at ihtfp.com www.ihtfp.com
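An added illustration of the point Derek makes above (this is my example, not code from the post or from Passport, Kerberos or Shibboleth): the blast radius of a compromise depends on the SSO architecture, not on SSO as such. Two toy models are compared: one password reused at every site, and a Shibboleth-style federation where an identity provider (IdP) issues a signed assertion scoped to one relying party (RP) with a short lifetime and a one-time nonce. Assumptions: HMAC-SHA256 with a key held by the IdP stands in for the IdP's signature (real SAML uses a public-key signature, so RPs cannot forge assertions; here the RPs are trusted with the verification key for brevity), and all site names, subjects and passwords are invented.

```python
"""Added illustration (not from the mailing-list post): with one password
reused everywhere, a leak at one site opens every site; with a federated
assertion that is audience-restricted, short-lived and single-use, a capture
at one RP opens that RP only, and only once.  HMAC stands in for the IdP's
signature; names and passwords are invented."""
import hashlib
import hmac
import json
import os
import time


# --- Model 1: one credential everywhere -----------------------------------

def sites_opened_by_leaked_password(leaked, site_passwords):
    """Return every site at which the leaked password logs the user in.

    site_passwords maps site name -> the password the user set there.  With a
    single shared credential, compromise at one site is compromise at all.
    """
    return [site for site, pw in site_passwords.items()
            if hmac.compare_digest(pw.encode(), leaked.encode())]


# --- Model 2: federated SSO with audience-restricted assertions ------------

class IdentityProvider:
    def __init__(self, signing_key):
        self._key = signing_key

    def issue(self, subject, audience, ttl=300, now=None):
        """Issue an assertion for `subject`, valid only at `audience` for `ttl` s."""
        now = int(time.time() if now is None else now)
        claims = {"sub": subject, "aud": audience, "iat": now,
                  "exp": now + ttl, "nonce": os.urandom(8).hex()}
        payload = json.dumps(claims, sort_keys=True, separators=(",", ":"))
        tag = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        return payload + "." + tag

    def verification_key(self):
        return self._key  # would be a public key in a real deployment


class RelyingParty:
    def __init__(self, name, idp_verification_key):
        self.name = name
        self._key = idp_verification_key
        self._seen_nonces = set()

    def accept(self, token, now=None):
        """Return (True, subject) or (False, reason) for one presented assertion."""
        payload, sep, tag = token.rpartition(".")   # the hex tag contains no '.'
        if not sep:
            return False, "malformed"
        expected = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad signature"          # tampered or forged
        claims = json.loads(payload)
        if claims["aud"] != self.name:
            return False, "audience mismatch"      # captured at another RP
        now = time.time() if now is None else now
        if now >= claims["exp"]:
            return False, "expired"
        if claims["nonce"] in self._seen_nonces:
            return False, "replay"
        self._seen_nonces.add(claims["nonce"])
        return True, claims["sub"]


def rps_opened_by_leaked_assertion(token, rps, now=None):
    """Return the names of the RPs that accept a captured assertion."""
    return [rp.name for rp in rps if rp.accept(token, now)[0]]


if __name__ == "__main__":
    sites = ["shop.example", "mail.example", "bank.example"]
    # Model 1: the user reused "hunter2" everywhere, so one leak opens all three.
    print(sites_opened_by_leaked_password("hunter2", {s: "hunter2" for s in sites}))
    # Model 2: an assertion for shop.example captured by an attacker opens
    # shop.example only, and only once.
    idp = IdentityProvider(os.urandom(32))
    rps = [RelyingParty(s, idp.verification_key()) for s in sites]
    token = idp.issue("alice", "shop.example")
    print(rps_opened_by_leaked_assertion(token, rps))
    print(rps_opened_by_leaked_assertion(token, rps))
```

The checks an RP performs (signature, audience, expiry, nonce) are what bound the damage: the RP never learns a reusable secret, so a compromised RP or a captured assertion yields at most one login at that RP. A globally centralized system that hands every site the same long-lived credential behaves like Model 1 regardless of how the credential is transported.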