EU Privacy Authorities Seek Changes in Microsoft 'Passport'

Derek Atkins derek at ihtfp.com
Tue Jan 28 09:27:35 EST 2003


Single Sign-On by ITSELF is not a bad technology.  But it very much
depends on the architecture and implementation.  A Globally
Centralized SSO system like Passport certainly has problems as you
suggest.  A locally centralized SSO system like Kerberos is less
of an issue.  A Federated SSO system like Shibboleth is much better.

It all depends on your threat model.  Don't destroy SSO just because
some company decided to "do it wrong".

-derek

bear <bear at sonic.net> writes:

> The widespread acceptance of something as obviously a bad idea as
> passport really bothers me.  I could see a "password manager" program
> to automate the process of password invalidation where you discovered
> a compromise; but the idea of putting everything you do online on the
> same password or credential is just...  stupid beyond belief.
> 
> Why are single-sign-on systems even legal to sell without warnings?
> Why don't Msoft and the other members of the "Liberty alliance" have
> to put a big warning label on them that says "USE OF THIS PRODUCT WILL
> DEGRADE YOUR SECURITY"?  Because that's what we're looking at here;
> drastically reduced security for very marginally enhanced convenience.
> 
> But what really gets me about this is that it's totally obvious that
> that's what we're looking at, and people are buying this system
> anyway.  That's hard to swallow, because even consumers ought not to
> be that stupid.  But it's even worse than that, because people who
> ought to know better (and people who *DO* know better, their own
> ethics and customers' best interests be damned) are even *DEVELOPING*
> for this system.  It just doesn't make any damn sense.
> 
> 			Bear
> 

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek at ihtfp.com             www.ihtfp.com
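The architectural distinction drawn above (who is authoritative for whom, and what a stolen issuer key buys an attacker) as an added worked example; it is not code from the original thread nor from Passport, Kerberos or Shibboleth. It models a relying party that enrols issuers together with the user domains each may assert, then measures the impersonation reach of one compromised issuer key under a single global issuer, a single local realm, and a federation of per-organisation issuers. All issuer names, keys and users are constructed, and an HMAC stands in for the public-key signature a real identity provider would produce (so here the relying party also holds the key; the point is scope of trust, not key custody).

```python
"""Toy relying party comparing the blast radius of a stolen issuer key under
three SSO shapes: one global issuer, one local realm, a federation of issuers.
Added example; every name, key and user below is constructed."""
import base64
import hashlib
import hmac
import json


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer: str, issuer_key: bytes, subject: str, audience: str,
               now: int, ttl: int = 300) -> str:
    """Issuer side: assert `subject` to `audience`. HMAC stands in for the
    public-key signature a real identity provider would produce."""
    claims = {"iss": issuer, "sub": subject, "aud": audience, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(issuer_key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


class RelyingParty:
    """Accepts assertions only from enrolled issuers, and only for the user
    domains each issuer is authoritative for."""

    def __init__(self, name: str, trust: dict):
        # trust: issuer -> (verification key, set of domains it may assert)
        self.name = name
        self.trust = trust

    def verify(self, token: str, now: int):
        """Return (subject, "ok") on success, otherwise (None, reason)."""
        try:
            body, mac = token.split(".")
            claims = json.loads(_unb64(body))
        except ValueError:  # wrong shape, bad base64 or bad JSON
            return None, "malformed"
        if not isinstance(claims, dict):
            return None, "malformed"
        entry = self.trust.get(claims.get("iss"))
        if entry is None:
            return None, "unknown issuer"
        key, domains = entry
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), mac.encode()):
            return None, "bad signature"
        if claims.get("aud") != self.name:
            return None, "wrong audience"
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            return None, "expired"
        subject = str(claims.get("sub", ""))
        # Scope check: an issuer may only vouch for users in its own domains.
        if "@" not in subject or subject.rsplit("@", 1)[1] not in domains:
            return None, "issuer not authoritative for subject"
        return subject, "ok"


def blast_radius(rp: RelyingParty, issuer: str, stolen_key: bytes,
                 users: list, now: int) -> list:
    """Which of `users` an attacker holding `stolen_key` can impersonate at `rp`."""
    return [u for u in users
            if rp.verify(mint_token(issuer, stolen_key, u, rp.name, now), now)[1] == "ok"]


NOW = 1_700_000_000  # fixed clock so the example is deterministic
USERS = ["alice@example.edu", "bob@example.org", "carol@example.com"]
ALL_DOMAINS = {"example.edu", "example.org", "example.com"}

# Globally centralised: one issuer, one key, vouches for everyone.
GLOBAL_KEY = b"constructed-global-key"
GLOBAL_RP = RelyingParty("shop", {"global-idp": (GLOBAL_KEY, ALL_DOMAINS)})

# Locally centralised (a Kerberos-style realm): one issuer, only for its realm.
REALM_KEY = b"constructed-realm-key"
LOCAL_RP = RelyingParty("shop", {"kdc.example.edu": (REALM_KEY, {"example.edu"})})

# Federated: each organisation's issuer has its own key and its own domain.
FED_KEYS = {"idp.example.edu": b"constructed-edu-key",
            "idp.example.org": b"constructed-org-key",
            "idp.example.com": b"constructed-com-key"}
FED_RP = RelyingParty("shop", {iss: (key, {iss.split(".", 1)[1]})
                               for iss, key in FED_KEYS.items()})


def compare() -> dict:
    """Impersonation reach of one stolen issuer key under each architecture."""
    edu_key = FED_KEYS["idp.example.edu"]
    return {
        "global": blast_radius(GLOBAL_RP, "global-idp", GLOBAL_KEY, USERS, NOW),
        "local": blast_radius(LOCAL_RP, "kdc.example.edu", REALM_KEY, USERS, NOW),
        "federated": blast_radius(FED_RP, "idp.example.edu", edu_key, USERS, NOW),
        # A compromised federation member cannot sign as another member...
        "forged_issuer": FED_RP.verify(
            mint_token("idp.example.org", edu_key, "bob@example.org", "shop", NOW), NOW)[1],
        # ...nor assert a user outside its own domain under its own name.
        "out_of_scope": FED_RP.verify(
            mint_token("idp.example.edu", edu_key, "bob@example.org", "shop", NOW), NOW)[1],
    }
```

Running `compare()` shows the global issuer's key reaching all three users, while the stolen realm key and the stolen federation-member key each reach only that organisation's users; the two forgery attempts fail on the signature and on the scope check respectively. The scope check is the part that is easy to forget when building a federated relying party: without it, any enrolled issuer can assert any subject, and the federation silently collapses back into the global model.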

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com