From: David Sugar
Subject: [Auth] Authentication and anonymity....
Date: Sun, 15 Jul 2001 09:38:51 -0400
User-agent: Mozilla/5.0 (X11; U; Linux 2.2.16-9mdk i686; en-US; m18) Gecko/20001013
For example, if one authenticates with .dotgnu.org, and then visits .fungnu.org, an "affiliated site" that trusts .dotgnu.org authentication for the purpose of mobile single sign-in, then what .fungnu.org receives is something that simply says 'this user, I will call him "x", is the same user "x" I authenticated to you before'. This is how I think portable authentication should work, and it could do so without revealing who "x" is.
This requires trust to exist between sites that accept authentication from each other. Perhaps site .dotgnu.org would sign the authentication/certification with its own private key, and affiliated site "y" would then be able to verify that this is a valid declaration of "x".
Using something like this, it is quite possible to do a portable authentication system like this even entirely within cookies, as the information provided is very small. The key problem with cookies of course is that they are easily tracked, especially if there is a known authentication cookie.
Rather than cookies, it would be nice if the authentication system were unique and done through a handoff, where an authentication site, such as .dotgnu.org, simply says, "here is user X; this is the same user X I gave you before". Doing it this way prevents the cookie problem, and the id X could be changed or different when presented to different affiliated sites, so the X you have been authenticated as for .fungnu.org is not the same X you are known as in the authentication system at .newsgnu.org.
David
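As an added illustration (not code from the message above or from the DotGNU project), here is the handoff David describes, written in Go: the authentication site derives a different pseudonym for each affiliate and signs the assertion with its private key, and the affiliate checks it with the site's public key. The site names, the HMAC-derived pseudonym, the Ed25519 signature and the newline-separated payload are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// Assertion is what the authentication site hands to an affiliate: a pseudonym meaningful only there, plus a signature.
type Assertion struct {
	Issuer, Audience, Pseudonym string
	Sig                         []byte
}

// Issuer is the authentication site (e.g. dotgnu.org); the secret pepper gives each affiliate a different stable pseudonym.
type Issuer struct {
	Name   string
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
	pepper []byte
}

func NewIssuer(name string) *Issuer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	pepper := make([]byte, 32)
	if _, err2 := rand.Read(pepper); err != nil || err2 != nil {
		panic("no entropy available")
	}
	return &Issuer{Name: name, Pub: pub, priv: priv, pepper: pepper}
}

// Pseudonym = HMAC(pepper, audience || user): stable for one affiliate, unlinkable across affiliates without the secret.
func (is *Issuer) Pseudonym(userID, audience string) string {
	m := hmac.New(sha256.New, is.pepper)
	m.Write([]byte(audience + "\x00" + userID))
	return hex.EncodeToString(m.Sum(nil)[:16])
}
func payload(a Assertion) []byte { return []byte(a.Issuer + "\n" + a.Audience + "\n" + a.Pseudonym) }
func (is *Issuer) Issue(userID, audience string) Assertion {
	a := Assertion{Issuer: is.Name, Audience: audience, Pseudonym: is.Pseudonym(userID, audience)}
	a.Sig = ed25519.Sign(is.priv, payload(a))
	return a
}

// Verify runs at the affiliate: trust only known issuer keys, and refuse an assertion minted for another site.
func Verify(a Assertion, trusted map[string]ed25519.PublicKey, self string) bool {
	pub, ok := trusted[a.Issuer]
	return ok && a.Audience == self && ed25519.Verify(pub, payload(a), a.Sig)
}
```

Because the audience is bound into the signed payload, an assertion issued for one affiliate is rejected by another, which is what keeps the per-site identities from being linked.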