dotgnu-auth

Re: [Auth]Another weakness of Passport


From: Norbert Bollow
Subject: Re: [Auth]Another weakness of Passport
Date: Thu, 11 Oct 2001 09:09:47 +0200

John le'Brecage <address@hidden> wrote:

> Hmmm... password and username for Passport stored as clear text?
> 
> http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2814881,00.html
> 
> Real dangerous move for Microsoft? Real nice bit of PRopaganda for us.

Before we get too self-confident... let's be aware that this isn't
just a blunder of Microsoft, but rather a fundamental problem
for every single-login system.

The secret information that gives access to the auth server(s)
must be stored somehow on the client computer.

If you want to protect this information reasonably well, e.g. in
a way similar to how GnuPG protects your secret key, then you
have some inconvenience with the passphrase and all that.

On the other hand, if you want a very convenient system, then
you will have security problems.  Microsoft could have obscured
it a bit, to make it more difficult to figure out, but I don't
think that there is any way in which they can make it
fundamentally more secure without inconveniencing their users.

It is an essential part of the DotGNU vision to provide a
reasonably secure virtual identities system.  This security can
be achieved for example by using GnuPG for digitally signing
every request to the authentication server.  This however is an
inconvenience for the user, who will have to type in the
passphrase.

This strategy will work for DotGNU but it wouldn't work for
Microsoft.  If they did things this way, there'd be no chance of 
.NET and Passport ever taking off.

Greetings, Norbert.

-- 
A member of FreeDevelopers and the DotGNU Steering Committee: dotgnu.org
Norbert Bollow, Weidlistr.18, CH-8624 Gruet   (near Zurich, Switzerland)
Tel +41 1 972 20 59       Fax +41 1 972 20 69      http://thinkcoach.com
Your own domain with all your Mailman lists: $15/month  http://cisto.com
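
An added illustration of the trade-off discussed in the message above (not part of the original post, and not DotGNU, GnuPG or Passport code): a cleartext credential record beside a signing key that is usable only after the user types a passphrase. PBKDF2 and HMAC from the Python standard library stand in for GnuPG's passphrase-protected secret key and its signatures (so the server shares the key here, unlike with GnuPG); all function names, record fields and sample values are constructed.

```python
import hashlib
import hmac
import os

def store_convenient(password):
    # Convenient single login: the secret sits on disk in the clear,
    # so anyone who can read the file can log in as the user.
    return {"password": password}

def _derive(passphrase, salt):
    # Stretch the passphrase into a 32-byte pad plus a 32-byte MAC key.
    okm = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=64)
    return okm[:32], okm[32:]

def store_protected(passphrase):
    # Only a passphrase-wrapped copy of the signing key is stored.
    key, salt = os.urandom(32), os.urandom(16)
    pad, mac_key = _derive(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(key, pad))  # pad is used once per salt
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def unlock(record, passphrase):
    # The inconvenient step: the user must supply the passphrase.
    pad, mac_key = _derive(passphrase, record["salt"])
    expect = hmac.new(mac_key, record["salt"] + record["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, record["tag"]):
        raise ValueError("wrong passphrase or modified record")
    return bytes(a ^ b for a, b in zip(record["wrapped"], pad))

def sign_request(record, passphrase, request):
    # Every request to the auth server carries a MAC under the unlocked key.
    return hmac.new(unlock(record, passphrase), request, hashlib.sha256).digest()

def verify_request(key, request, signature):
    # Server side of this symmetric stand-in: recompute and compare.
    return hmac.compare_digest(hmac.new(key, request, hashlib.sha256).digest(), signature)

if __name__ == "__main__":
    rec = store_protected("constructed passphrase")
    sig = sign_request(rec, "constructed passphrase", b"LOGIN alice")
    print(verify_request(unlock(rec, "constructed passphrase"), b"LOGIN alice", sig))
```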

