Re: [Auth]Greetings...
From: John Pugh
Subject: Re: [Auth]Greetings...
Date: Tue, 23 Oct 2001 09:50:15 -0600
Zero Knowledge implemented a system that is identical to Novell's Digitalme.
With Digitalme a user can have multiple identities and choose who sees what
information, if any.
It provides all this through a directory called eDirectory. The directory has all
the methods mentioned in earlier threads that allows for multiple auth methods
and already has fault tolerance, replication and is built on multiple open
standards.
The one thing I'm seeing with this effort is that one thing is missing. The
foundation for any effort such as this is a directory. A database can be
modified to provide some capabilities of a true directory service, but it will
never be optimized and as complete as a directory...no matter how many people
put time into creating it. Novell's eDirectory already has what you are
attempting to create from a database. It is already optimized for reading
information, has self management capabilities built-in, has multiple
authentication methods as well as fault tolerance through replication.
What's missing is the personal aspect. What's needed is the ability to have a
personal directory and choose what, if anything, you want others to see. This
aspect is what is missing from those ventures such as liberty and passport (and
digitalme...for now).
So ".Net" is pretty useless...we've seen that. dotgnu is the effort that needs
to look at the personal side since the biz side is fairly wrapped up and it
must look at the integration side since there is NO one system that can do the
complete job.
JP
>>> Mike Warren <address@hidden> 10/19/01 04:04PM >>>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I just joined this list and haven't seen any traffic yet, so this is
sort of a test ;)
I am interested in seeing a system like that implemented (and recently
discontinued) by Zero Knowledge (see http://opensource.zeroknowledge.com for
some code).
Basically, it allowed one to create anonymous identities (they called
these ``Nyms''). These were used with the rest of their system, mostly
for encrypted email. The interesting aspects of their system:
. there was an untraceable way to purchase Nyms via a ``nym-token'' sort
of digital cash -- one bought some nym tokens with a credit card or
cash and then later redeemed these tokens for a Nym (or whatever else
one could buy with the nym-tokens).
. It was not possible to determine who owned which Nym, nor where the
person using a Nym was on the network. ZK maintained a system of
servers (freedon.net) to accomplish this. The code for these servers
is GPL.
I think the ZK system would mesh well with what I understand the goals
of DotGNU (especially the Virtual Identities stuff) to be. On the
free-developers list, I proposed an authentication system modeled
after the ZK freedom network.
For those who haven't read those posts, briefly:
. multiple authorities could issue identity certificates
. each user would typically have lots of different identification
certificates, each reflecting a different amount of information
revealed (i.e. one might contain just a name, one might also have an
address, one might also have a credit card).
. DotGNU-services companies would decide how much they trust each
certificate-issuing authority.
. DotGNU-service providers would obtain information about users
through their certificates. A DotGNU provider would never have to
maintain personal information in a database. (If the service-provider
needs information about subscribed users [i.e. a login-id], then the
service provider issues their own certificate to the user with such
information; then they must only keep a database of valid login-ids).
. certificates would be encrypted.
. users have much choice: they could issue themselves certificates for
use where providers don't need a trusted provider, or choose to get a
certificate from a highly-trusted provider. For example, the FSF might
be a certificate-provider which has some method of showing that users
are who they say they are (perhaps via a small credit-card
transaction system like PayPal uses).
This addresses the following goals of DotGNU:
. users have sole control over how much information they provide
. providers can insist on verified information, if they like. This
gives service-providers a lot of confidence in their transaction, and
would allow for, for example, anonymous users paying via credit
card. How? A trusted-certificate provider -- after verifying a
particular user is who they say they are -- could issue a sort of
digital-cash token which could be redeemed at the
service-provider. The service-provider never has to know the true
identity of the user; they just have to be satisfied that the
certificate-provider has billed the user correctly. This means users
would only have to trust ONE authority with their credit-card
information, instead of trusting everyone with whom they do business.
. such a system might quickly gain ground; it has significant
advantages over Microsoft's system (anonymity, user-confidence,
multiple identity providers).
. allows a convenient system for authentication within the DotGNU
user/provider framework (just the sending of a certificate).
Of course, I've left out many details (which I haven't really fleshed
out myself). I'm not a cryptography expert, but what understanding I
have leads me to believe that such a system could be made workable and
secure.
Best of all, there is existing GPL code for at least part of the
system (the anonymizing-network) and numerous white-papers (at ZK)
outlining security concerns and potential and actual workarounds.
Anyway. This turned out a little longer than I expected ;) A little
about me:
I am a 24-year-old recent comp.sci graduate currently working at a
pipeline company doing leak-detection in Calgary, Alberta. I would be
keen to work on a virtual-identities system if it looks like a Good
Thing.
Cheers,
- --
address@hidden
<URL:http://www.mike-warren.com>
GPG: 0x579911BD :: 87F2 4D98 BDB0 0E90 EE2A 0CF9 1087 0884 5799 11BD
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.5 and Gnu Privacy Guard
<http://www.gnupg.org/>
iD8DBQE70KODEIcIhFeZEb0RAgKTAKC1aHDF5Aa1p3SG8l9irb6riet+mgCfWRkq
kphXVtThzS2fr9NRYnAg2+I=
=TT2L
-----END PGP SIGNATURE-----
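The certificate scheme sketched in the quoted post (several issuers, certificates that reveal different amounts of information, providers that decide per issuer whom they trust, and a provider that keeps nothing but a database of login-ids) can be modelled in a few dozen lines. The following is an added example written for this archive page; it is not code from the post, from DotGNU or from Zero Knowledge. Everything in it is an assumption: the issuer names ("FSF", "alice-self", "shop", "forum"), the claims, and the signature scheme, which is textbook RSA over Mersenne primes chosen only so that the example runs offline with the standard library. Those keys are toy-sized and unpadded and must not be mistaken for a usable signature implementation.

```python
"""Toy model of the multi-issuer identity-certificate idea from the post.
Constructed example: all keys are toy-sized textbook RSA and NOT secure."""
import hashlib
import json

# Mersenne primes used as toy RSA factors (constructed choice; a real issuer
# generates random primes of proper size and uses a padded signature scheme).
_MERSENNE = {13: 2**13 - 1, 17: 2**17 - 1, 19: 2**19 - 1, 31: 2**31 - 1,
             61: 2**61 - 1, 89: 2**89 - 1, 107: 2**107 - 1, 127: 2**127 - 1}
_E = 65537


def toy_keypair(a, b):
    """Build a deterministic toy RSA keypair from two Mersenne exponents."""
    p, q = _MERSENNE[a], _MERSENNE[b]
    n = p * q
    d = pow(_E, -1, (p - 1) * (q - 1))
    return {"n": n, "e": _E}, {"n": n, "d": d}


def _digest(payload, n):
    """Canonical JSON of the signed part, hashed and reduced into the modulus."""
    data = json.dumps(payload, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


class Issuer:
    """An authority, or the user herself, that signs a set of claims."""

    def __init__(self, name, prime_exponents):
        self.name = name
        self.pub, self._priv = toy_keypair(*prime_exponents)

    def issue(self, claims):
        payload = {"issuer": self.name, "claims": claims}
        n, d = self._priv["n"], self._priv["d"]
        return {**payload, "sig": pow(_digest(payload, n), d, n)}


def verify(cert, pub):
    """True if the certificate's signature matches its issuer/claims payload."""
    payload = {"issuer": cert["issuer"], "claims": cert["claims"]}
    return pow(cert["sig"], pub["e"], pub["n"]) == _digest(payload, pub["n"])


class ServiceProvider:
    """Trusts named issuers for named claims; persists only login-ids."""

    def __init__(self, name, issuer_pubkeys, trust_policy, prime_exponents):
        self.pubkeys = issuer_pubkeys   # issuer name -> public key
        self.policy = trust_policy      # issuer name -> claims it is trusted for
        self.login_ids = set()          # the only thing this provider stores
        self._own = Issuer(name, prime_exponents)

    def check(self, cert, required_claims):
        """Signature must verify under a known issuer key, and every required
        claim must be present AND come from an issuer trusted for that claim."""
        pub = self.pubkeys.get(cert["issuer"])
        if pub is None or not verify(cert, pub):
            return False
        trusted = self.policy.get(cert["issuer"], set())
        return all(c in cert["claims"] and c in trusted for c in required_claims)

    def subscribe(self, cert, required_claims):
        """Accept a presented certificate and hand back a provider-issued
        login-id certificate; the personal claims are never stored."""
        if not self.check(cert, required_claims):
            return None
        seed = json.dumps(cert["claims"], sort_keys=True).encode()
        login_id = hashlib.sha256(seed).hexdigest()[:12]
        self.login_ids.add(login_id)
        return self._own.issue({"login_id": login_id})


def demo():
    fsf = Issuer("FSF", (61, 89))           # hypothetical trusted authority
    alice = Issuer("alice-self", (19, 31))  # the user issuing to herself
    full = fsf.issue({"name": "Alice", "address": "1 Example St"})  # constructed
    minimal = alice.issue({"name": "Alice"})
    pubkeys = {"FSF": fsf.pub, "alice-self": alice.pub}
    shop = ServiceProvider("shop", pubkeys, {"FSF": {"name", "address"}}, (107, 127))
    forum = ServiceProvider("forum", pubkeys, {}, (13, 17))
    tampered = dict(full, claims={**full["claims"], "address": "9 Other Rd"})
    login_cert = shop.subscribe(full, ["name", "address"])
    return {
        "shop_accepts_fsf": login_cert is not None,
        "shop_accepts_self": shop.check(minimal, ["name"]),
        "shop_accepts_tampered": shop.check(tampered, ["name"]),
        "forum_accepts_self": forum.check(minimal, []),
        "login_cert_valid": login_cert is not None and verify(login_cert, shop._own.pub),
        "shop_stores": sorted(shop.login_ids),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The shop requires a verified name and address, so it accepts the FSF-issued certificate, rejects the self-issued one (valid signature, but "alice-self" is trusted for nothing there) and rejects the tampered copy (the signature no longer matches the claims). The forum needs no verified claims at all, so the self-issued certificate is enough, which is the "no trusted provider needed" case from the post. After subscribing, the shop's database holds one login-id and none of the personal data.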