3815 Re: [decentralization] De-centralizing single sign on.

Chris Hanson
Sep 2, 2001

At 7:52 AM +0100 9/2/01, Julian Bond wrote:
>What if the registration form or sign on form had three fields
>1) ID
>2) password
>3) get my preferences from this URL
>
>The site could then use XML-RPC, SOAP or such like to connect to that
>URL, validate the id and password and return a set of preferences/basic
>info.

A malicious site could also store your user ID, password, and
preferences URL and subsequently use your identity.

Single sign-on needs a system where you authenticate to your
authentication provider, provide other parties with an authentication
token of some sort, and have your provider validate that token.
(This is the Kerberos model.)

I've been wondering if this might be possible with cookies somehow;
the problem is that cookies only get sent to the site that set the
cookie.

-- Chris

--
Chris Hanson <cmh@...>
bDistributed.com: Making Business Distributed
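The contrast drawn in the reply above, as an added illustration that is not part of the original thread and not code from either poster: a toy authentication provider that supports both the quoted proposal (a relying site is handed the user's ID and password and checks them with the provider) and the Kerberos-style model (the user authenticates only to the provider, receives a token bound to one relying site with an expiry, and that site asks the provider to validate it). The token format (HMAC-signed JSON with `aud` and `exp` claims), the user and site names, and the preferences dictionary are constructed for the example; the XML-RPC/SOAP transport the thread mentions is left out, and every call is an in-process method call.

```python
"""Toy model of the two single sign-on designs compared in the thread.
Constructed example: the HTTP/XML-RPC transport is left out and the token
format (HMAC-signed JSON with audience and expiry) is this example's own."""
import base64
import hashlib
import hmac
import json
import secrets
import time


class AuthProvider:
    """The user's home authentication provider (holds the password hashes)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # token-signing key; never leaves the provider
        self._users = {}                       # user id -> (salt, password hash)
        self._prefs = {}                       # user id -> preferences dict

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user_id, password, prefs):
        salt = secrets.token_bytes(16)
        self._users[user_id] = (salt, self._hash(password, salt))
        self._prefs[user_id] = dict(prefs)

    def check_password(self, user_id, password):
        """Quoted proposal: whoever presents the id and password passes, so
        the provider cannot tell the user from a site that stored those
        credentials at an earlier login."""
        if user_id not in self._users:
            return False
        salt, stored = self._users[user_id]
        return hmac.compare_digest(stored, self._hash(password, salt))

    def issue_token(self, user_id, password, audience, ttl=300, now=None):
        """Kerberos-style step 1: the user authenticates to the provider only
        and receives a token bound to one relying site and to a deadline."""
        if not self.check_password(user_id, password):
            return None
        now = time.time() if now is None else now
        claims = {"sub": user_id, "aud": audience, "exp": now + ttl,
                  "nonce": secrets.token_hex(8)}
        payload = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(self._key, payload, hashlib.sha256).digest()
        return (base64.urlsafe_b64encode(payload).decode() + "."
                + base64.urlsafe_b64encode(tag).decode())

    def validate_token(self, token, audience, now=None):
        """Kerberos-style step 3: a relying site asks the provider whether a
        token it was handed is genuine, unexpired and meant for that site.
        Returns the claims on success, None on any failure."""
        try:
            payload_b64, tag_b64 = token.split(".")
            payload = base64.urlsafe_b64decode(payload_b64)
            tag = base64.urlsafe_b64decode(tag_b64)
        except (ValueError, TypeError):
            return None
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # tampered or forged
            return None
        claims = json.loads(payload)
        now = time.time() if now is None else now
        if claims.get("aud") != audience or claims.get("exp", 0) <= now:
            return None                              # wrong site, or expired
        return claims

    def preferences_for(self, token, audience, now=None):
        """Hand out preferences only against a token valid for the asking site."""
        claims = self.validate_token(token, audience, now)
        return None if claims is None else dict(self._prefs[claims["sub"]])


def demo():
    provider = AuthProvider()
    provider.register("alice", "correct horse", {"theme": "dark"})
    t0 = 1_000_000.0   # fixed clock so the expiry check is deterministic

    # Password model: site A received Alice's id and password at login; the
    # same pair verifies just as well when site B (or anyone else) presents it.
    site_a_login = provider.check_password("alice", "correct horse")
    site_b_reuse = provider.check_password("alice", "correct horse")

    # Token model: Alice gets a token for site A and hands only that to site A.
    token = provider.issue_token("alice", "correct horse", "site-a.example", now=t0)
    return {
        "password_model_reusable": site_a_login and site_b_reuse,
        "token_accepted_at_site_a": provider.validate_token(token, "site-a.example", now=t0 + 10) is not None,
        "token_reused_at_site_b": provider.validate_token(token, "site-b.example", now=t0 + 10) is not None,
        "token_after_expiry": provider.validate_token(token, "site-a.example", now=t0 + 301) is not None,
        "prefs_for_site_a": provider.preferences_for(token, "site-a.example", now=t0 + 10),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `demo()` result shows the property the reply is after: under the password model the relying site ends up holding exactly what the provider accepts, so nothing distinguishes it from the user; under the token model the site holds only a token that the provider rejects for any other audience and after its deadline, and the password never leaves the user-to-provider exchange. The cookie idea at the end of the message runs into the same-origin restriction the poster names, which is why the token has to be carried by the user (or a redirect) rather than by a cookie set at the provider.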