
De-centralizing single sign on.

  • Julian Bond
    Message 1 of 25 , Sep 1, 2001
      There are a vast number of web sites that require an ID and password but
      which have relatively low security requirements. It would make life
      easier for users of those sites if they didn't have to retype all their
      preferences and create a new ID and password.

      What if the registration form or sign on form had three fields
      1) ID
      2) password
      3) get my preferences from this URL

      The site could then use XML-RPC, SOAP or such like to connect to that
      URL, validate the id and password and return a set of preferences/basic
      info.

      This is completely open and allows any and every site to act as the
      master repository for the preference set.

      What's wrong with this picture?

      --
      Julian Bond email: julian_bond@...
      CV/Resume: http://www.voidstar.com/cv/
      WebLog: http://www.voidstar.com/
      HomeURL: http://www.shockwav.demon.co.uk/
      M: +44 (0)77 5907 2173 T: +44 (0)192 0412 433
      ICQ:33679568 tag:So many words, so little time
    • Bram Cohen
      Message 2 of 25 , Sep 2, 2001
        On Sun, 2 Sep 2001, Julian Bond wrote:

        > There are a vast number of web sites that require an ID and password but
        > which have relatively low security requirements. It would make life
        > easier for users of those sites if they didn't have to retype all their
        > preferences and create a new ID and password.

        The problem with single signon is in ironing out the myriad and subtle
        differences between how different sites view their list of users, and in
        getting the software installed on clients.

        Thankfully, there's no compelling technical reason to have a single
        central database for single signon like microsoft is trying to make
        happen. Whether they manage to force it remains to be seen.

        -Bram Cohen

        "Markets can remain irrational longer than you can remain solvent"
        -- John Maynard Keynes
      • Jonathan Berry
        Message 3 of 25 , Sep 2, 2001
          >This is completely open and allows any and every site to act as the
          >master repository for the preference set.
          >
          >What's wrong with this picture?

          Is this rhetorical? I asked the same sort of question not too long ago.

          -Jonathan Berry

        • Julian Bond
          Message 4 of 25 , Sep 2, 2001
            In article <Pine.LNX.4.21.0109020021000.19110-100000@...>,
            Bram Cohen <BRAM@...> writes
            >The problem with single signon is in ironing out the myriad and subtle
            >differences between how different sites view their list of users, and in
            >getting the software installed on clients.

            Do you mean "Client" as in "Servers that support the standard"?

            There's the usual "Standards" issue of getting this idea supported and
            getting some agreement on the format of data that's returned. Maybe it
            should be a VCF?

            But I'm also concerned about the implications for gaming the system.

            --
            Julian Bond email: julian_bond@...
            CV/Resume: http://www.voidstar.com/cv/
            WebLog: http://www.voidstar.com/
            HomeURL: http://www.shockwav.demon.co.uk/
            M: +44 (0)77 5907 2173 T: +44 (0)192 0412 433
            ICQ:33679568 tag:So many words, so little time
          • Dave Winer
            Message 5 of 25 , Sep 2, 2001
              Julian, I wrote about this in July and there was quite a bit of discussion
              on it.

              Here's the article and below it is the discussion..

              http://www.xmlrpc.com/discuss/msgReader$1780

              Dave


              ----- Original Message -----
              From: "Julian Bond" <julian_bond@...>
              To: <decentralization@yahoogroups.com>
              Sent: Saturday, September 01, 2001 11:52 PM
              Subject: [decentralization] De-centralizing single sign on.


              > There are a vast number of web sites that require an ID and password but
              > which have relatively low security requirements. It would make life
              > easier for users of those sites if they didn't have to retype all their
              > preferences and create a new ID and password.
              >
              > What if the registration form or sign on form had three fields
              > 1) ID
              > 2) password
              > 3) get my preferences from this URL
              >
              > The site could then use XML-RPC, SOAP or such like to connect to that
              > URL, validate the id and password and return a set of preferences/basic
              > info.
              >
              > This is completely open and allows any and every site to act as the
              > master repository for the preference set.
              >
              > What's wrong with this picture?
              >
              > --
              > Julian Bond email: julian_bond@...
              > CV/Resume: http://www.voidstar.com/cv/
              > WebLog: http://www.voidstar.com/
              > HomeURL: http://www.shockwav.demon.co.uk/
              > M: +44 (0)77 5907 2173 T: +44 (0)192 0412 433
              > ICQ:33679568 tag:So many words, so little time
            • Tony Kimball
              Message 6 of 25 , Sep 2, 2001
                Quoth Bram Cohen on Sunday, 2 September:
                :
                : The problem with single signon is in ironing out the myriad and subtle
                : differences between how different sites view their list of users, and in
                : getting the software installed on clients.

                Or alternatively, on all servers. A server-side solution is perfectly
                suitable for the overwhelming majority of sites.
              • Julian Bond
                Message 7 of 25 , Sep 2, 2001
                  In article <13ec01c133b0$e5abd970$33a1dc40@murphy>, Dave Winer
                  <dave@...> writes
                  >Julian, I wrote about this in July and there was quite a bit of discussion
                  >on it.
                  >Here's the article and below it is the discussion..
                  >http://www.xmlrpc.com/discuss/msgReader$1780

                  Hmmmm?! After going to
                  http://groups.yahoo.com/group/xml-rpc/messages/3213?threaded=1
                  and reading the whole thread, I'm no nearer
                  to a conclusion, except to say that the answer seems to be either LDAP
                  or ICEPick.

                  And all (all he says!) I wanted to do was to be able to go to a new site
                  and say "Here's an ID, Password and URL, you figure out the rest".

                  --
                  Julian Bond email: julian_bond@...
                  CV/Resume: http://www.voidstar.com/cv/
                  WebLog: http://www.voidstar.com/
                  HomeURL: http://www.shockwav.demon.co.uk/
                  M: +44 (0)77 5907 2173 T: +44 (0)192 0412 433
                  ICQ:33679568 tag:So many words, so little time
                • Todd Boyle
                  Message 8 of 25 , Sep 2, 2001
                    At 06:42 AM 9/2/01, Tony Kimball wrote:
                    >Quoth Bram Cohen on Sunday, 2 September:
                    >:
                    >: The problem with single signon is in ironing out the myriad and subtle
                    >: differences between how different sites view their list of users, and in
                    >: getting the software installed on clients.
                    >
                    >Or alternatively, on all servers. A server-side solution is perfectly
                    >suitable for the overwhelming majority of sites.

                    The problem is that the first website who does this will find
                    zero clients who utilize it. You need a model for incremental
                    adoption that will explode so fast it might get a few percent of
                    the 500 million internet users.

                    You need something that gives compelling benefits to the first user
                    and every succeeding user on an arithmetic basis. Otherwise
                    all the world's websites won't have incentive to run the code.

                    Even if large numbers of users want this, most of the high volume
                    commercial websites won't do it. Many of the AOL, Microsoft,
                    Suns, Amazons, Yahoos etc. etc. are interested in immobilizing
                    a client for God's sake, not creating greater mobility. They want
                    to BE the directory not support user sovereignty.

                    As for the vast number of smaller websites, the mivas and
                    coldfusions and frontpages and the dreamweavers etc etc.
                    most of them move very slowly.. it will take most of them
                    forever to get a clue, when better technology exists.

                    Again I see this as a tectonic plates issue. The billion-dollar
                    companies and the great masses of ordinary users are stuck.
                    They are not going to adopt your idea because they have
                    different goals.

                    So as the more advanced, or intelligent internet users gradually
                    understand the potentials of the internet, the forces gradually
                    continue to build among that population for better internet
                    infrastructure, especially in the area of authentication, privacy,
                    and secure client platforms. Eventually the shapes of a broad
                    solution will emerge and in my opinion the development that will
                    trigger a disruptive breakout is the secure, general-purpose
                    signing device. When you can buy a device at Walmart or 7-11,
                    for $10 that has a totally unbreakable vault with keys and
                    certificates, and a little 200x200 pixel screen for receiving and
                    signing arbitrary contracts, and a keypad for your PIN, that will
                    change *everything*. Including these gimmicks you're talking
                    about for single sign-on.

                    People will use these little things for everything from supermarket
                    purchases to train fares, vending machines, signing on to their
                    network resources etc.

                    Unfortunately it will lead to tremendous concentration in the
                    internet infrastructures for storage, functionality etc. When
                    there is no security risk then *many* web services truly become
                    a commodity. When the internet is fixed, will the crybabies
                    stop crying and use its tremendous potentials? OR like me
                    perhaps, are you stuck in a permanent mode of complaining :-)
                    Do we remember how to do anything else? :-)

                    Let's think now, to understand the unthinkable new age where
                    the internet allows the user the power of total secure control
                    over their stuff, and such delightful choices as blocking any
                    communication of any form, unless it comes from a real person
                    with real reputation. God, will THAT be nice!

                    What this will mean? People will do this. Ordinary people
                    are fed up with today's internet. The billion-dollar companies
                    know this. That's why they fear the end users' rebellion. They
                    will lose the ability to stuff our inboxes with garbage.

                    Don't be a doe in the headlights, build tomorrow's internet
                    of high quality, premium content and services for a community
                    of real, authenticated people. Build the reputation systems
                    that anticipate true authentication via $10 signing devices.

                    Finally-- question my assumption. Does any significant
                    population of "intelligent" users exist on the internet who
                    are in a sufficiently diverse products and services and
                    content for each other that they form any kind of a market?
                    If all the "intelligent" users of the internet are a monoculture
                    of lifelong web geeks then there is no market and no
                    reason to join. In other words--- as you know---small
                    businesses and proprietors, all of the salt of the earth, are
                    way too busy to be involved in this newsgroup. You will
                    literally have to approach them in person and explain this
                    to them. Most of them don't even use the web anymore,
                    except for email, or buying a book or an airline ticket. They
                    cannot imagine buying and selling on the internet for zero
                    transaction costs, or concepts like decentralized
                    mechanisms for credit history etc. etc.

                    Todd
                    Todd Boyle CPA 9745-128th Ave NE Kirkland WA
                    tboyle@... 425-827-3107 Oslo [47] 9822-7366
                  • Wesley Felter
                    Message 9 of 25 , Sep 2, 2001
                      On Sun, 2 Sep 2001, Julian Bond wrote:

                      > There are a vast number of web sites that require an ID and password but
                      > which have relatively low security requirements. It would make life
                      > easier for users of those sites if they didn't have to retype all their
                      > preferences and create a new ID and password.
                      >
                      > What if the registration form or sign on form had three fields
                      > 1) ID
                      > 2) password
                      > 3) get my preferences from this URL

                      It's not very single-sign-on-y if I have to type my password at every
                      site.

                      Wesley Felter - wesley@... - http://felter.org/wesley/
                    • James Hong
                      Message 10 of 25 , Sep 2, 2001
                        People aren't going to like this answer but...

                        Many sites want users to go through a sign-up process so they can collect
                        specific demographic/psychographic information alongside. This information
                        enables them to sell advertising/sponsorships at a higher rate. Also, the
                        sign-up process is also the right spot for them to sell co-registrations.

                        Unless the central repository collects and shares this sort of information,
                        you'll see pushback (or rather, non-participation) from websites that rely
                        on advertising. I'm not sure if programs like passport share this sort of
                        information. I imagine that sharing demographic information is not on the To
                        Do list of whoever is working on an open, decentralized network, but if you
                        want wider adoption you may want to put it in (of course, be up front with
                        the user when they are signing on that all their information is shared
                        across the network.)

                        Of course, all the websites that rely heavily on advertising other than AOL,
                        Microsoft, or Yahoo may not exist within another year or so, so this point
                        may be moot.

                        cheers,
                        james



                        ----- Original Message -----
                        From: "Julian Bond" <julian_bond@...>
                        To: <decentralization@yahoogroups.com>
                        Sent: Saturday, September 01, 2001 11:52 PM
                        Subject: [decentralization] De-centralizing single sign on.


                        > There are a vast number of web sites that require an ID and password but
                        > which have relatively low security requirements. It would make life
                        > easier for users of those sites if they didn't have to retype all their
                        > preferences and create a new ID and password.
                        >
                        > What if the registration form or sign on form had three fields
                        > 1) ID
                        > 2) password
                        > 3) get my preferences from this URL
                        >
                        > The site could then use XML-RPC, SOAP or such like to connect to that
                        > URL, validate the id and password and return a set of preferences/basic
                        > info.
                        >
                        > This is completely open and allows any and every site to act as the
                        > master repository for the preference set.
                        >
                        > What's wrong with this picture?
                        >
                        > --
                        > Julian Bond email: julian_bond@...
                        > CV/Resume: http://www.voidstar.com/cv/
                        > WebLog: http://www.voidstar.com/
                        > HomeURL: http://www.shockwav.demon.co.uk/
                        > M: +44 (0)77 5907 2173 T: +44 (0)192 0412 433
                        > ICQ:33679568 tag:So many words, so little time
                      • Dave Winer
                        Message 11 of 25 , Sep 2, 2001
                          James, that's probably why Microsoft is interested in this. They want
                          control of the demographic information, and they'll probably offer you deals
                          on everything you do now independently. In a sense they will become your
                          co-publisher.

                          Dave

                          ----- Original Message -----
                          From: "James Hong" <jhong@...>
                          To: <decentralization@yahoogroups.com>
                          Sent: Sunday, September 02, 2001 11:34 AM
                          Subject: Re: [decentralization] De-centralizing single sign on.


                          > People aren't going to like this answer but...
                          >
                          > Many sites want users to go through a sign-up process so they can collect
                          > specific demographic/psychographic information alongside. This information
                          > enables them to sell advertising/sponsorships at a higher rate. Also, the
                          > sign-up process is also the right spot for them to sell co-registrations.
                          >
                          > Unless the central repository collects and shares this sort of information,
                          > you'll see pushback (or rather, non-participation) from websites that rely
                          > on advertising. I'm not sure if programs like passport share this sort of
                          > information. I imagine that sharing demographic information is not on the To
                          > Do list of whoever is working on an open, decentralized network, but if you
                          > want wider adoption you may want to put it in (of course, be up front with
                          > the user when they are signing on that all their information is shared
                          > across the network.)
                          >
                          > Of course, all the websites that rely heavily on advertising other than AOL,
                          > Microsoft, or Yahoo may not exist within another year or so, so this point
                          > may be moot.
                          >
                          > cheers,
                          > james
                          >
                          >
                          >
                          > ----- Original Message -----
                          > From: "Julian Bond" <julian_bond@...>
                          > To: <decentralization@yahoogroups.com>
                          > Sent: Saturday, September 01, 2001 11:52 PM
                          > Subject: [decentralization] De-centralizing single sign on.
                          >
                          >
                          > > There are a vast number of web sites that require an ID and password but
                          > > which have relatively low security requirements. It would make life
                          > > easier for users of those sites if they didn't have to retype all their
                          > > preferences and create a new ID and password.
                          > >
                          > > What if the registration form or sign on form had three fields
                          > > 1) ID
                          > > 2) password
                          > > 3) get my preferences from this URL
                          > >
                          > > The site could then use XML-RPC, SOAP or such like to connect to that
                          > > URL, validate the id and password and return a set of preferences/basic
                          > > info.
                          > >
                          > > This is completely open and allows any and every site to act as the
                          > > master repository for the preference set.
                          > >
                          > > What's wrong with this picture?
                          > >
                          > > --
                          > > Julian Bond email: julian_bond@...
                          > > CV/Resume: http://www.voidstar.com/cv/
                          > > WebLog: http://www.voidstar.com/
                          > > HomeURL: http://www.shockwav.demon.co.uk/
                          > > M: +44 (0)77 5907 2173 T: +44 (0)192 0412 433
                          > > ICQ:33679568 tag:So many words, so little time
                        • me_vipul@yahoo.co.in
                          Message 12 of 25 , Sep 2, 2001
                            I don't know much about this but can't something like Jabber be
                            applied to this?
                          • Chris Hanson
                            Message 13 of 25 , Sep 2, 2001
                              At 7:52 AM +0100 9/2/01, Julian Bond wrote:
                              >What if the registration form or sign on form had three fields
                              >1) ID
                              >2) password
                              >3) get my preferences from this URL
                              >
                              >The site could then use XML-RPC, SOAP or such like to connect to that
                              >URL, validate the id and password and return a set of preferences/basic
                              >info.

                              A malicious site could also store your user ID, password, and
                              preferences URL and subsequently use your identity.

                              Single sign-on needs a system where you authenticate to your
                              authentication provider, provide other parties with an authentication
                              token of some sort, and have your provider validate that token.
                              (This is the Kerberos model.)

                              I've been wondering if this might be possible with cookies somehow;
                              the problem is that cookies only get sent to the site that set the
                              cookie.

                              -- Chris

                              --
                              Chris Hanson <cmh@...>
                              bDistributed.com: Making Business Distributed
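
The token model Chris Hanson describes above, set beside the password-forwarding proposal it replies to, as an added example that is not part of the original thread. The `Provider` class, the site names, the user record and the token format are all assumptions made for illustration; the provider is simulated in-process rather than reached over XML-RPC.

```python
import base64, hashlib, hmac, json, secrets, time


class Provider:
    """Hypothetical identity provider living at the user's 'preferences URL'."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # MAC key, never leaves the provider
        self._users = {}                     # user_id -> (salt, pw_hash, prefs)
        self._spent = set()                  # nonces of tokens already redeemed

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user_id, password, prefs):
        salt = secrets.token_bytes(16)
        self._users[user_id] = (salt, self._hash(password, salt), prefs)

    def _password_ok(self, user_id, password):
        rec = self._users.get(user_id)
        if rec is None:
            return False
        return hmac.compare_digest(rec[1], self._hash(password, rec[0]))

    def _mac(self, body):
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    # Scheme A (the original proposal): the relying site forwards the ID and
    # password it collected on its own form. The provider cannot tell which
    # site is asking, or whether the user is present at all.
    def validate_password(self, user_id, password):
        if not self._password_ok(user_id, password):
            return None
        return self._users[user_id][2]

    # Scheme B (token model): the user authenticates to the provider directly
    # and receives a short-lived token bound to one relying site (audience).
    def issue_token(self, user_id, password, audience, ttl=60, now=None):
        if not self._password_ok(user_id, password):
            return None
        now = time.time() if now is None else now
        claims = {"sub": user_id, "aud": audience, "exp": now + ttl,
                  "nonce": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        return body + "." + self._mac(body)

    # The relying site hands the token back for validation. In a real
    # deployment the provider would authenticate the caller; here the caller
    # simply states its own name as `audience` (an assumption of this sketch).
    def validate_token(self, token, audience, now=None):
        body, _, tag = token.partition(".")
        if not hmac.compare_digest(tag.encode(), self._mac(body).encode()):
            return None                      # forged or altered token
        claims = json.loads(base64.urlsafe_b64decode(body))
        now = time.time() if now is None else now
        if claims["aud"] != audience:        # issued for a different site
            return None
        if claims["exp"] < now:              # too old
            return None
        if claims["nonce"] in self._spent:   # already redeemed once
            return None
        self._spent.add(claims["nonce"])
        return self._users[claims["sub"]][2]


def replay_results():
    """What a site can do later with what it saw at sign-on (constructed data)."""
    idp = Provider()
    prefs = {"lang": "en", "tz": "Europe/London"}
    idp.register("julian", "constructed-pw", prefs)

    # Scheme A: forum.example kept the form fields and reuses them elsewhere.
    stored = ("julian", "constructed-pw")
    a_replay = idp.validate_password(*stored)

    # Scheme B: forum.example only ever sees a token minted for itself.
    token = idp.issue_token("julian", "constructed-pw", "forum.example", now=1000)
    stale = idp.issue_token("julian", "constructed-pw", "forum.example", now=1000)
    return {
        "A_password_replayed_elsewhere": a_replay,
        "B_token_replayed_elsewhere": idp.validate_token(token, "shop.example", now=1010),
        "B_token_first_use": idp.validate_token(token, "forum.example", now=1010),
        "B_token_second_use": idp.validate_token(token, "forum.example", now=1020),
        "B_token_expired": idp.validate_token(stale, "forum.example", now=1061),
    }


if __name__ == "__main__":
    for name, outcome in replay_results().items():
        print(f"{name}: {'accepted' if outcome else 'rejected'}")
```
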
                            • Michael Herman (Parallelspace)
                              Message 14 of 25 , Sep 2, 2001
                                Re: It's not very single-sign-on-y if I have to type my password at
                                every site.

                                ...and I'll bet most of us use the same 1 or 2 passwords for *all* the web
                                sites we need to login to.

                                It was a huge eye-opener for me recently when I picked up my
                                registration materials at a conference only to find they were for a
                                different Michael Herman and the conference organizer, in the spirit of
                                being "helpful", printed our reg site password on the back of the name
                                badges. I had the other person's personal password and they had mine
                                ...not only for the reg site but for 80% of the other Internet sites I
                                use. All of the reg clerks also had these passwords at their disposal.
                                Very scary.

                                "Weakest link" theory at work at its best. I can't wait for single
                                sign-on for most of the sites I visit. I've been happy with the small
                                number that use Passport.

                                Cheers,
                                Michael Herman
                                CTO, Parallelspace Corporation
                                http://www.parallelspace.net


                                -----Original Message-----
                                From: Wesley Felter [mailto:wesley@...]
                                Sent: Sunday, September 02, 2001 1:51 PM
                                To: decentralization@yahoogroups.com
                                Subject: Re: [decentralization] De-centralizing single sign on.


                                On Sun, 2 Sep 2001, Julian Bond wrote:

                                > There are a vast number of web sites that require an ID and password
                                > but which have relatively low security requirements. It would make
                                > life easier for users of those sites if they didn't have to retype all
                                > their preferences and create a new ID and password.
                                >
                                > What if the registration form or sign on form had three fields
                                > 1) ID
                                > 2) password
                                > 3) get my preferences from this URL

                                It's not very single-sign-on-y if I have to type my password at every
                                site.

                                Wesley Felter - wesley@... - http://felter.org/wesley/



                              • Dave Winer
                                Message 15 of 25 , Sep 2, 2001
                                  Crime & Courts

                                  Woman charged in e-mail case
                                  An ISU student allegedly accessed a former friend's e-mail
                                  account and impersonated him.
                                  By STACI HUPP
                                  Register Staff Writer
                                  08/29/2001


                                  --------------------------------------------------------------------
                                  Ames, Ia. - An Iowa State University graduate student allegedly
                                  tapped into a former friend's e-mail and impersonated him to turn down a
                                  $200,000-a-year technology job.

                                  King Chong Iris Fung, a student in ISU's math department, is
                                  charged with electronic eavesdropping. The charge carries a one-year jail
                                  term.

                                  ISU campus police would not disclose the name of the alleged
                                  victim but said he met Fung at a Wisconsin college and now lives in
                                  Virginia. Fung, 36, is a doctoral candidate from Hong Kong, investigators
                                  said.

                                  Fung had been viewing the e-mails of her friend and his wife for
                                  nine months, ISU police said. Fung accessed one or both e-mail accounts at
                                  least 33 times, nearly half of which were from a computer laboratory on
                                  campus.

                                  "The exact nature of their relationship has not been
                                  determined," said Jerry Stewart, interim director of ISU's campus police
                                  department. "I don't think they've seen each other for several years."

                                  Fung became a suspect after officials of the unnamed company
                                  called her former friend, saying they were disappointed that he'd turned
                                  down the job, Stewart said. The friend called ISU police, who have
                                  investigated the case since July.

                                  Fung got access to her former friend's e-mail account by
                                  guessing his password "after numerous attempts," Stewart said.

                                  Fung turned herself in to campus police Monday and was released
                                  on her promise to be in court next month. She has no criminal history in
                                  Story County, officials said.

                                  The alleged victim can sue Fung if he loses the job offer,
                                  Stewart said.

                                  A knock at the door of Fung's Ames apartment went unanswered
                                  Tuesday. Three neighbors said they didn't know her.

                                  Fung is a research assistant who taught in the math department,
                                  ISU officials said. The math professor she works for, Dan Ashlock, did not
                                  return a telephone call Tuesday. Another professor described her as a smart
                                  woman with a good personality.

                                  "She seemed reasonably outgoing, and she's articulate," said
                                  Stephen Willson, a math professor.

                                  ISU officials would not disclose how long Fung has been at ISU.
                                  Student records typically are public information, but Fung signed a privacy
                                  form that limits her records to university employees, according to the ISU
                                  registrar.

                                  Officials from ISU's dean of students office will review the
                                  case, said Pete Englin, interim dean of students. Possibilities range from
                                  no action to suspension, Englin said.



                                  http://www.dmregister.com/news/stories/c4788993/15730305.html


                                  ----- Original Message -----
                                  From: "Michael Herman (Parallelspace)" <mwherman@...>
                                  To: <decentralization@yahoogroups.com>; <wesley@...>
                                  Sent: Sunday, September 02, 2001 4:41 PM
                                  Subject: RE: [decentralization] De-centralizing single sign on.


                                  > Re: It's not very single-sign-on-y if I have to type my password at
                                  > every site.
                                  >
                                  > ...and I'll bet most of us use the same 1 or 2 passwords for *all* the web
                                  > sites we need to login to.
                                  >
                                  > It was a huge eye-opener for me recently when I picked up my
                                  > registration materials at a conference only to find they were for a
                                  > different Michael Herman and the conference organizer, in the spirit of
                                  > being "helpful", printed our reg site password on the back of the name
                                  > badges. I had the other person's personal password and they had mine
                                  > ...not only for the reg site but for 80% of the other Internet sites I
                                  > use. All of the reg clerks also had these passwords at their disposal.
                                  > Very scary.
                                  >
                                  > "Weakest link" theory at work at its best. I can't wait for single
                                  > sign-on for most of the sites I visit. I've been happy with the small
                                  > number that use Passport.
                                  >
                                  > Cheers,
                                  > Michael Herman
                                  > CTO, Parallelspace Corporation
                                  > http://www.parallelspace.net
                                  >
                                  >
                                  > -----Original Message-----
                                  > From: Wesley Felter [mailto:wesley@...]
                                  > Sent: Sunday, September 02, 2001 1:51 PM
                                  > To: decentralization@yahoogroups.com
                                  > Subject: Re: [decentralization] De-centralizing single sign on.
                                  >
                                  >
                                  > On Sun, 2 Sep 2001, Julian Bond wrote:
                                  >
                                  > > There are a vast number of web sites that require an ID and password
                                  > > but which have relatively low security requirements. It would make
                                  > > life easier for users of those sites if they didn't have to retype all
                                  > > their preferences and create a new ID and password.
                                  > >
                                  > > What if the registration form or sign on form had three fields
                                  > > 1) ID
                                  > > 2) password
                                  > > 3) get my preferences from this URL
                                  >
                                  > It's not very single-sign-on-y if I have to type my password at every
                                  > site.
                                  >
                                  > Wesley Felter - wesley@... - http://felter.org/wesley/
                                • Michael Herman (Parallelspace)
                                  Message 16 of 25 , Sep 2, 2001
                                    Re: They want control of the demographic information, and they'll
                                    probably offer you deals on everything you do now independently.

                                    Dave,

                                    You're obviously entitled to your (non-Passport unauthenticated ;-)
                                    opinion but I see the above as speculation. If Passport was to do as
                                    you suggest, they wouldn't have a hope. Please check out their privacy
                                    policy @ http://www.passport.com/Consumer/PrivacyPolicy.asp

                                    Cheers,
                                    Michael.

                                    -----Original Message-----
                                    From: Dave Winer [mailto:dave@...]
                                    Sent: Sunday, September 02, 2001 3:01 PM
                                    To: decentralization@yahoogroups.com
                                    Subject: Re: [decentralization] De-centralizing single sign on.


                                    James, that's probably why Microsoft is interested in this. They want
                                    control of the demographic information, and they'll probably offer you
                                    deals on everything you do now independently. In a sense they will
                                    become your co-publisher. Dave

                                    ----- Original Message -----
                                    From: "James Hong" <jhong@...>
                                    To: <decentralization@yahoogroups.com>
                                    Sent: Sunday, September 02, 2001 11:34 AM
                                    Subject: Re: [decentralization] De-centralizing single sign on.


                                    > People aren't going to like this answer but...
                                    >
                                    > Many sites want users to go through a sign-up process so they can
                                    > collect specific demographic/psychographic information alongside. This
                                    > information enables them to sell advertising/sponsorships at a higher
                                    > rate. Also, the sign-up process is also the right spot for them to
                                    > sell co-registrations.
                                    >
                                    > Unless the central repository collects and shares this sort of
                                    > information, you'll see pushback (or rather, non-participation) from
                                    > websites that rely on advertising. I'm not sure if programs like
                                    > passport share this sort of information. I imagine that sharing
                                    > demographic information is not on the To Do list of whoever is working
                                    > on an open, decentralized network, but if you want wider adoption you
                                    > may want to put it in (of course, be up front with the user when they
                                    > are signing on that all their information is shared across the
                                    > network.)
                                    >
                                    > Of course, all the websites that rely heavily on advertising other
                                    > than AOL, Microsoft, or Yahoo may not exist within another year or so,
                                    > so this point may be moot.
                                    >
                                    > cheers,
                                    > james
                                    >
                                    >
                                    >
                                    > ----- Original Message -----
                                    > From: "Julian Bond" <julian_bond@...>
                                    > To: <decentralization@yahoogroups.com>
                                    > Sent: Saturday, September 01, 2001 11:52 PM
                                    > Subject: [decentralization] De-centralizing single sign on.
                                    >
                                    >
                                    > > There are a vast number of web sites that require an ID and password
                                    > > but which have relatively low security requirements. It would make
                                    > > life easier for users of those sites if they didn't have to retype
                                    > > all their preferences and create a new ID and password.
                                    > >
                                    > > What if the registration form or sign on form had three fields
                                    > > 1) ID
                                    > > 2) password
                                    > > 3) get my preferences from this URL
                                    > >
                                    > > The site could then use XML-RPC, SOAP or such like to connect to
                                    > > that URL, validate the id and password and return a set of
                                    > > preferences/basic info.
                                    > >
                                    > > This is completely open and allows any and every site to act as the
                                    > > master repository for the preference set.
                                    > >
                                    > > What's wrong with this picture?
                                    > >
                                    > > --
                                    > > Julian Bond email: julian_bond@...
                                    > > CV/Resume: http://www.voidstar.com/cv/
                                    > > WebLog: http://www.voidstar.com/
                                    > > HomeURL: http://www.shockwav.demon.co.uk/
                                    > > M: +44 (0)77 5907 2173 T: +44 (0)192 0412 433
                                    > > ICQ:33679568 tag:So many words, so little time
                                  • Wesley Felter
                                    Message 17 of 25 , Sep 2, 2001
                                      On Sun, 2 Sep 2001, Chris Hanson wrote:

                                      > Single sign-on needs a system where you authenticate to your
                                      > authentication provider, provide other parties with an authentication
                                      > token of some sort, and have your provider validate that token.
                                      > (This is the Kerberos model.)

                                      Passport does this...

                                      > I've been wondering if this might be possible with cookies somehow;
                                      > the problem is that cookies only get sent to the site that set the
                                      > cookie.

                                      ...using cookies, redirects, and some swiss numbers IIRC.

                                      (A "swiss number" is an unguessable random number, which can come in handy
                                      in surprisingly many situations. I will also head off the nit-pickers by
                                      pointing out that "unguessable" and "random" are very tricky concepts that
                                      have caused sleepless nights for many a cryptographer.)

                                      Wesley Felter - wesley@... - http://felter.org/wesley/
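
Added example, not part of the messages above and not Passport's actual protocol: a minimal sketch of the token model Chris Hanson describes, using a swiss number as Wesley Felter defines it. The password is typed only at the authentication provider, and the relying site gets a single-use random token that it asks the provider to validate. The class names, the 60-second lifetime, the site names and the in-memory stores are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time


class IdentityProvider:
    """The only party that ever sees the user's password."""

    TOKEN_TTL = 60  # seconds a swiss number stays redeemable (assumed value)

    def __init__(self):
        self._users = {}   # user_id -> (salt, password_hash, preferences)
        self._tokens = {}  # swiss number -> (user_id, audience, expiry)
        self._dummy_salt = secrets.token_bytes(16)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user_id, password, preferences):
        salt = secrets.token_bytes(16)
        self._users[user_id] = (salt, self._hash(password, salt), dict(preferences))

    def login(self, user_id, password, audience, now=None):
        """Check the password and mint a swiss number bound to one site."""
        salt, stored, _ = self._users.get(user_id, (self._dummy_salt, b"", None))
        # Hash even for unknown users so both paths cost about the same time.
        candidate = self._hash(password, salt)
        if not hmac.compare_digest(stored, candidate):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        now = time.time() if now is None else now
        self._tokens[token] = (user_id, audience, now + self.TOKEN_TTL)
        return token

    def redeem(self, token, audience, now=None):
        """Back-channel call made by the relying site, never by the browser."""
        # pop() makes the number single use: any redemption attempt burns it.
        entry = self._tokens.pop(token, None)
        if entry is None:
            return None
        user_id, bound_audience, expiry = entry
        now = time.time() if now is None else now
        if audience != bound_audience or now > expiry:
            return None
        return {"user_id": user_id, "preferences": dict(self._users[user_id][2])}


class RelyingSite:
    """A site that wants to know who the user is without seeing a password."""

    def __init__(self, name, provider):
        self.name = name
        self._provider = provider
        self.sessions = {}  # local session id -> identity from the provider

    def handle_return(self, token, now=None):
        """Handle the redirect that brings the browser back with a token."""
        identity = self._provider.redeem(token, self.name, now=now)
        if identity is None:
            return None
        session_id = secrets.token_urlsafe(32)  # the site's own cookie value
        self.sessions[session_id] = identity
        return session_id


def demo():
    idp = IdentityProvider()
    idp.register("alice", "correct horse", {"lang": "en"})  # constructed data
    weblog = RelyingSite("weblog.example", idp)
    shop = RelyingSite("shop.example", idp)

    token = idp.login("alice", "correct horse", audience=weblog.name, now=1000)
    results = {"session": weblog.handle_return(token, now=1010)}
    results["replayed"] = weblog.handle_return(token, now=1011)

    other = idp.login("alice", "correct horse", audience=weblog.name, now=2000)
    results["wrong_site"] = shop.handle_return(other, now=2001)

    stale = idp.login("alice", "correct horse", audience=weblog.name, now=3000)
    results["expired"] = weblog.handle_return(stale, now=3061)

    results["bad_password"] = idp.login("alice", "guess", audience=weblog.name)
    return results, weblog


if __name__ == "__main__":
    outcome, _ = demo()
    for name, value in outcome.items():
        print(name, "->", "accepted" if value else "rejected")
```

Because the relying site only ever handles the token, a leak there exposes one short-lived, single-site login rather than a password the user may have reused elsewhere.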
                                    • Simon Fell
                                      Message 18 of 25 , Sep 2, 2001
                                        If you want to come up to speed on how passport works, then the slides
                                        from Keith Brown's presentation on passport at conference.NET are
                                        available from
                                        http://www.develop.com/conferences/conferencedotnet/materials/W7.pdf

                                        Cheers,
                                        Simon
                                        www.pocketsoap.com

                                        Sunday, September 02, 2001, 7:52:15 PM, you wrote:

                                        > On Sun, 2 Sep 2001, Chris Hanson wrote:

                                        >> Single sign-on needs a system where you authenticate to your
                                        >> authentication provider, provide other parties with an authentication
                                        >> token of some sort, and have your provider validate that token.
                                        >> (This is the Kerberos model.)

                                        > Passport does this...

                                        >> I've been wondering if this might be possible with cookies somehow;
                                        >> the problem is that cookies only get sent to the site that set the
                                        >> cookie.

                                        > ...using cookies, redirects, and some swiss numbers IIRC.

                                        > (A "swiss number" is an unguessable random number, which can come in handy
                                        > in surprisingly many situations. I will also head off the nit-pickers by
                                        > pointing out that "unguessable" and "random" are very tricky concepts that
                                        > have caused sleepless nights for many a cryptographer.)

                                        > Wesley Felter - wesley@... - http://felter.org/wesley/


                                      • Lucas Gonze
                                        Message 19 of 25 , Sep 4, 2001
                                          The size of the pool of users is the most important factor. There already exist
                                          pools of users that are large enough to prevent plausible competition from any
                                          new system. AOL and MS are building off their respective IM user pools combined
                                          with all their account-holding web users. The only decentralized pool of user
                                          identities that is large enough to compete is email.

                                          - Lucas
                                        • Bill Kearney
                                          Message 20 of 25 , Sep 5, 2001
                                            > James, that's probably why Microsoft is interested in this. They want
                                            > control of the demographic information, and they'll probably offer you
                                            > deals on everything you do now independently. In a sense they will
                                            > become your co-publisher. Dave

                                            That's just more FUD. There's nothing stopping a site that uses
                                            hailstorm from collecting their OWN data, independent of anything up
                                            on passport.
                                          • Lucas Gonze
                                            Message 21 of 25 , Sep 5, 2001
                                              IMO demographic info is a nice add-on, but strategic control leading to a
                                              rent-not-own revenue model is the point.

                                              In any event, it doesn't matter who owns the data as long as there exists a
                                              standard user ID that different sites can use to cross-tabulate.

                                              > > James, that's probably why Microsoft is interested in this. They want
                                              > > control of the demographic information, and they'll probably offer you
                                              > > deals on everything you do now independently. In a sense they will
                                              > > become your co-publisher. Dave
                                              >
                                              > That's just more FUD. There's nothing stopping a site that uses
                                              > hailstorm from collecting their OWN data, independent of anything up
                                              > on passport.
                                            • steve jenson
                                              Message 22 of 25 , Sep 5, 2001
                                                Quoting Bill Kearney (wkearney99@...):

                                                > > James, that's probably why Microsoft is interested in this. They want
                                                > > control of the demographic information, and they'll probably offer you
                                                > > deals on everything you do now independently. In a sense they will
                                                > > become your co-publisher. Dave
                                                >
                                                > That's just more FUD. There's nothing stopping a site that uses
                                                > hailstorm from collecting their OWN data, independent of anything up
                                                > on passport.

                                                Except for the simple fact that people are using Passport so that they
                                                _don't_ have to fill their information in twice and so they won't. And if
                                                you try and make them, they'll just stop using your site.


                                                regards,
                                                steve

                                                --
                                                steve jenson <stevej@...> http://sieve.net/
                                                PGP fingerprint: 79D0 4836 11E4 A43A 0179 FC97 3AE2 008E 1E57 6138
                                                "vi has two modes; the one where it beeps, and the one where it doesn't."
                                              • Todd Boyle
                                                Message 23 of 25 , Sep 5, 2001
                                                  At 01:17 PM 9/5/01, Lucas Gonze wrote:
                                                  >IMO demographic info is a nice add-on, but strategic control leading to a
                                                  >rent-not-own revenue model is the point.

                                                  You mean tax. Rent is OK, if people want to rent. But there has
                                                  to be choice. And that means, Microsoft cannot be the
                                                  custodian of anything like Passport.

                                                  >In any event, it doesn't matter who owns the data as long as there exists a
                                                  >standard user ID that different sites can use to cross-tabulate.

                                                  .... and once again, as long as users have a choice to opt
                                                  out of that kind of tabulating. And access to the resources
                                                  on the internet without that "standard User ID".

                                                  There's a very important and subtle game going on, which
                                                  will determine whether the internet becomes a mass,
                                                  horizontal and mediocre thing like television or something that is
                                                  capable of expressing the diversity of humanity. --Even
                                                  the feared, prohibited, and unmentionable things. Only an
                                                  unconscious society can fear information itself,
                                                  intentionally deciding not to know, and deciding to squash
                                                  the activities of its members even though they injure
                                                  nobody.

                                                  Todd
                                                  -- -------- "I came here to live out loud. -Zola"
                                                  http://www.smh.com.au/icon/0108/28/news1000.html
                                                • dir@badblue.com
                                                  Message 24 of 25 , Sep 6, 2001
                                                    The SAML (security assertion markup language) deals with this very
                                                    issue... distribution of trust for cross-domain authentication and
                                                    authorization.

                                                    More info: http://xml.coverpages.org/saml.html

                                                    --doug

                                                    --- In decentralization@y..., Julian Bond <julian_bond@v...> wrote:
                                                    > There are a vast number of web sites that require an ID and password but
                                                    > which have relatively low security requirements. It would make life
                                                    > easier for users of those sites if they didn't have to retype all their
                                                    > preferences and create a new ID and password.
                                                    >
                                                  • Tom Hume
                                                    Message 25 of 25 , Sep 11, 2001
                                                      At 07:52 02/09/2001 +0100, Julian Bond wrote:
                                                      >There are a vast number of web sites that require an ID and password but
                                                      >which have relatively low security requirements. It would make life
                                                      >easier for users of those sites if they didn't have to retype all their
                                                      >preferences and create a new ID and password.
                                                      >What if the registration form or sign on form had three fields
                                                      >1) ID
                                                      >2) password
                                                      >3) get my preferences from this URL
                                                      >What's wrong with this picture?

                                                      Requiring average users to know a URL where their preferences are stored.
                                                      It needs to be more transparent than that.


                                                      --
                                                      Future Platforms :: http://www.futureplatforms.com/
                                                      t +44 (0) 1273 699529 // m +44 (0) 7971 781422 // e tom@...