a simpler authorization protocol

  • Lucas Gonze
    Message 1 of 23 , Nov 10, 2004
      At account creation time, you ask for the URL of a page which the user has
      exclusive ability to edit. When the user needs to recover their password,
      you emit a secret and ask them to add it to that web page.

      Not ultra secure, but good enough to avoid the need for an email address.

      - Lucas
    • Nick Lothian
      Message 2 of 23 , Nov 10, 2004
        What's the advantage over requiring an email address?

        > -----Original Message-----
        > From: Lucas Gonze [mailto:lucas@...]
        > Sent: Thursday, 11 November 2004 11:22 AM
        > To: decentralization@yahoogroups.com
        > Subject: [decentralization] a simpler authorization protocol
        > At account creation time, you ask for the URL of a page which
        > the user has
        > exclusive ability to edit. When the user needs to recover
        > their password,
        > you emit a secret and ask them to add it to that web page.
        >
        > Not ultra secure, but good enough to avoid the need for an
        > email address.
        >
        > - Lucas
        > Announce or discover P2P conferences on the P2P Conference Wiki at
        > http://www.neurogrid.net/twiki/bin/view/Main/PeerToPeerConferences
        > Yahoo! Groups Links
      • Lucas Gonze
        Message 3 of 23 , Nov 10, 2004
          Users hate giving email addresses, because email is a push medium, and any
          push medium allows spam. What inspired me about this idea is that it
          flips the interaction, so that password recovery doesn't require the user
          to provide a pushable address.

          - Lucas

          On Thu, 11 Nov 2004, Nick Lothian wrote:

          > What's the advantage over requiring an email address?
        • Mark Baker
          Message 4 of 23 , Nov 10, 2004
            On Wed, Nov 10, 2004 at 02:52:24PM -1000, Lucas Gonze wrote:
            > At account creation time, you ask for the URL of a page which the user has
            > exclusive ability to edit. When the user needs to recover their password,
            > you emit a secret and ask them to add it to that web page.
            >
            > Not ultra secure, but good enough to avoid the need for an email address.

            Technorati uses a mechanism like this when you want to claim a weblog;

            "Enter the main URL for each weblog that you wish to claim in the
            members area. You'll receive an email from Technorati with a snippet
            of HTML code to add into your weblog configuration. Simply
            cut-and-paste the HTML into your weblog template (usually it is best
            to put it into your blogroll or external links section), and save your
            weblog! For most blogging packages, that's all you have to do. The
            next time Technorati indexes your weblog, it will see the special HTML
            code, and will update your account to show that you have claimed your
            weblog."
            -- http://technorati.com/help/using-technorati.html#claiming

            Mark.
            --
            Mark Baker. Ottawa, Ontario, CANADA. http://www.markbaker.ca
          • Lucas Gonze
            Message 5 of 23 , Nov 11, 2004
              More related info on authentication via url ownership:
              http://blog.monstuff.com/archives/000153.html

              I'd characterize this way of doing things as pull authentication, since a
              user demonstrates their identity by pulling a token into the resource at a
              predefined URL.

              - Lucas
            • Mike Dierken
              Message 6 of 23 , Nov 14, 2004
                What about one-shot email addresses?
                I built searchalert.net primarily as an email notification system, so
                I stuck with email based verification, but I also have Web
                notifications (HTTP POST) and have been trying to figure out a good
                way to verify those.

                I do agree that a system based on unsolicited requests for your
                attention will devolve into spam at some point.


                On Wed, 10 Nov 2004 16:33:33 -1000 (HST), Lucas Gonze <lucas@...> wrote:
                > Users hate giving email addresses, because email is a push medium, and any
                > push medium allows spam. What inspired me about this idea is that it
                > flips the interaction, so that password recovery doesn't require the user
                > to provide a pushable address.
              • Mike Dierken
                Message 7 of 23 , Nov 14, 2004
                  Like this:
                  http://www.halfbakery.com/idea/One-Shot_20Email



                  On Sun, 14 Nov 2004 16:40:12 -0800, Mike Dierken <dierken@...> wrote:
                  > What about one-shot email addresses?
                  > I built searchalert.net primarily as an email notification system, so
                  > I stuck with email based verification, but I also have Web
                  > notifications (HTTP POST) and have been trying to figure out a good
                  > way to verify those.
                  >
                  > I do agree that a system based on unsolicited requests for your
                  > attention will devolve into spam at some point.
                • Lucas Gonze
                  Message 8 of 23 , Nov 14, 2004
                    On Sun, 14 Nov 2004, Mike Dierken wrote:
                    > What about one-shot email addresses?
                    > I built searchalert.net primarily as an email notification system, so
                    > I stuck with email based verification, but I also have Web
                    > notifications (HTTP POST) and have been trying to figure out a good
                    > way to verify those.

                    I think that most users have disposable webmail accounts to do about the
                    same thing as a one-shot address. The problem is that they still hate
                    giving those addresses away, so you still lose users over something
                    unimportant.

                    What do you do with the POSTs, Mike?

                    ...

                    Anyway, in the meantime I have slapped together a working prototype using
                    a handshake similar to the one Julien Couvreur described at
                    http://blog.monstuff.com/archives/000153.html

                    I made a couple modifications to that algorithm:
                    1) Stateless -- uses nothing but GETs and redirects.
                    2) No crypto tools -- Uses hashes instead of asymmetric keys.

                    My code is still too much of a mess to make public, but it's a working
                    system that people can experiment with, so if anybody's interested in the
                    URL send me an email.

                    - Lucas
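The URL-ownership handshake from the first message, in the stateless, hash-based form Lucas describes here (a MAC over the registered URL plus an expiry instead of stored state or asymmetric keys). This is an added example, not code from the thread or from Lucas's prototype; the server key, the registered URL and the fetch function are constructed stand-ins.

```python
"""
Pull authentication for password recovery, stateless variant.

The server keeps only a secret key. The token it hands the user is an HMAC
over the registered URL and an expiry time, so later it can re-derive the
token instead of looking it up, then fetch the registered page to see whether
the token has been placed there.
"""
import hashlib
import hmac
import time
from typing import Callable, Optional
from urllib.parse import urlsplit

# Assumption: a long-lived server-side secret; constructed demo value.
SERVER_KEY = b"constructed-demo-server-key"
TOKEN_TTL_SECONDS = 3600


def _mac(url: str, expires: int, key: bytes) -> str:
    # Binding both the URL and the expiry into the MAC means a token minted
    # for one account's page cannot be accepted for another page or after
    # its deadline, and the server needs no per-challenge state.
    msg = f"{expires}|{url}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_challenge(url: str, now: Optional[int] = None, key: bytes = SERVER_KEY) -> str:
    """Return the string the user must add to their registered page."""
    expires = int(now if now is not None else time.time()) + TOKEN_TTL_SECONDS
    return f"recover-{expires}-{_mac(url, expires, key)}"


def _parse_token(token: str):
    parts = token.split("-")
    if len(parts) != 3 or parts[0] != "recover" or not parts[1].isdigit():
        return None
    return int(parts[1]), parts[2]


def verify_claim(registered_url: str, token: str, fetch: Callable[[str], str],
                 now: Optional[int] = None, key: bytes = SERVER_KEY) -> bool:
    """
    True only if the token is well-formed, unexpired, was minted by us for
    this exact registered URL, and now appears in the body served there.
    `fetch(url) -> str` is injected so the check can run offline.
    """
    parsed = _parse_token(token)
    if parsed is None:
        return False
    expires, mac = parsed
    current = int(now if now is not None else time.time())
    if current > expires:
        return False
    # Recompute rather than look up: this is what makes the scheme stateless.
    if not hmac.compare_digest(mac, _mac(registered_url, expires, key)):
        return False
    # Only ever fetch the URL recorded at account creation, over http(s);
    # nothing supplied at recovery time may steer the fetch elsewhere.
    if urlsplit(registered_url).scheme not in ("http", "https"):
        return False
    try:
        body = fetch(registered_url)
    except Exception:
        return False
    return token in body


# Constructed stand-ins for the user's page and for the HTTP GET.
FAKE_WEB = {}


def fake_fetch(url: str) -> str:
    if url not in FAKE_WEB:
        raise LookupError(url)
    return FAKE_WEB[url]


def demo(now: int = 1_100_000_000) -> dict:
    url = "http://example.org/lucas/"  # assumption: the page registered at signup
    token = issue_challenge(url, now=now)
    before = verify_claim(url, token, fake_fetch, now=now)
    FAKE_WEB[url] = f"<p>my blog</p><!-- {token} -->"   # user pastes the secret in
    after = verify_claim(url, token, fake_fetch, now=now)
    stale = verify_claim(url, token, fake_fetch, now=now + TOKEN_TTL_SECONDS + 1)
    other = verify_claim("http://example.org/mallory/", token, fake_fetch, now=now)
    return {"before": before, "after": after, "stale": stale, "other_url": other}


if __name__ == "__main__":
    print(demo())
```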
                  • Lucas Gonze
                    Message 9 of 23 , Nov 14, 2004
                      Marc Canter blogs on Sxip:
                      http://marc.blogs.it/archives/2004/11/universal_inter.html
                      ...

                      Universal Internet identity system sought for everyone

                      Dick Hardt wants nothing less than to help create a permanent online
                      digital identity for everyone in the world. And he believes he's on the
                      verge of doing just that.

                      The Vancouver-based tech entrepreneur and founder of ActiveState -- which
                      sold a year ago for $23 million US -- has now put his money and his energy
                      behind a universal Internet ID.

                      No more having one identity for eBay, a second for your bank, a third for
                      Amazon and yet another for the place that stores your photos online.

                      "Right now you have these little walled gardens, with your identity in
                      this area and your identity in that area," said Hardt in an interview in
                      the Gastown offices of the 20-employee Sxip Networks (www.sxip.com).

                      Hardt wants to break down those walls. And to that end, he is now rolling
                      out the Sxip Network.

                      It's designed to be the backbone for the flow of information about your
                      globally unique personal identifier (or gupi), which will release as much
                      or as little information about you as you permit, depending on the
                      situation.

                      Sxip (pronounced skip) will carry the data back and forth between you, the
                      website asking for the personal information and your trusted homesite --
                      such as a bank or perhaps a government agency or even a major site like
                      Google or whoever you believe is trustworthy. The security of your gupi is
                      not a concern of Sxip, but of the homesite, just as it is now with your
                      bank.

                      The Sxip Network will, of necessity, be a monopoly, but, adds Hardt, a
                      benevolent one, with tough rules about what it can and cannot do and
                      smallish revenues of between $10 million and $20 million a year. These
                      will come from charging fees to member sites and home sites for the use of
                      the network.

                      "I like the idea of getting a regular cash stream, but that's not a big
                      draw from an investment point of view," said Hardt.

                      Where Hardt does see major revenues, and profits, is in a spin-out company
                      about to be launched, called Sxip Blu.

                      Operated separately from the Sxip Network monopoly, it will create tools
                      that can be used by websites, corporations, governments and others to
                      adapt to their particular needs when it comes to a gupi.

                      Although Sxip Networks has released its technology to the open-source
                      community Hardt hopes to use the expertise gained in building the network
                      so that Sxip Blu is the company people come to when they want help with
                      using the Sxip Network.

                      "Sxip doesn't have a monopoly on that part of it, they just have a
                      competitive advantage," said Hardt.

                      Of course, all of this depends on Sxip Networks becoming an irresistible
                      force and lining up enough big customers -- say the Amazons and the
                      Googles, the Yahoos and the Microsofts (all of which Hardt says he's
                      talking with) -- to give it traction.

                      So far, Sxip has only announced one home site, Midentity Limited
                      (www.midentity.com) a British-based digital ID company, but Hardt said
                      others will soon be announced.

                      Hardt said he hopes that he can get B.C.'s provincial government
                      interested in using the network as one proof that it works well.

                      ALL ABOUT HOW SXIP WORKS:

                      The problem:

                      Most Net users have multiple identities online. This means separate
                      sign-ins, separate passwords and the hassle of remembering all of that.

                      Also, new sites constantly demand you set up IDs with them.

                      At the same time, sites only really need certain specific information
                      about you. One might require a credit-card number, another might want to
                      know your Care Card number, another might want to know where you live.

                      Naturally, when you're giving out information you want your privacy
                      maintained. Nobody needs all your information.

                      In their turn, sites need a quick, efficient way of getting your personal
                      information from you.

                      The Sxip solution: A digital ID that offers those websites -- whether
                      commercial- or government-run -- no more information about you than they
                      require, certainly no more than you're prepared to give them.

                      If information beyond the level you set is requested, then you would be
                      asked to approve its release.

                      HOW THIS WOULD WORK:

                      Information would flow over the Sxip Network.

                      Your digital ID -- a globally unique persona identifier (gupi) -- would be
                      stored with a trusted homesite, perhaps your bank or well-known online
                      company or perhaps even the government.

                      On launching your browser, or when you arrive at a website (or membersite)
                      requesting information, you would sign in with the homesite that stores
                      your gupi.
                      ...
                    • Julian Bond
                      Message 10 of 23 , Nov 14, 2004
                        Mike Dierken <dierken@...> wrote:
                        >I do agree that a system based on unsolicited requests for your
                        >attention will devolve into spam at some point.

                        There's a social paradox here that systems like Linkedin attempt to
                        solve.

                        There are a lot of people who:-
                        - Want to network and receive unsolicited approaches from people who can
                        provide mutual benefit.
                        - Don't want to receive spam and want to be able to block unsolicited
                        approaches from people who are a PITA.

                        What we need for this is systems that allow "arms length" initial
                        communication. Something that allows the progressive opening up of
                        layers of protection as the relationship deepens. The problem with email
                        addresses now seems to be that they are binary. Keep them secret or be
                        deluged by spam with nothing in between.

                        "True Names" comes to mind here as does all the work on anonymous
                        remailers.

                        --
                        Julian Bond Email&MSM: julian.bond at voidstar.com
                        Webmaster: http://www.ecademy.com/
                        Personal WebLog: http://www.voidstar.com/
                        M: +44 (0)77 5907 2173 T: +44 (0)192 0412 433
                      • Julian Bond
                        Message 11 of 23 , Nov 14, 2004
                          Lucas Gonze <lucas@...> wrote:
                          >Marc Canter blogs on Sxip:
                          >http://marc.blogs.it/archives/2004/11/universal_inter.html
                          >...
                          >
                          >Universal Internet identity system sought for everyone

                          SXIP == Passport/Liberty done properly. They deserve to do well.

                          However readers of this group might ponder on the issue that SXIP
                          depends on a DNS record of the form foo.bar.com.simple.sxip.net This
                          gives them the choke point that would let them make some money. But it's
                          not exactly de-centralised.

                          I don't want to undermine SXIP when they're just getting going. But I do
                          think there may be a way of making this completely distributed. The
                          technical problem revolves around cross site cookies being banned.

                          --
                          Julian Bond Email&MSM: julian.bond at voidstar.com
                          Webmaster: http://www.ecademy.com/
                          Personal WebLog: http://www.voidstar.com/
                          M: +44 (0)77 5907 2173 T: +44 (0)192 0412 433
                        • Mike Dierken
                          Message 12 of 23 , Nov 15, 2004
                            > I think that most users have disposable webmail accounts to do about the
                            > same thing as a one-shot address. The problem is that they still hate
                            > giving those addresses away, so you still lose users over something
                            > unimportant.
                            You are probably right.

                            >
                            > What do you do with the POSTs, Mike?
                            I send search results to Web destinations like Blogs and such via
                            several Web APIs and content formats (WeblogAPI, RSS 0.91, Blogger
                            API, Atom API, TrackBack, plain text, simple mod-pubsub, etc).

                            I haven't come up with a way to authenticate that the URI specified by
                            a user (typically a blog) is actually controlled by that user. I
                            probably could look at each API and determine a way to traverse the
                            links to find a resource that might be used to host a verification
                            token, but there are a lot of potential APIs...

                            If you have an account you can view the list here:
                            http://www.searchalert.net/searchalert/destinations/add.jsp

                            You can see some results at my 'test' blog:
                            http://dierken.blogspot.com
                          • Mike Dierken
                            Message 13 of 23 , Nov 15, 2004
                              > What we need for this is systems that allow "arms length" initial
                              > communication. Something that allows the progressive opening up of
                              > layers of protection as the relationship deepens.
                              Interesting. I hadn't seen this put so succinctly before.
                            • Mike Dierken
                              Message 14 of 23 , Nov 15, 2004
                                > But I do think there may be a way of making this completely distributed. The
                                > technical problem revolves around cross site cookies being banned.
                                Do you mean that the solution involves enabling cross site cookies?
                              • Martin Peck
                                Message 15 of 23 , Nov 15, 2004
                                  On Mon, 15 Nov 2004 21:51:11 -0800, Mike Dierken <dierken@...> wrote:
                                  > > What we need for this is systems that allow "arms length" initial
                                  > > communication. Something that allows the progressive opening up of
                                  > > layers of protection as the relationship deepens.
                                  > Interesting. I hadn't seen this put so succinctly before.

                                  Iterative deepening is a wonderful technique to use in distributed and
                                  decentralized systems. It can provide a robust form of implicit
                                  feedback and allows the end user to determine the depth of
                                  communication desired.

                                  As for single sign on (Sxip), I only see this working for homogeneous
                                  security domains. The likelihood of a system being used for on line
                                  banking as well as weblog comment posting is almost zero.

                                  Regards,
                                • Julian Bond
                                  Message 16 of 23 , Nov 15, 2004
                                    Mike Dierken <dierken@...> wrote:
                                    >> But I do think there may be a way of making this completely distributed. The
                                    >> technical problem revolves around cross site cookies being banned.
                                    >Do you mean that the solution involves enabling cross site cookies?

                                    Maybe. The problem is identifying in the browser where the home site
                                    profile and authentication is held. There's really only three solutions.
                                    - Ask the user. ie Drupal's remote auth
                                    - Display an image provided by the home site. ie Passport signin button
                                    - Use a common domain that both home site and member site recognise. ie
                                    xxx.sxip.net

                                    To completely decentralise this, you need any site to be able to put a
                                    button on a login or account creation form that says "Get Auth from your
                                    home site" without prior knowledge of where the home site is or prior
                                    relationship between the home site and member site. And for the browser
                                    to then start the redirection process based on information it's already
                                    got. There's clearly some tricky trust issues here about prior
                                    federation of authentication between the sites.

                                    All of this stuff and patterns for dealing with it have been worked out
                                    and documented by the Liberty group. It's just that their focus is on
                                    looking at the relationship between say Amex and Fedex. Whereas mine is
                                    between Wordpress and Slashdot.

                                    But it does all become easier if there's at least one central party. My
                                    Wordpress site could use SXIP in the knowledge that any profile and auth
                                    home site had been authenticated by them and was reasonably trustworthy.

                                    This is one extra layer of indirection from saying "get the auth and
                                    profile from Typekey". Now we're saying something like "get the auth and
                                    profile from any Typekey like service known to SXIP". The question is
                                    whether we can get to "get the auth and profile from any Typekey like
                                    service".

                                    --
                                    Julian Bond Email&MSM: julian.bond at voidstar.com
                                    Webmaster: http://www.ecademy.com/
                                    Personal WebLog: http://www.voidstar.com/
                                    M: +44 (0)77 5907 2173 T: +44 (0)192 0412 433
                                  • Lucas Gonze
                                    Message 17 of 23 , Nov 15, 2004
                                      On Mon, 15 Nov 2004, Martin Peck wrote:

                                      >
                                      > On Mon, 15 Nov 2004 21:51:11 -0800, Mike Dierken <dierken@...> wrote:
                                      >>> What we need for this is systems that allow "arms length" initial
                                      >>> communication. Something that allows the progressive opening up of
                                      >>> layers of protection as the relationship deepens.
                                      >> Interesting. I hadn't seen this put so succinctly before.
                                      >
                                      > Iterative deepening is a wonderful technique to use in distributed and
                                      > decentralized systems. It can provide a robust form of implicit
                                      > feedback and allows the end user to determine the depth of
                                      > communication desired.

                                      Are there systems that use it which I can look at, Martin? I'm having a
                                      hard time picturing what it would look like in practice.

                                      - Lucas
                                    • Julian Bond
                                      Message 18 of 23 , Nov 16, 2004
                                        Martin Peck <coderman@...> wrote:
                                        >As for single sign on (Sxip), I only see this working for homogeneous
                                        >security domains. The likelihood of a system being used for on line
                                        >banking as well as weblog comment posting is almost zero.

                                        Agreed. But while lots of work is being done in the B2B area the only
                                        people I'm aware of working at the weblog end, and with something
                                        demonstrable is SXIP. The thing is Passport has failed, Liberty is aimed
                                        at B2B. Which means there's a chance for a properly architected bottom
                                        up solution to become the standard. If it's built right there's no
                                        telling how high up the ladder it could go.

                                        This is a pretty boring area ;-) but at the weblog end, comments spam is
                                        a problem we all have *right now*. And the spammers and scammers are
                                        getting more inventive and prepared to do work. It's not at all unusual
                                        now for a scammer to go through the whole signon process, wait a week
                                        and then use the system's internal processes to start sending the
                                        message.

                                        We're seeing each major blog platform introduce its own centralised
                                        authentication to try and deal with this. So in order to leave a comment
                                        I have to have a Blogger, Typekey, Userland, etc etc account depending
                                        on where the blog is located. I'd much rather just say "My authenticated
                                        home account is at Ecademy, use that" and with no changes to any of the
                                        systems, you should be able to say "My authenticated home account is at
                                        TuCows, use that".

                                      • Lucas Gonze
                                        Message 19 of 23 , Nov 16, 2004
                                          On Tue, 16 Nov 2004, Julian Bond wrote:
                                          > Martin Peck <coderman@...> wrote:
                                          >> As for single sign on (Sxip), I only see this working for homogeneous
                                          >> security domains. The likelihood of a system being used for on line
                                          >> banking as well as weblog comment posting is almost zero.
                                          >
                                          > Agreed. But while lots of work is being done in the B2B area the only
                                          > people I'm aware of working at the weblog end, and with something
                                          > demonstrable is SXIP. The thing is Passport has failed, Liberty is aimed
                                          > at B2B. Which means there's a chance for a properly architected bottom
                                          > up solution to become the standard. If it's built right there's no
                                          > telling how high up the ladder it could go.
                                          >
                                          > This is a pretty boring area ;-) but at the weblog end, comments spam is
                                          > a problem we all have *right now*.

                                          Ok, then say there is an authentication system. How does that help with
                                          comment spam? I don't mean to troll, but I've been thinking about it and
                                          can't see a way short of fairly heavyweight web of trust things.

                                          - Lucas
                                        • Julian Bond
                                          Message 20 of 23 , Nov 16, 2004
                                            Lucas Gonze <lucas@...> wrote:
                                            >Ok, then say there is an authentication system. How does that help with
                                            >comment spam? I don't mean to troll, but I've been thinking about it and
                                            >can't see a way short of fairly heavyweight web of trust things.

                                            The short answer is I don't know! But here's a proposal.
                                            - You can't rely on pre-verification, so all you can do is kill it
                                            quickly.
                                            - Combine the ideas in Razor, single signon and the Orkut Jail
                                            - It's easier if there is a central Rootsite tracking GUPIs (to use SXIP
                                            terminology)

                                            So allow any single signon authenticated person to report an example of
                                            comments spam. Put the accused in jail where their single signon stops
                                            working for a week. Report the event to the Homesite. Automatically
                                            release them at the end of the week. After three strikes disable that
                                            GUPI completely.

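Julian's jail proposal above, as an added worked model (not code from SXIP, nor from anyone on this thread). It assumes a hypothetical Rootsite that tracks GUPIs, takes a report from any authenticated member, jails the accused for a week, notifies the Homesite, releases automatically, and disables the GUPI after three strikes. It adds two checks the post does not state: a reporter must be in good standing (a jailed or disabled GUPI cannot report anyone), and one reporter can contribute at most one strike per accused, so a single hostile member cannot walk a victim to the third strike alone.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

JAIL_TERM = timedelta(days=7)   # "stops working for a week"
MAX_STRIKES = 3                 # "after three strikes disable that GUPI"


@dataclass
class Record:
    strikes: int = 0
    jailed_until: Optional[datetime] = None
    disabled: bool = False
    reporters: Set[str] = field(default_factory=set)  # who has already struck this GUPI


class Rootsite:
    """Hypothetical central Rootsite tracking GUPIs and their jail state."""

    def __init__(self) -> None:
        self.records: Dict[str, Record] = {}
        # Events that would be pushed to the accused's Homesite: (gupi, event)
        self.homesite_log: List[Tuple[str, str]] = []

    def _rec(self, gupi: str) -> Record:
        return self.records.setdefault(gupi, Record())

    def is_authenticated(self, gupi: str, now: datetime) -> bool:
        """Single sign-on check: False while jailed or once disabled; releases automatically."""
        r = self._rec(gupi)
        if r.disabled:
            return False
        if r.jailed_until is not None:
            if now < r.jailed_until:
                return False
            r.jailed_until = None  # term over: automatic release
        return True

    def report(self, reporter: str, accused: str, now: datetime) -> bool:
        """Record a comment-spam report. Returns True if it produced a strike."""
        # Added check: only a member in good standing may report, and not themselves.
        if reporter == accused or not self.is_authenticated(reporter, now):
            return False
        r = self._rec(accused)
        # Added check: each reporter counts once per accused, so three strikes need three people.
        if r.disabled or reporter in r.reporters:
            return False
        # Already serving a term: do not stack strikes for the same incident.
        if r.jailed_until is not None and now < r.jailed_until:
            return False
        r.reporters.add(reporter)
        r.strikes += 1
        if r.strikes >= MAX_STRIKES:
            r.disabled = True
            self.homesite_log.append((accused, "disabled"))
        else:
            r.jailed_until = now + JAIL_TERM
            self.homesite_log.append((accused, "jailed until " + r.jailed_until.isoformat()))
        return True
```

The Homesite notification is modelled as a log entry; in a real deployment it would be a signed message to the Homesite, and the Homesite rather than the Rootsite is the party that can act on the underlying account.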
                                          • Julien Couvreur
                                            Message 21 of 23 , Nov 16, 2004
                                              Julian Bond [julian_bond@...] wrote:
                                              > SXIP == Passport/Liberty done properly. They deserve to do well.

                                              Without going into the implementation details (whether browsers can
                                              copy cookies from domain to domain, etc.) I think one problem with all
                                              federated authentications is trust.

                                              (quote from http://blog.monstuff.com/archives/000173.html)
                                              "Ben seems to think that a federated system is definitely better than
                                              a centralized one. I think there are obvious advantages like allowing
                                              interop, competition and enhanced network effect, but also the
                                              difficulties with federation go beyond the simple challenge of sending
                                              the user to the appropriate authentication provider when he needs to
                                              sign in.

                                              The real problem is with the service that is going to consume the
                                              identity assertion. Which identities/providers/realms should it trust?
                                              You wouldn't let any "bank" join the VISA network, would you?
                                              Or if you are Paypal, would you choose to support users accounts
                                              provided by Passport, TypeKey or both? What is the risk you are taking
                                              by integrating TypeKey into your business? If TypeKey is found to have
                                              a security hole, how confident are you that it'll be handled to your
                                              satisfaction?

                                              But we can assume that building a business is not the goal here, only
                                              to offer single sign-on to community sites and help fight comment
                                              spam...

                                              Still, spammers could start creating hundreds of authentication
                                              services, or hacking into some competitors (that aren't as well
                                              administered/secured as TypeKey might be) to create spam accounts or
                                              hijack legit accounts. As a consumer of identity assertions you still
                                              care about the issuer of these."


                                              I am starting to think that the solution is going to require some
                                              browser changes and will resemble PKI certs. A user will hold
                                              "capabilities" (see http://www.erights.org/ ) or handles for the
                                              various distributed resources that he can access, will store them
                                              either locally (USB, smartcard), a website or in a
                                              replicated/private/P2P folder.

                                              For example, you would have a capability representing your Amazon
                                              account and a capability to your bank account. When you go to Amazon,
                                              if you need to authenticate (to get access to your shopping cart),
                                              Amazon, your browser, your capability storage and yourself will work
                                              together to provide the "amazon account" capability to your browsing
                                              session.
                                              There is still the problem that you need to fill some data for Amazon
                                              registration. Maybe your browser needs to cooperate with Amazon and
                                              your data store again, or maybe Amazon can take a capability to a
                                              "profile provider service".

                                              Capabilities can be combined and restricted in many ways. For example,
                                              the "visa credit card" capability could be used to generate an "amazon
                                              only, 100$ max debit, unlimited credit, revocable, 24h duration"
                                              capability. Amazon would only trust visa credit card capabilities from
                                              some sources.
                                              Similarly, a capability to your profile could restrict which pieces of
                                              information are shared.

                                              The browser needs to be modified to make these scenarios as simple as
                                              possible. Also, some taxonomy and semantics need to be defined, so
                                              that Amazon can express the capabilities that it needs and can
                                              negotiate with the user or any automated agent representing the user.

                                              What do you think?
                                              Julien
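Julien's attenuation example ("amazon only, 100$ max debit, 24h duration, revocable" derived from a "visa credit card" capability, and a profile capability restricted to some fields), as an added worked example. This is not code from erights.org or from anyone on this thread; it is a macaroon-style HMAC chain where the holder can add caveats but cannot remove them, and only the issuer (the hypothetical VISA or profile provider, holding the root key) can verify, which is how "Amazon would only trust visa credit card capabilities from some sources" plays out: Amazon forwards the capability to its issuer for the check. Caveat names and the request-context keys are assumptions for the example.

```python
import hashlib
import hmac
from datetime import datetime
from typing import List, Set


def _mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


class Capability:
    """Bearer token: (id, caveats, signature). Signature chains over every caveat."""

    def __init__(self, cap_id: str, caveats: List[str], sig: bytes) -> None:
        self.id, self.caveats, self.sig = cap_id, list(caveats), sig

    @classmethod
    def mint(cls, root_key: bytes, cap_id: str) -> "Capability":
        # Only the issuer knows root_key, so only the issuer can mint an unrestricted capability.
        return cls(cap_id, [], _mac(root_key, cap_id))

    def attenuate(self, caveat: str) -> "Capability":
        # The new signature is keyed by the old one, so a caveat cannot be stripped
        # without recomputing the chain from the root key.
        return Capability(self.id, self.caveats + [caveat], _mac(self.sig, caveat))


def _check(caveat: str, ctx: dict) -> bool:
    """Evaluate one caveat against the request context. Unknown caveats fail closed."""
    kind, _, arg = caveat.partition("=")
    if kind == "audience":                       # "amazon only"
        return ctx.get("audience") == arg
    if kind == "max_debit":                      # "100$ max debit"
        return ctx.get("amount", 0) <= float(arg)
    if kind == "expires":                        # "24h duration"
        now = ctx.get("now")
        return now is not None and now <= datetime.fromisoformat(arg)
    if kind == "fields":                         # profile: which pieces are shared
        allowed: Set[str] = set(arg.split(","))
        return set(ctx.get("fields", [])) <= allowed
    return False


class Issuer:
    """The party holding the root key: mints capabilities and verifies them on request."""

    def __init__(self, root_key: bytes) -> None:
        self.root_key = root_key
        self.revoked: Set[str] = set()           # "revocable": revocation lives at the issuer

    def verify(self, cap: Capability, ctx: dict) -> bool:
        if cap.id in self.revoked:
            return False
        sig = _mac(self.root_key, cap.id)
        for c in cap.caveats:
            sig = _mac(sig, c)
        if not hmac.compare_digest(sig, cap.sig):
            return False
        return all(_check(c, ctx) for c in cap.caveats)
```

Revocation here is by capability id, so revoking the card revokes every attenuated token derived from it; per-derivation revocation would need a unique id caveat added at attenuation time and checked the same way.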
                                            • Martin Peck
                                              Message 22 of 23 , Nov 17, 2004
                                                On Mon, 15 Nov 2004 21:46:27 -1000 (HST), Lucas Gonze <lucas@...> wrote:
                                                > On Mon, 15 Nov 2004, Martin Peck wrote:
                                                > > Iterative deepening is a wonderful technique ...
                                                >
                                                > Are there systems that use it which I can look at, Martin? I'm having a
                                                > hard time picturing what it would look like in practice.

                                                Hi Lucas,

                                                I should clarify that I meant iterative deepening in a more general
                                                sense (iterative refinement?) than just the traditional IDA* concept.

                                                As a general case (progressively expanding / narrowing a search or
                                                increasing detail in user interactions) this is useful for a few
                                                reasons:

                                                - It is directed by the user so early halt / termination of a query is
                                                possible. For distributed systems this can greatly improve network
                                                efficiency.

                                                - It provides an implicit feedback mechanism that can indicate
                                                relevance / interest.

                                                Some examples include the ability for some p2p clients to "expand"
                                                search from the super peers they are directly connected to more
                                                remote nodes via forwarded queries. mlDonkey is one client which
                                                supports this for example.

                                                In the case of implicit feedback the act of a user iterating through
                                                pages / sites / files can indicate relevance (if the resource was
                                                provided by a query) or the opposite if they quickly close / delete /
                                                ignore the result.

                                                One example I remember reading about (can't find the link) was an
                                                experiment where search results returned some very high level blurbs
                                                about relevant text documents or thumbnail images. As the user
                                                selected from a given set of results to obtain a detailed paragraph
                                                about the document or an image gallery the results were adjusted to
                                                use the selections as relevant for further refinement and placed less
                                                emphasis on the other results. They could continue another one or two
                                                layers of detail with the full resource (entire text / photo
                                                collection / etc) returned.

                                                In addition to improving the results for a particular user, the
                                                actions of all users were tracked and used to determine what resources
                                                were more generally relevant. These results were then displayed /
                                                presented more prominently given the higher likelihood they would be
                                                useful.

                                                Hope that makes sense. I'll try to find some papers / projects which
                                                do a better job explaining this technique and apply to real world
                                                problems like query routing and recommender systems.

                                                Regards,
                                              • Julian Bond
                                                Message 23 of 23 , Nov 17, 2004
                                                  Julien Couvreur <julien.couvreur@...> wrote:
                                                  >But we can assume that building a business is not the goal here, only
                                                  >to offer single sign-on to community sites and help fight comment
                                                  >spam...

                                                  I'm SXIP intend their service to be a business. But you're right, I'm
                                                  interested in bottom up systems to provide single sign-on, identity and
                                                  authentication for small private websites not just large corporate ones.

                                                  >Still, spammers could start creating hundreds of authentication
                                                  >services, or hacking into some competitors (that aren't as well
                                                  >administered/secured as TypeKey might be) to create spam accounts or
                                                  >hijack legit accounts. As a consumer of identity assertions you still
                                                  >care about the issuer of these."

                                                  In the spirit of de-centralization, maybe everyone should be able to run
                                                  their own identity and authentication server. Not tens or hundreds but
                                                  millions. This sounds impossible and far fetched. But my blog is already
                                                  my identity server. It just can't provide that identity in a structured
                                                  way.
