[JDEV] Single Sign-on and stuff
Iain Shigeoka
iainshigeoka at yahoo.com
Mon Oct 8 10:05:26 CDT 2001
At 02:28 PM 10/7/2001 +0100, you wrote:
>OK, this has turned into a rant, for which I apologise, but a rant it will
>be. I see this all the time: developers sacrificing usability for security,
>in the mistaken belief that black hats will tear people to pieces unless
>it's 100% impenetrable. Not true. At the end of the day, SSI is about
>convenience. I'd like to use one password to sign in to all my websites and
>yes in the future FTP servers and other things too. I'd like to type in my
>username and password once, and then for the network to remember all this
>and not prompt me again. This opens the system up to abuse of course, even
>if it's just my little brother sitting down at the keyboard while I'm out of
>the room and looking at my eGroups preferences. But I'm willing to accept
>less security for more convenience, and many other people are too. It's a
>compromise at the end of the day between the ultra-tight security of
>Kerberos and a real world implementation that's easy to use and develop for.
>I stick by it.
Hoorah! I also agree that convenience and ease of use are just as
important as "security" when designing real world systems (except when
working for the NSA or other places where they can expect you to go through
the extra hassles of "solid security"). The trick really is to balance the
two forces... hopefully allowing users the ability to adjust how secure
they need to be (but even that introduces complexity and so may not be
desirable).
I have been thinking that perhaps we should look at jabber security (and
SSO) in a different light. Right now, sign-on is equivalent to unlocking
the gates. Once inside, we have unlimited access to whatever we're
authorized to do. It is all or nothing and you have to unlock the gate to
do anything.
But signing on to a Jabber server really isn't that big a deal. So you use
up a connection on the server. Is that really that important? And what
about updating presence? Is it that disastrous that someone can overcome
your sign-on and make it look like you're online? For most the answer is no.
So perhaps it should be simple simple simple to sign on, update presence,
and send/read "insecure" messages. Like web browsing.
It should be a little more difficult to read and send secure messages
(confidentiality and nonrepudiation (signatures)... where most people are
concerned about security).
And it should be hard to break in (and a little more work to use) "really
secure" things like digital wallets when we have that on jabber.
This seems to suggest a "key ring" with various keys (credentials) and
differing levels of security. Name and password, say, to sign on once (this
is not that valuable a sign-on but is universal and simple... SSO). Then
the client must use a separate key (perhaps requiring another passphrase)
to decrypt/encrypt "secure messages". Finally, a separate passphrase and
separate security system to transact financial exchange...
I wonder if it is practical.
-iain
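The tiered key ring sketched above, as an added illustration that is not part of the original post or of any Jabber code: each tier holds its own randomly generated key, wrapped under a key derived from that tier's own passphrase, so the cheap sign-on password unlocks sign-on and nothing else. Tier names, passphrases and the PBKDF2/HMAC wrapping scheme are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Hypothetical tier names, least to most sensitive, mirroring the post's
# sign-on / secure messages / financial split.
TIERS = ("signon", "messages", "wallet")

def _kdf(passphrase: str, salt: bytes) -> bytes:
    """Derive 64 bytes per tier: 32 to wrap the tier key, 32 to authenticate the wrap."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=64)

class KeyRing:
    """One independently protected slot per tier; no slot is derived from another."""

    def __init__(self) -> None:
        self._slots: Dict[str, Tuple[bytes, bytes, bytes]] = {}

    def add_tier(self, tier: str, passphrase: str) -> bytes:
        tier_key = secrets.token_bytes(32)          # the key this tier actually uses
        salt = secrets.token_bytes(16)              # fresh salt, so the wrap key is unique
        wrap = _kdf(passphrase, salt)
        wrapped = bytes(k ^ w for k, w in zip(tier_key, wrap[:32]))
        tag = hmac.new(wrap[32:], wrapped, "sha256").digest()
        self._slots[tier] = (salt, wrapped, tag)
        return tier_key

    def unlock(self, tier: str, passphrase: str) -> Optional[bytes]:
        salt, wrapped, tag = self._slots[tier]
        wrap = _kdf(passphrase, salt)
        expected = hmac.new(wrap[32:], wrapped, "sha256").digest()
        if not hmac.compare_digest(tag, expected):
            return None                             # wrong passphrase: nothing is revealed
        return bytes(c ^ w for c, w in zip(wrapped, wrap[:32]))

def tier_isolation_check() -> Dict[str, bool]:
    """Constructed sample: the sign-on password must open only the sign-on tier."""
    ring = KeyRing()
    passphrases = {"signon": "pw1",
                   "messages": "a longer message passphrase",
                   "wallet": "yet another, separate wallet passphrase"}
    keys = {t: ring.add_tier(t, passphrases[t]) for t in TIERS}
    return {
        "signon_opens_signon": ring.unlock("signon", "pw1") == keys["signon"],
        "signon_opens_messages": ring.unlock("messages", "pw1") is not None,
        "signon_opens_wallet": ring.unlock("wallet", "pw1") is not None,
        "messages_opens_messages": ring.unlock("messages", passphrases["messages"]) == keys["messages"],
    }
```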