Single Signon by ITSELF is not a bad technology.  But it very much
depends on the architecture and implementation.  A Globally
Centralized SSO system like Passport certainly has problems as you
suggest.  A locally centralized SSO system like Kerberos is less
of an issue.  A Federated SSO system like Shibboleth is much better.

It all depends on your threat model.  Don't destroy SSO just because
some company decided to "do it wrong".

-derek

bear <[EMAIL PROTECTED]> writes:

> The widespread acceptance of something as obviously a bad idea as
> passport really bothers me.  I could see a "password manager" program
> to automate the process of password invalidation where you discovered
> a compromise; but the idea of putting everything you do online on the
> same password or credential is just...  stupid beyond belief.
> 
> Why are single-sign-on systems even legal to sell without warnings?
> Why don't Msoft and the other members of the "Liberty alliance" have
> to put a big warning label on them that says "USE OF THIS PRODUCT WILL
> DEGRADE YOUR SECURITY"?  Because that's what we're looking at here;
> drastically reduced security for very marginally enhanced convenience.
> 
> But what really gets me about this is that it's totally obvious that
> that's what we're looking at, and people are buying this system
> anyway.  That's hard to swallow, because even consumers ought not to
> be that stupid.  But it's even worse than that, because people who
> ought to know better (and people who *DO* know better, their own
> ethics and customers' best interests be damned) are even *DEVELOPING*
> for this system.  It just doesn't make any damn sense.
> 
>                       Bear
> 
> 
> 
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       [EMAIL PROTECTED]             www.ihtfp.com
