Comments on: SPTP: Decentralized Single Sign-On

By: Bas Westerbaan

Bas Westerbaan — Wed, 17 Aug 2005 20:18:41 +0000

The problem is how to implement it with HTTP and HTML when a client-side RSA computation is required. Javascript isn’t really an ideal language to do a RSA computation in. It would require activeX, flash or Java.. which isn’t really ‘complient’.

By: Bas Westerbaan

Bas Westerbaan — Wed, 17 Aug 2005 20:18:00 +0000

By: Shane Bauer

Shane Bauer — Tue, 16 Aug 2005 16:58:34 +0000

Ok. Well, fine. Just make it reliable enough so that people don’t have to ever worry about public and private keys.

By: Shane Bauer

Shane Bauer — Tue, 16 Aug 2005 16:58:00 +0000

Ok. Well, fine. Just make it reliable enough so that people don’t have to ever worry about public and private keys.

By: Bas Westerbaan

Bas Westerbaan — Tue, 16 Aug 2005 16:24:26 +0000

You don’t have that problem, when – as i suggested already – use public/private RSA-like keypairs and you just challenge someone with a random string that can only be decrypted by you (the owner of the private key). There wouldn’t be any login box required – as we know it.

By: Bas Westerbaan

Bas Westerbaan — Tue, 16 Aug 2005 16:24:00 +0000

By: Shane Bauer

Shane Bauer — Mon, 15 Aug 2005 20:52:13 +0000

Not a bad idea, I don’t think this would ever work, especially with the password problem.

The only way I could imagine this would work is that each “login” site only asked for a username (i.e shane@zefhemel.com). That single site could then parse out the server and redirect them to the profile host where the user then types in the password. If successful, the profile host sends a response back to the original site containing a confirmation ID and username. Then some sort of verification code would need to be executed to ensure the confirmation ID was legit.

Basically, it would work almost exactly like Passport, as login sites don’t actually work with the username/password, but without a centralized server.

Then you have to worry about login box cloaking and all sorts of other fraud activities.

By: Shane Bauer

Shane Bauer — Mon, 15 Aug 2005 20:52:00 +0000

Not a bad idea, I don’t think this would ever work, especially with the password problem.

Basically, it would work almost exactly like Passport, as login sites don’t actually work with the username/password, but without a centralized server.

Then you have to worry about login box cloaking and all sorts of other fraud activities.

By: Sam Gamyi

Sam Gamyi — Mon, 15 Aug 2005 08:55:25 +0000

Interesting idea. For the travelling password problem, maybe it would be good that the system generates a unique -random- password for every signup. So if forum “A” is unsecure and some script kiddie is able to know my password in this forum, that would be useless for gaining access to forum “B”, since the password would be different for that other forum. (Sorry for my bad english).

By: Sam Gamyi

Sam Gamyi — Mon, 15 Aug 2005 08:55:00 +0000

By: Bas Westerbaan

Bas Westerbaan — Sat, 13 Aug 2005 18:23:43 +0000

I guess that every user has their own username on the final application like a message board. But their identity would be a public key; and best would be combined with an username@keyserver, which is easier to work with.

By: Bas Westerbaan

Bas Westerbaan — Sat, 13 Aug 2005 18:23:00 +0000

By: Lewis

Lewis — Sat, 13 Aug 2005 17:37:46 +0000

What happens with clashing usernames? Surely people could just change data and get any username they want?

By: Lewis

Lewis — Sat, 13 Aug 2005 17:37:00 +0000

What happens with clashing usernames? Surely people could just change data and get any username they want?

By: Bas Westerbaan

Bas Westerbaan — Sat, 13 Aug 2005 17:02:57 +0000

It can be done way easier and way more secure:

Everyone should have their own RSA-like keypair. The only thing that has to be done to authenticate you is to challenge you to prove that you got the private key alongside the public one.

By: Bas Westerbaan

Bas Westerbaan — Sat, 13 Aug 2005 17:02:00 +0000

It can be done way easier and way more secure:

Everyone should have their own RSA-like keypair. The only thing that has to be done to authenticate you is to challenge you to prove that you got the private key alongside the public one.

By: David

David — Sat, 13 Aug 2005 16:25:43 +0000

Have you looked at OpenID and Lid yet?

By: David

David — Sat, 13 Aug 2005 16:25:00 +0000

Have you looked at OpenID and Lid yet?

By: Cow

Cow — Sat, 13 Aug 2005 15:54:46 +0000

Sounds very similar to Drupal’s distributed login.

By: Cow

Cow — Sat, 13 Aug 2005 15:54:00 +0000

Sounds very similar to Drupal’s distributed login.