Security
Can We Fix Federated Authentication? 65

Bruce Schneier writes in his blog of a "New paper by Ross Anderson: 'Can We Fix the Security Economics of Federated Authentication?': There has been much academic discussion of federated authentication, and quite some political maneuvering about 'e-ID.' The grand vision, which has been around for years in various forms but was recently articulated in the US National Strategy for Trustworthy Identities in Cyberspace (NSTIC)."
  • by Anonymous Coward on Tuesday March 29, 2011 @09:24AM (#35651916)

    The above seems to be a misunderstanding of what online identity is - just a practical way to verify a user on systems that need some verification. When universities collaborate on research projects, online identity becomes a practical problem. Each institution would like to be able to accept the identities verified by other collaborating institutions. They're agreeing to trust one another, essentially. That's where federated IDs come in.

    If College X recognizes the HPSD-12 ID of University Y, it can decide whether or not to allow University Y members into a collaboration site. That's all that's involved at a basic level, simple recognition of identity. Decisions about access levels can be made after identity is somehow established.

    Rules for access may be harder than establishing identity in some cases but identity needs to be established first - the easier, the better, even for folks with college degrees.
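The two-step flow described in this comment, a relying party first recognizing an identity vouched for by another institution and only then deciding on access, can be shown with a small relying-party model. This is an added example, not code from the original thread or from any federation product; the institution names, the key material, the assertion format and the site policy are all constructed here, and a per-issuer HMAC key stands in for the signing keys a real federation would distribute.

```python
import hashlib
import hmac
import json

# Constructed per-issuer keys. A real federation would hold each institution's
# signing public key; a shared HMAC secret is used here so the example runs offline.
TRUSTED_ISSUERS = {
    "university-y.example": b"constructed-key-university-y",
    "college-x.example": b"constructed-key-college-x",
}

# Constructed access policy for collaboration sites. Identity is established
# first; which issuers' members a site admits is a separate decision.
SITE_POLICY = {
    "genomics-collab": {"university-y.example", "college-x.example"},
    "college-x-internal": {"college-x.example"},
}


def issue_assertion(issuer, subject, key, now, ttl=300):
    """Institution `issuer` vouches that it verified `subject` (hypothetical format)."""
    payload = {"iss": issuer, "sub": subject, "iat": now, "exp": now + ttl}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_assertion(token, now):
    """Return (issuer, subject) if the assertion comes from a trusted issuer,
    is intact, and is within its validity window; otherwise None."""
    body, sep, tag = token.rpartition(".")
    if not sep:
        return None
    try:
        payload = json.loads(body)
    except ValueError:
        return None
    if not isinstance(payload, dict):
        return None
    issuer = payload.get("iss")
    key = TRUSTED_ISSUERS.get(issuer) if isinstance(issuer, str) else None
    if key is None:
        return None  # issuer is not in the federation's trust list
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # tampered body or forged tag
    if not (payload.get("iat", 0) <= now < payload.get("exp", 0)):
        return None  # expired or not yet valid
    return issuer, payload.get("sub")


def authorize(token, site, now):
    """Authentication first, then the site's own access rule."""
    identity = verify_assertion(token, now)
    if identity is None:
        return "denied: unauthenticated"
    issuer, subject = identity
    if issuer not in SITE_POLICY.get(site, set()):
        return "denied: issuer not permitted"
    return f"granted: {subject}@{issuer}"


if __name__ == "__main__":
    tok = issue_assertion("university-y.example", "alice",
                          TRUSTED_ISSUERS["university-y.example"], now=1000)
    print(authorize(tok, "genomics-collab", now=1100))
    print(authorize(tok, "college-x-internal", now=1100))
```

The relying party never checks Alice's password; it checks only that a trusted institution signed the assertion and that the assertion is fresh. An assertion from an issuer outside the trust list, a modified subject, or an expired token all fail at the identity step, while a valid identity can still be refused by a site whose policy does not admit that institution.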

  • by jd ( 1658 ) <imipak@yahoGINSBERGo.com minus poet> on Tuesday March 29, 2011 @12:00PM (#35653922) Homepage Journal

    I'll agree with the excessive trust. Mind you, banks persuaded the plebeians out there that a 4-digit PIN was secure, so I'm not terribly enthused as to their understanding of the issues.

    I'm not, however, convinced of the risks. If that were wholly true, Kerberos V would not be a leading sign-on mechanism for security-conscious organizations. (Once you are assigned a Kerberos ticket, you are authenticated on all machines that talk to the same Kerberos network.)

    Nor would SASL2 be as significant as it is. Shibboleth (which uses SASL2 as the underlying mechanism) wouldn't be a fairly mainstream tool on Internet2 - well, as far as you can call anything mainstream on Internet2...!

    The DoD uses a form of federated authentication in the form of smart cards that contain client-side digital certificates that act as authentication tokens on behalf of the users.

    Clearly there are situations where federated authentication works and works well (most of the time).
