I refuse to use Single Sign on

Story: Missing Code Challenge (Total Replies: 21)
tracyanne

Jul 13, 2008
3:07 PM EDT
No matter what its flavour, proprietary or Open
Sander_Marechal

Jul 13, 2008
3:15 PM EDT
I actually like the idea of OpenID in combination with Vendor Relationship Management. It puts your data under your control. OpenID is just one piece of the puzzle. Now we need a good VRM implementation.
thenixedreport

Jul 13, 2008
9:30 PM EDT
Actually, I'm with Tracyanne on this one. The problem with single sign-on is if your account gets compromised.....
TxtEdMacs

Jul 14, 2008
4:06 AM EDT
[See this with a serious tag]

Single sign on, makes sense only for access on a corporate site or entity when you have a contractual relationship with them. When you speak of a single account, that becomes a universal sign on would be too risky to use. Too many commercial sites are open to successful attack, one successful break in would mean not a few hundred thousand credit card numbers and some personal data open for reaping, but irreversible, permanent loss in too many areas. One account everywhere does not make sense at this time and perhaps never will. Unless we go completely authoritarian, with Big Brother watching everywhere and we have no choice.

Single sign on should allow you access to facilities, tools and information needed to perform your duties. However, it is also the method to exclude one from areas that are by policy beyond your ken in that corporate universe. In a sense the top guy could see everything, still dangerous since the CEO probably is long removed from being a practicing engineer, if s/he ever was one. More reasonably, the engineering staff must have access to their designs (even here, some projects may be excluded), design tools, manufacturing tests, etc. This is not a simple task, where subsets get to see the bigger picture, e.g. future product designs, assessments, etc.

I think the term single sign on has become another too popular term where too much energy is being expended in overheated air derived by hyperventilating punditry.

[tag change ...]

I suppose Congress could pass a law allowing the President-in-Chief to forgive all large corporations of past transgressions and previous security lapses. Moreover, it would be a good lesson in Personal Responsibility. Quit asking for Government to be your Daddy, when we are too busy paying debts to the hard working corporate leaders.

I just wonder who will come to their defense.
Bob_Robertson

Jul 14, 2008
5:26 AM EDT
> I suppose Congress could pass a law allowing the President-in-Chief to forgive all large corporations of past transgressions and previous security lapses.

He does. Presidential Pardon. Usually used for cronies and political embarrassments, but it's there.

The FISA bill that passed out of the Senate last week was one such, absolving the telecoms who have been passing the NSA their telephone and internet (is there a difference any more?) traffic without a warrant, retroactively, of any and all legal responsibility for their actions.

Now, what was it in that silly slip of paper, the Constitution, about ex-post-facto law? Never mind. That's irrelevant anyway.

DrDubious

Jul 14, 2008
6:32 AM EDT
OpenID's not that bad, actually. phpMyID is two files. Customize one with the settings you want and dump it on your own website. You can even do it multiple times at different URLs on the site if you want to use multiple different passwords. Once you set it up, the actual password never goes out across the wires.

The main advantage there (as I see it) is that then you have direct access to it (and if you suspect it's compromised, you can change it yourself - heck, watch the logs on your server and if you see someone hitting your OpenID URL when you're not logging into something you can DETECT potential compromise faster than waiting to see someone posting under your name).

I wouldn't necessarily use it for everything (and I'd definitely be hesitant to use it for, say, logging into my bank account until it's been in use and demonstrated that it resists compromise) but for things like authentication for blog comments and whatnot it seems ideal.
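DrDubious's log-watching idea, as an added Python example that is not code from the post or from phpMyID: it parses Apache combined-format access-log lines and flags requests to a self-hosted OpenID endpoint that fall outside windows when you yourself were logging in somewhere. The endpoint path, the sample log lines and the login times are constructed.

```python
import re
from datetime import datetime, timedelta

# Hypothetical path of a self-hosted OpenID endpoint (assumption).
OPENID_PATH = "/openid/"

# Apache "combined" log format; the timestamp is the stock %t layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return a dict for one access-log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], TS_FMT)  # timezone-aware
    return rec

def unexpected_openid_hits(lines, my_logins, window=timedelta(minutes=5)):
    """Flag hits on OPENID_PATH that are not within `window` of a login I performed.
    Returns (timestamp, client ip, referer) for each suspicious request."""
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(OPENID_PATH):
            continue
        if any(abs(rec["when"] - t) <= window for t in my_logins):
            continue  # this hit matches a login I know I made
        flagged.append((rec["when"].isoformat(), rec["ip"], rec["referer"]))
    return flagged

# Constructed sample: two hits during my own 09:50 login, one hit at 03:12 from
# an unfamiliar host with an unfamiliar referer, and one unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Jul/2008:09:50:12 +0000] "GET /openid/MyID.php?openid.mode=checkid_setup HTTP/1.1" 200 512 "http://blog.example/login" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Jul/2008:09:50:20 +0000] "POST /openid/MyID.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.77 - - [14/Jul/2008:03:12:44 +0000] "GET /openid/MyID.php?openid.mode=checkid_setup HTTP/1.1" 200 512 "http://forum.example/login" "curl/7.18"',
    '203.0.113.5 - - [14/Jul/2008:09:51:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
MY_LOGINS = [datetime.fromisoformat("2008-07-14T09:50:00+00:00")]
```

Running `unexpected_openid_hits(SAMPLE_LOG, MY_LOGINS)` returns only the 03:12 request from 198.51.100.77.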
gus3

Jul 14, 2008
9:52 AM EDT
@Bob:

"Ex post facto" only applies to making something a crime after the act was committed. See Calder v Bull (1798).
Bob_Robertson

Jul 14, 2008
10:13 AM EDT
> "Ex post facto" only applies to making something a crime after the act was committed. See Calder v Bull (1798).

Ok that makes more sense. Thanks. Brain freak. Must be this diet I'm on, I spend half the time a little dizzy from hunger.

Which suddenly reminds me of the Clinton retroactive tax increase. Right.
jezuch

Jul 14, 2008
12:09 PM EDT
I'll refrain from criticizing OpenID (as an example of single sign-on) because I don't know the technical details. I'm pretty sure that it's possible to make it cryptographically sound and hard to break by script kiddies (and easy to detect in case of) and I assume that its designers aren't naive and incompetent (and the algorithms went through the usual "many eyeballs" peer review). If I knew more maybe even I would start using it some day ;)
azerthoth

Jul 14, 2008
12:33 PM EDT
Reading comments is fun too, there is one there that stops just short of advocating making RFID implants mandatory for all human beings. I'm with TA on this one, single sign on is a deplorable idea, you are one password or forged cookie away from having your entire online, financial, and private life absolutely destroyed.

While I don't like having a multitude of usernames and passwords for work, and then a similarly large set for when I'm on my home systems doing business online, I prefer it over the alternatives. The windows warriors will still push for it though, even though it has proved a failure as a security concept already. Separation of privilege vs conglomeration of privilege, you decide.
Bob_Robertson

Jul 14, 2008
1:06 PM EDT
> While I don't like having a multitude of usernames and passwords for work, and then a similarly large set for when I'm on my home systems doing business online, I prefer it over the alternatives.

I'm quite pleased with Kwallet and such. A distributed answer to a distributed problem.
Sander_Marechal

Jul 14, 2008
1:28 PM EDT
> When you speak of a single account, that becomes a universal sign on would be too risky to use. Too many commercial sites are open to successful attack

Not a problem with VRM and zero-knowledge web apps. In such cases, the site that you're logging into doesn't even have your important data. It's in your VRM app. And whatever non-important data it does store is encrypted with your personal key. Not even the sysadmin that runs the webapp can get to it.

That's the great possibility of Single Sign On + VRM + Zero-knowledge web apps. Single Sign On all by itself is less useful. It's still great for e.g. blogs and public forums. No need to create dozens of new accounts just to post the odd comment or two. But I wouldn't trust e.g. my credit card details to it.

> I'll refrain from criticizing OpenID (as an example of single sign-on) because I don't know the technical details.

The main thing you need to know about OpenID is that you do not authenticate at the web application or blog that you're using. You sign into your own OpenID server and then your OpenID server tells the blog or webapp whether authentication is successful. It's not some central OpenID server that the hackers need to crack. They have to get into your own personal server. It's decentralized, just like e.g. Jabber is. And of course, the people who don't run their own servers can use a public server like the one offered by OpenID or various other providers.
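The step Sander describes, where your own OpenID server tells the blog whether authentication succeeded, as an added Python example that is not from the thread or from any OpenID library: the relying-party check of an OpenID 2.0 positive assertion, with the signature built the way section 6 of the spec lays it out (name:value lines over the signed fields, HMAC with the association key). The MAC key, URLs, nonce and handle are constructed.

```python
import base64
import hashlib
import hmac

def openid_signature(params, mac_key, algo=hashlib.sha1):
    """Build openid.sig: 'name:value\n' for each name in openid.signed (without the
    'openid.' prefix), HMAC the bytes with the association MAC key, base64 the digest."""
    names = params["openid.signed"].split(",")
    token = "".join(f"{n}:{params.get('openid.' + n, '')}\n" for n in names)
    mac = hmac.new(mac_key, token.encode("utf-8"), algo).digest()
    return base64.b64encode(mac).decode("ascii")

def verify_assertion(params, mac_key, expected_return_to, seen_nonces):
    """Relying-party check of a positive assertion from the user's own provider:
    mandatory fields are signed, return_to is ours, nonce is unused, HMAC matches."""
    if params.get("openid.mode") != "id_res":
        return False
    signed = set(params.get("openid.signed", "").split(","))
    required = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
    required |= {n for n in ("claimed_id", "identity") if "openid." + n in params}
    if not required <= signed or params.get("openid.return_to") != expected_return_to:
        return False
    nonce = params.get("openid.response_nonce", "")
    if nonce in seen_nonces:  # replayed assertion
        return False
    if not hmac.compare_digest(openid_signature(params, mac_key), params.get("openid.sig", "")):
        return False
    seen_nonces.add(nonce)  # only remember nonces that carried a valid signature
    return True

# Constructed exchange (assumption): alice.example is the user's own OpenID server,
# blog.example is the relying party, MAC_KEY came from an earlier association.
MAC_KEY = b"constructed-association-mac-key"
RETURN_TO = "http://blog.example/openid/return"
ASSERTION = {
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://alice.example/openid/",
    "openid.claimed_id": "https://alice.example/",
    "openid.identity": "https://alice.example/",
    "openid.return_to": RETURN_TO,
    "openid.response_nonce": "2008-07-14T17:28:00Zq7Xk",
    "openid.assoc_handle": "{HMAC-SHA1}{constructed}",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
}
ASSERTION["openid.sig"] = openid_signature(ASSERTION, MAC_KEY)  # what the provider sends
```

The blog only needs the association key and the fields the provider redirects back; the user's password never reaches it, which is the point Sander makes.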
phsolide

Jul 15, 2008
6:56 AM EDT
Single-sign-on is a crock.

It's my belief that "single sign on" gets pushed by folks with a vast ulterior motive. And that motive is "to be in charge". Only pedantic, control-freak gatekeepers push single sign on. As single-sign-on centralizes "ID", those in charge of the LDAP server (or whatever) naturally start to wield enormous power.

Once an organization implements single-sign-on, they find that the ID/password combos become so valuable that transport of them has to be via SSL (or something encrypted) that a "standard requirement" is that applications don't keep user IDs/passwords at all, the list is endless. Again, the central-ID-server people are In Charge, and dictate all kinds of weirdness. It's a Pedantic, Control-Freak Gatekeeper's Dream! Oh, my, yes!

Does it buy an organization any convenience? Maybe in the sense of "Moron users only have to remember 1 user ID/password for inside the company", but the use of "logins" just proliferates. Apps that didn't previously have a log-in, now have one, mostly because a central ID server exists.

Single-sign-on: leave me out. My Name is Legion.
Sander_Marechal

Jul 15, 2008
7:16 AM EDT
@phsolide: Did you read my post at all? OpenID is decentralized single sign-on. No gatekeeper holding all the keys. Just a standardized protocol.
phsolide

Jul 15, 2008
7:37 AM EDT
As a matter of fact, I did not read your post. My face is red, I'm embarrassed and please accept my apologies.

But that won't invalidate my comments about control-freakery and gatekeepers. Said pedantic control-freaks will find some reason to go with an expensive, proprietary, centralized solution. Because the goal is empire building. Single-sign-on is an excuse for World Domination.
Sander_Marechal

Jul 15, 2008
11:26 PM EDT
That's a problem with control freaks, not with single sign-on. Control freaks are everywhere.
Bob_Robertson

Jul 16, 2008
6:12 AM EDT
> Control freaks are everywhere.

Just turn on the news, in any country.
gus3

Jul 16, 2008
7:33 AM EDT
Not just on the news.

It's why I run Slackware (well, SLAMD64 now).
Bob_Robertson

Jul 16, 2008
11:00 AM EDT
Would "Linux From Scratch" be avoiding control freaks, or would it be demonstrating my own control-freak nature?

Hmmm.....

(embrace your inner freak!)
azerthoth

Jul 16, 2008
11:41 AM EDT
> (embrace your inner freak!)

No Comment.

*grin*
gus3

Jul 16, 2008
8:12 PM EDT
Gentoo. For times when Slackware is still not enough control.

(If Slackware is a manual-shift transmission, Gentoo is like opening the gear box and moving the gears around yourself. At 120 kph.)
azerthoth

Jul 16, 2008
10:00 PM EDT
Gentoo, Linux for the OCD. *grin*