Re: EU Privacy Authorities Seek Changes in Microsoft 'Passport'

2003-01-29 Thread Anton Stiglic

- Original Message -
From: bear [EMAIL PROTECTED]

[Talking about Microsoft Passport...]
> But it's even worse than that, because people who
> ought to know better (and people who *DO* know better, their own
> ethics and customers' best interests be damned) are even *DEVELOPING*
> for this system.  It just doesn't make any damn sense.

It does make some sense.  The more people who are developing the system
who know better, the more they may influence higher management.
I'm sure that you know that in a big company like Microsoft, it's not the
developer, architect or cryptographer that decides what is shipped out, but
managers who don't care about security but more about $.

The more security-conscious people who start working for Microsoft, the
better; they will have more power to influence the decisions of higher
management.  Microsoft has the most widely used software products, so it's a
good place for someone to try to influence good security practices.

If you are a security person or cryptographer, you can either decide to work
for some small company which has good security practices and where your
opinions are highly considered, but whose products are not widely spread, or
for a big company with widely spread products but which has bad security
practices, and try to change things (even though your opinions are less
considered).  In which case does the security person or cryptographer have
the most impact on the world of software security?

--Anton



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]



Re: EU Privacy Authorities Seek Changes in Microsoft 'Passport'

2003-01-28 Thread Derek Atkins
Single Signon by ITSELF is not a bad technology.  But it very much
depends on the architecture and implementation.  A Globally
Centralized SSO system like Passport certainly has problems as you
suggest.  A locally centralized SSO system like Kerberos is less
of an issue.  A Federated SSO system like Shibboleth is much better.

It all depends on your threat model.  Don't destroy SSO just because
some company decided to do it wrong.

-derek

bear [EMAIL PROTECTED] writes:

> The widespread acceptance of something as obviously a bad idea as
> passport really bothers me.  I could see a password manager program
> to automate the process of password invalidation where you discovered
> a compromise; but the idea of putting everything you do online on the
> same password or credential is just...  stupid beyond belief.
>
> Why are single-sign-on systems even legal to sell without warnings?
> Why don't Msoft and the other members of the Liberty alliance have
> to put a big warning label on them that says USE OF THIS PRODUCT WILL
> DEGRADE YOUR SECURITY?  Because that's what we're looking at here;
> drastically reduced security for very marginally enhanced convenience.
>
> But what really gets me about this is that it's totally obvious that
> that's what we're looking at, and people are buying this system
> anyway.  That's hard to swallow, because even consumers ought not to
> be that stupid.  But it's even worse than that, because people who
> ought to know better (and people who *DO* know better, their own
> ethics and customers' best interests be damned) are even *DEVELOPING*
> for this system.  It just doesn't make any damn sense.
>
>   Bear

-- 
   Derek Atkins
   Computer and Internet Security Consultant
   [EMAIL PROTECTED] www.ihtfp.com




Re: EU Privacy Authorities Seek Changes in Microsoft 'Passport'

2003-01-28 Thread Rich Salz
> The Liberty Alliance was stillborn to begin with. Not that it made any
> practical difference, but the Liberty Alliance received an additional
> bullet through the head the day that RSA Security, a key participant in
> the Liberty Alliance, announced that they would also support Microsoft
> Passport.


{I'm not on DBS so they won't see this.}

I wasn't discussing the politics, just the architecture.  But anyway:
if Liberty does manage to field something run by the CCard companies,
then it will survive, and probably win.  MSFT will have to accede to
what Visa and MC deploy.
	/r$






RE: EU Privacy Authorities Seek Changes in Microsoft 'Passport'

2003-01-28 Thread Lucky Green
Rich Salz wrote:
> Liberty is architected to be federated, unlike Passport.

The Liberty Alliance was stillborn to begin with. Not that it made any
practical difference, but the Liberty Alliance received an additional
bullet through the head the day that RSA Security, a key participant in
the Liberty Alliance, announced that they would also support Microsoft
Passport.

--Lucky





Re: EU Privacy Authorities Seek Changes in Microsoft 'Passport'

2003-01-27 Thread bear


The widespread acceptance of something as obviously a bad idea as
passport really bothers me.  I could see a password manager program
to automate the process of password invalidation where you discovered
a compromise; but the idea of putting everything you do online on the
same password or credential is just...  stupid beyond belief.

Why are single-sign-on systems even legal to sell without warnings?
Why don't Msoft and the other members of the Liberty alliance have
to put a big warning label on them that says USE OF THIS PRODUCT WILL
DEGRADE YOUR SECURITY?  Because that's what we're looking at here;
drastically reduced security for very marginally enhanced convenience.

But what really gets me about this is that it's totally obvious that
that's what we're looking at, and people are buying this system
anyway.  That's hard to swallow, because even consumers ought not to
be that stupid.  But it's even worse than that, because people who
ought to know better (and people who *DO* know better, their own
ethics and customers' best interests be damned) are even *DEVELOPING*
for this system.  It just doesn't make any damn sense.

Bear






Re: EU Privacy Authorities Seek Changes in Microsoft 'Passport'

2003-01-27 Thread Rich Salz
> but the idea of putting everything you do online on the
> same password or credential is just...  stupid beyond belief.


Liberty is architected to be federated, unlike Passport.

	/r$

