On Sun, Oct 12, 2008 at 7:39 AM, Ben Laurie <[EMAIL PROTECTED]> wrote: > > One argument that I > have increasing sympathy with is that SSO (or if you want to be modern, > federated login)
Federated identity is the fancy modern term for cross-domain SSO. > Obviously the end game here is that the user only has to protect his > login to a small number of sites - i.e. those that provide the IdP. Once > we get there, perhaps users can be persuaded to authenticate to those > sites using something stronger than username/password. I think this is putting the cart before the horse. Today I don't see many IdPs (OpenID, SAML, or otherwise) that support more than username/password. Until that happens, the relying party will continue to maintain its own username/passwords since there's little incentive to federate. > A sidenote that provides me with some amusement: although the modern > trend is towards using OpenID, no-one wants to use it in the mode it is > designed for, i.e. where the user can pick any old IdP and the RP will > just trust it. In practice where we seem to be headed is that RPs will > trust some smallish number of trusted IdPs. This is, of course, exactly > what the Liberty guys have been working on all along. I predict that > over time, most of the elements of Liberty will be incorporated into OpenID. I mostly agree with this observation, but I'd replace the word "Liberty" with "SAML" throughout the above paragraph. The Liberty Identity Federation Framework (ID-FF) was donated to the OASIS Security Services Technical Committee in late 2003. This gave rise to SAML V2.0 in March 2005. For all practical purposes, Liberty ID-FF is dead. If RPs end up trusting a small number of IdPs, then there is much to be gained (obviously) by being one of those IdPs. Thus there are strong forces at work to *prevent* federated identity from taking hold since everyone is competing to be one of those IdPs. I wonder what it will take to break the log-jam that holds back the anticipated rise of federated identity? > Which makes me think that if Liberty had done what it claimed to be > doing when it started, i.e. be a community-based, open-source-friendly > protocol suite, it would have worked much better. I'm not sure I follow that line of reasoning. Are you referring to Liberty the specification or Liberty the implementation? In any event, it is better to talk about SAML, not Liberty, since the latter is history with respect to browser-based federated identity. I agree with you that the goal is to replace username/password with something stronger, but evidently neither OpenID nor SAML are helping us get there. I still have some hope that information cards will make a dent in this problem, but who knows. Tom --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]