At 02:28 PM 10/7/2001 +0100, you wrote:
>OK, this has turned into a rant, for which I apologise, but a rant it will
>be. I see this all the time: developers sacrificing usability for security,
>in the mistaken belief that black hats will tear people to pieces unless
>it's 100% impenetrable. Not true. At the end of the day, SSI is about
>convenience. I'd like to use one password to sign in to all my websites and
>yes in the future FTP servers and other things too. I'd like to type in my
>username and password once, and then for the network to remember all this
>and not prompt me again. This opens the system up to abuse of course, even
>if it's just my little brother sitting down at the keyboard while I'm out of
>the room and looking at my eGroups preferences. But I'm willing to accept
>less security for more convenience, and many other people are too. It's a
>compromise at the end of the day between the ultra-tight security of
>Kerberos and a real world implementation that's easy to use and develop for.
>I stick by it.
Hoorah! I also agree that convenience and ease of use are just as important as "security" when designing real world systems (except when working for the NSA or other places where they can expect you to go through the extra hassles of "solid security"). The trick really is to balance the two forces... hopefully allowing users the ability to adjust how secure they need to be (but even that introduces complexity and so may not be desirable).

I have been thinking that perhaps we should look at jabber security (and SSO) in a different light. Right now, sign-on is equivalent to unlocking the gates. Once inside, we have unlimited access to whatever we're authorized to do. It is all or nothing and you have to unlock the gate to do anything.

But signing on to a Jabber server really isn't that big a deal. So you use up a connection on the server. Is that really that important? And what about updating presence. Is it that disastrous that someone can overcome your sign-on and make it look like you're online? For most the answer is no. So perhaps it should be simple simple simple to sign on, update presence, and send/read "insecure" messages. Like web browsing. It should be a little more difficult to read and send secure messages (confidentiality and nonrepudiation (signatures)... where most people are concerned about security). And it should be hard to break in (and a little more work to use) "really secure" things like digital wallets when we have that on jabber.

This seems to suggest a "key ring" with various keys (credentials) and differing levels of security. Name and password say to sign on once (this is not that valuable a sign-on but is universal and simple... SSO). Then the client must use a separate key (perhaps requiring another passphrase) to decrypt/encrypt "secure messages". Finally, a separate passphrase and separate security system to transact financial exchange... I wonder if it is practical.
-iain

jdev mailing list http://mailman.jabber.org/listinfo/jdev
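The tiered "key ring" sketched in the message above, as an added Python example that is not code from the original thread or from any Jabber project: each tier (sign-on, secure messaging, wallet) has its own passphrase and its own salt, is unlocked separately, and an operation is only permitted when the tier it needs is currently unlocked. The tier names, the constructed salts, the operation-to-tier table and the use of the tier key to MAC the operation are my assumptions for illustration.

```python
import hashlib
import hmac
from enum import IntEnum


class Tier(IntEnum):
    SIGN_ON = 1      # sign-on, presence, "insecure" messages (name + password)
    SECURE_MSG = 2   # confidentiality / signatures (separate passphrase)
    FINANCIAL = 3    # digital wallet (third passphrase, separate system)


# Constructed per-tier salts; a real deployment stores a random salt per user per tier.
TIER_SALTS = {
    Tier.SIGN_ON: b"constructed-salt-signon",
    Tier.SECURE_MSG: b"constructed-salt-secure",
    Tier.FINANCIAL: b"constructed-salt-wallet",
}

# Which tier each operation requires (the levels proposed in the message).
REQUIRED_TIER = {
    "sign_on": Tier.SIGN_ON,
    "update_presence": Tier.SIGN_ON,
    "send_message": Tier.SIGN_ON,
    "send_secure_message": Tier.SECURE_MSG,
    "sign_message": Tier.SECURE_MSG,
    "pay": Tier.FINANCIAL,
}


def derive_key(tier: Tier, passphrase: str) -> bytes:
    """Derive an independent 32-byte key per tier with scrypt. Separate salts and
    passphrases mean the sign-on password never yields the secure-message or wallet key."""
    return hashlib.scrypt(passphrase.encode(), salt=TIER_SALTS[tier], n=2**14, r=8, p=1, dklen=32)


class KeyRing:
    def __init__(self) -> None:
        self._keys: dict = {}  # tier -> derived key, present only while that tier is unlocked

    def unlock(self, tier: Tier, passphrase: str) -> None:
        self._keys[tier] = derive_key(tier, passphrase)

    def lock(self, tier: Tier) -> None:
        self._keys.pop(tier, None)  # drop the key; a higher tier never stays open by accident

    def unlocked(self, tier: Tier) -> bool:
        return tier in self._keys

    def allowed(self, operation: str) -> bool:
        return REQUIRED_TIER[operation] in self._keys  # strictly per tier, no implied unlock

    def perform(self, operation: str) -> str:
        if not self.allowed(operation):
            raise PermissionError(f"{operation} needs tier {REQUIRED_TIER[operation].name}")
        # Bind the operation to its tier's key (e.g. as an authenticator sent to the server).
        return hmac.new(self._keys[REQUIRED_TIER[operation]], operation.encode(), "sha256").hexdigest()
```

Unlocking only `Tier.SIGN_ON` lets the client sign on and update presence but refuses `send_secure_message` and `pay` until their own passphrases are supplied.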
