Re: Cross logins
James A. Donald wrote:
> --
> Is it possible for two web sites to arrange for cross
> logins?
>
> The goal is that if someone is logged into website
> https://A.com as user127, and then browses to
> https://B.com/A_com_registrants, he will be
> automatically logged in on b.com as [EMAIL PROTECTED]

project athena was being funded to the tune of $50m split between dec and ibm. my wife and I got to go by periodically and review their projects. on one of the visits we were on the leading edge of working out the details of kerberos cross-domain operation. in the following years ... it turns out that the protocol wasn't the big issue ... it was establishing the business trust between two independent organizations (not the protocol issues) ... random past kerberos posts
http://www.garlic.com/~lynn/subpubkey.html#kerberos

however, maybe two years ago, i saw a presentation on a saml cross-domain deployment ... that went into some details on the message flows. I happened to observe that the basic message flows looked exactly like the kerberos cross-domain message flows (dating back to start of kerberos cross-domain). first, the person doing the presentation was surprised that anybody in the audience had ever heard of kerberos ... and then they finally allowed that there might just be a limited number of ways of doing cross-domain operation.

saml reference:
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Cross logins
-- James A. Donald
> > Is it possible for two web sites to arrange for
> > cross logins?

Steve Furlong
> Does this question have a practical end in mind? If
> so, can you simplify matters by running both web sites
> on the same host?

The situation envisaged is that A.com is known to B.com, and trusted by them, but B.com is unknown to A.com.

The context is that I observe in existing internet currencies a lot of remarkably clumsy procedures to verify that X is the rightful account holder of account Y. Typically the web site that you are trying to register with will make a microspend to your account, and you then have to demonstrate knowledge of that microspend.

It is apparent that tools to facilitate transactions need to be integrated with nym management software and reputation management software. This was discussed long ago, back in the days of the extropian list, even before the cypherpunks list, but though a decade has passed, such an integrated tool set does not yet exist.

--digsig
James A. Donald
Re: Cross logins
Rich Salz wrote:
> > Is it possible for two web sites to arrange for cross logins?
> Check out SAML, esp the browser artifact profile.

Check out Passel, which lacks the complexity of SAML:
http://www.passel.org/

Peter
Re: Cross logins
* James A. Donald:
> Is it possible for two web sites to arrange for cross
> logins?

SXIP is a relatively open effort in that direction. The rootsite seems to be proprietary, though.
Re: Cross logins
On 8/3/05, James A. Donald <[EMAIL PROTECTED]> wrote:
> --
> Is it possible for two web sites to arrange for cross
> logins?
<>

Does this question have a practical end in mind? If so, can you simplify matters by running both web sites on the same host?

(cc-ing JAD because I never see any responses to messages sent from my GMail acct. I don't know if the GMail traffic is making it to the list.)

--
There are no bad teachers, only defective children.
Re: Cross logins
On Wed, 3 Aug 2005, James A. Donald wrote:
> Is it possible for two web sites to arrange for cross logins?

Not only possible but standardized, in production, with multiple interoperable vendor and open source implementations. You may even have used it (ie, SAML) already via some service.
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security

There are also many many proposals (eg SXIP, LID, passel, openID) to do similar things in a less spec-intensive fashion.

- RL "Bob"
Re: Cross logins
> Is it possible for two web sites to arrange for cross
> logins?

Check out SAML, esp the browser artifact profile.

/r$

--
Rich Salz
Chief Security Architect
DataPower Technology
http://www.datapower.com
XS40 XML Security Gateway
http://www.datapower.com/products/xs40.html
Re: Cross logins
On Wed, Aug 03, 2005 at 03:15:00PM -0700, James A. Donald wrote:
> --
> Is it possible for two web sites to arrange for cross
> logins?
>
> The goal is that if someone is logged into website
> https://A.com as user127, and then browses to
> https://B.com/A_com_registrants, he will be
> automatically logged in on b.com as [EMAIL PROTECTED]
>

This requires B to trust A, and trust requires a shared key or equivalently a trusted introducer. Given a shared key, A is able to sign (shared secret HMAC, public/private keys or signed Kerberos message) assertions about the user for B's consumption. The signature can be in a referral URL.

http://A.com/federated_login.cgi?d=B.com&user=user127&expiration=epochtime&signature=&url=...

Absent a valid cookie for a B session, B redirects the user to A's federated login generator page (passing B's name and the url the user wanted), and A redirects the user back to B's federated login verification page passing back the authentication data and the original url, so the user is taken to the right place after the credentials are verified.

--
    /"\   ASCII RIBBON                        NOTICE: If received in error,
    \ /   CAMPAIGN       Victor Duchovni      please destroy and notify
     X    AGAINST        IT Security,         sender. Sender does not waive
    / \   HTML MAIL      Morgan Stanley       confidentiality or privilege,
                                              and use is prohibited.
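The signed-referral scheme Victor sketches above, worked through as an added Python example (not code from the post or from any list member): A builds the referral URL with an HMAC over the fields, and B checks audience, expiry and signature before accepting the asserted user. The verification page path on B, SHA-256 as the HMAC hash, the fixed field order and the key value are my assumptions.

```python
import hmac
import hashlib
import time
from urllib.parse import urlencode, parse_qs, urlsplit

# Key shared out of band between A.com and B.com (constructed demo value).
SHARED_KEY = b"constructed-demo-key-shared-by-A-and-B"


def canonical_query(dest, user, expiration, url):
    """Fixed field order: both sides must MAC exactly the same bytes."""
    return urlencode([("d", dest), ("user", user),
                      ("expiration", str(expiration)), ("url", url)])


def make_referral(key, dest, user, url, ttl=300, now=None):
    """A's federated login generator: a URL to B's verification page
    (path assumed) carrying a signed assertion that expires after ttl."""
    now = int(time.time()) if now is None else now
    query = canonical_query(dest, user, now + ttl, url)
    sig = hmac.new(key, query.encode(), hashlib.sha256).hexdigest()
    return "https://%s/federated_login_verify?%s&signature=%s" % (dest, query, sig)


def verify_referral(key, my_name, referral_url, now=None):
    """B's verification page: returns (user, url) for a valid assertion,
    else None. Checks audience (d == B), expiry and the HMAC."""
    now = int(time.time()) if now is None else now
    q = parse_qs(urlsplit(referral_url).query, keep_blank_values=True)
    try:
        dest, user, url = q["d"][0], q["user"][0], q["url"][0]
        expiration, sig = int(q["expiration"][0]), q["signature"][0]
    except (KeyError, ValueError):
        return None
    if dest != my_name or expiration <= now:
        return None  # meant for another site, or stale
    expected = hmac.new(key, canonical_query(dest, user, expiration, url).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # tampered fields or wrong key
    # Caveat beyond the post: within ttl the same URL verifies again, so B
    # should also record seen signatures (or A add a nonce) for one-time use.
    return user, url


if __name__ == "__main__":
    ref = make_referral(SHARED_KEY, "B.com", "user127",
                        "https://B.com/A_com_registrants")
    print(ref)
    print(verify_referral(SHARED_KEY, "B.com", ref))
```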