Posted 8:39 AM (0) comments

Google-oops

A big tip o'the hat to Kim Cameron who today points out a security white paper from US-CERT describing an incredibly bad - and incredibly naive - security vulnerability in Google's SSO implementation.

The kicker isn't that there is a vulnerability, but, as Kim says, "the surprising fact is that the errors made are incredibly basic."

The Google wunderkind evidently ignored major parts of the SAML spec (while claiming to be SAML compliant) leaving the SSO completely open to the most basic insider attack. More incredibly, they extended this vulnerability to third parties so that their insiders could get in on the attack!

Gogle just turned ten, but it's thinking is more like that of a 17-year-old, one who knows what they want to do and can't be bothered to cross all the t's and dot all the i's in their head-long rush for personal fulfillment. They also think they'll live forever, and that they discovered sex (drugs, rock & roll, whatever). It's a very dangerous age but - if they survive it - they may go on to do great things. My hope is that the rest of us survive it, also.

Labels: Google, SSO

Posted 9:32 AM (0) comments

"We have met the enemy..."

OpenID's leading lights appear to be down on the technology, it seems. After last week's note about Dick Hardt's seemingly wistful look at OpenID ("...one wonders if the identity opportunities of OpenID have passed.") comes today's note from Scott Kveton (chair of the OpenID Foundation board). Reacting to a Randy Stross' New York Times piece highly critical of OpenID, Kveton says: "The OpenID community has identified two key issues it needs to address in 2008 that Randy mentioned in his column; security and usability."

If usability is bad (and the discussions on the OpenID email discussion lists support that notion), and security is a problem - what, exactly, does it have going for it?

Is it, perhaps, time for the leading lights to move on to a user-centered technology which does show promise of being an identity provider that is very usable and also quite secure? As Mr. McGuire might have said to Ben in The Graduate:

Mr. McGuire: I just want to say one word to you - just one word.
Ben: Yes sir.
Mr. McGuire: Are you listening?
Ben: Yes I am.
Mr. McGuire: 'Zermatt.'
Ben: Exactly how do you mean?
Mr. McGuire: There's a great future in Zermatt.
Think about it.
Will you think about it?
Ben: Yes I will.
Mr. McGuire:> Shh! Enough said. That's a deal.

Or, as Eddie said to Saffie: Just put me through to Zermatt!

Labels: cardspace, digital identity, Microsoft, open source, openid, SSO, user centric

Posted 10:36 AM (0) comments

SSO - the South Park version

Leigh Dodds, the CTO at Ingenta, presented a great slide deck at the June meeting of the Society for Scholarly Publishing (SSP) meeting in San Francisco. And I thought those guys were dull! But anyone who can cover Shiboleth, OpenID and Cartman in a 25 slide tour-de-force can't be called dull!

Labels: humor, SSO

Posted 8:24 AM (0) comments

OSSSO

Rakesh has posted a thorough listing of open source Simplified Signon (SSO) systems, projects and tools ( Open Source Identity Systems for SSO) - well worth noting, reviewing and implementing.

Labels: open source, SSO