IdentitySelector
|
Size: 2995
Comment: http://www.bandit-project.org/index.php/Reference_Application
|
Size: 3477
Comment: See http://openliberty.org/wiki/index.php/RelatedProjects
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 16: | Line 16: |
| one, provided by a phisherman. | one, provided by a phisherman. Various [http://www.schneier.com/blog/archives/2005/07/security_skins.html security skin] approaches can help. |
| Line 20: | Line 21: |
| For more information about CardSpace (nee InfoCard), a real good place to start is | For more information about the CardSpace Identity Selector and the InfoCard Identity Metasystem, a real good place to start is |
| Line 22: | Line 23: |
See [http://spwiki.editme.com/InteroperabilitySpace Interoperability Space] at the [http://spwiki.editme.com spwiki] run by [http://socialphysics.org SocialPhysics] for how CardSpace, Higgins, XMLDAP and Ian Brown's Mac OSX Card Selector might fit together. See http://openliberty.org/wiki/index.php/RelatedProjects for other related projects. |
|
| Line 32: | Line 41: |
| There is already a Firefox plugin to do this. But implementing this purely in an application like a browser leaves the user's identity information more vulnerable, and the user more confused about when it is ok to type in their password. | Implementing this purely in an application like a browser leaves the user's identity information more vulnerable, and the user more confused about when it is ok to type in their password. |
| Line 46: | Line 55: |
| Card Store to store a user's cards; a log ala the Microsoft "Ledger" that tracks a user's usage of cards at various sites/services; and a Self-Issued Identity Security Token Service (STS) that can be an identity provider for self-issued cards. | Card Store to manage a user's cards; a log ala the Microsoft "Ledger" that tracks a user's usage of cards at various sites/services; and a Self-Issued Identity Security Token Service (STS) that can be an identity provider for self-issued cards. |
| Line 58: | Line 67: |
| is OSIS - Open Source Identity Selector, which | is Higgins, which |
| Line 62: | Line 71: |
See also OSIS - Open Source Identity Selector |
Launchpad Entry: https://launchpad.net/distros/ubuntu/+spec/identity-selector
Created: Date(2006-11-04T15:30:00Z) by NealMcBurnett
Contributors: EricNorman
Packages affected:
Summary
Identity metasystems are finally beginning to mature, based on growing support for "Laws of Identity" (see reference below or [http://www.identityblog.com/?page_id=352]) and frustration with the problems of userid/password authentication.
To guard against phishing, the identity selection should incorporate a clear and unmistakable signal to the user that she is indeed talking with her own identity selector and not something that just looks like one, provided by a phisherman. Various [http://www.schneier.com/blog/archives/2005/07/security_skins.html security skin] approaches can help.
References
For more information about the CardSpace Identity Selector and the InfoCard Identity Metasystem, a real good place to start is [http://www.identityblog.com] (documents on left side).
See [http://spwiki.editme.com/InteroperabilitySpace Interoperability Space] at the [http://spwiki.editme.com spwiki] run by [http://socialphysics.org SocialPhysics] for how CardSpace, Higgins, XMLDAP and Ian Brown's Mac OSX Card Selector might fit together.
See http://openliberty.org/wiki/index.php/RelatedProjects for other related projects.
See also the July 2006 Linux Journal article by Doc Searls: [http://www.linuxjournal.com/article/9049 Progress Report toward Independent Identity]
Rationale
Providing a user interface which makes it clear to the user that they are interacting directly with a layer of the operating system that is more resistant to attack than the browser or other application would increase user confidence and reduce phishing attacks.
Implementing this purely in an application like a browser leaves the user's identity information more vulnerable, and the user more confused about when it is ok to type in their password.
We will also want to enable more flexible and secure authentication methods for many networked activities besides traditional browsing.
Use cases
Scope
This spec is focussed on the client side.
Besides an Identity Selector, other Ubuntu specs are needed for other InfoCard support services. E.g. probably a Card Store to manage a user's cards; a log ala the Microsoft "Ledger" that tracks a user's usage of cards at various sites/services; and a Self-Issued Identity Security Token Service (STS) that can be an identity provider for self-issued cards.
Support for the server side (Relying Parties) and for Identity Provider implementations will come through applications such as Apache.
Design
The Identity Selector would probably consist of a protected user interface, and a protocol module to get tokens via interactions with Security Token Services.
Implementation
One promising code base is Higgins, which intends to be at least as functional, and fully compatible, with Microsoft's CardSpace (formerly known as InfoCard) identity selector that will be shipped with Windows Vista.
See also OSIS - Open Source Identity Selector
There is also the [http://www.bandit-project.org/index.php/Reference_Application Bandit reference application]
See also
IdentitySelector (last edited 2008-08-06 16:35:43 by localhost)