[10424] in cryptography@c2.net mail archive
SSO (was Re: biometrics)
daemon@ATHENA.MIT.EDU (Marc Branchaud)
Thu Feb 7 14:33:17 2002
Message-ID: <3C62CDC9.995DD2F7@rsasecurity.com>
Date: Thu, 07 Feb 2002 10:56:09 -0800
From: Marc Branchaud <marcnarc@rsasecurity.com>
MIME-Version: 1.0
To: Cryptography Mailing List <cryptography@wasabisystems.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Dan Geer wrote:
>
>
> > In the article they repeat the recommendation that you never
> > use/register the same shared-secret in different domains
>
> Compare and contrast, please, with the market's overwhelming
> desire for single-sign-on (SSO). Put differently, would the
> actual emergence of an actual SSO signal a market failure by
> the above analysis?
In most SSO schemes, the password is only used to authenticate to a single
domain, and (a token attesting to) the fact that the authentication succeeded
is passed around to other domains. The authenticating domain is typically
akin to the user's "home" domain (as opposed to the user just logging into
some arbitrary domain) so the password isn't widely shared. Most of these
schemes are web-based, and users that first surf to a non-home domain are
redirected (as transparently as possible) to their local domain for
authentication, and something like an authentication "ticket" is encoded in a
cookie or in a return-redirecting URL.
M.
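A minimal version of the redirect-and-ticket flow described above, as an added example that is not part of the original post: the home domain checks the password locally and mints a ticket bound to one relying domain and an expiry, then sends the browser back on a return URL; the relying domain verifies the ticket with the key it alone shares with the home domain. The domain names and keys are constructed for the example.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed keys: the home domain holds one per relying domain, and each
# relying domain holds only its own. The user's password never leaves home.
RELYING_KEYS = {
    "shop.example": b"constructed-key-shared-with-shop",
    "mail.example": b"constructed-key-shared-with-mail",
}

def _mac(key: bytes, payload: str) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def issue_ticket(user: str, audience: str, now: int, ttl: int = 300) -> str:
    """Home domain: call only after the password was checked locally. The
    ticket names the user, the single relying domain it is for, and an expiry."""
    claims = {"sub": user, "aud": audience, "exp": now + ttl}
    payload = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    return payload + "." + _mac(RELYING_KEYS[audience], payload)

def build_return_url(return_to: str, ticket: str) -> str:
    """Home domain redirects the browser back to the relying domain with the
    ticket in the query string (the 'return-redirecting URL' variant)."""
    return return_to + "?" + urlencode({"ticket": ticket})

def ticket_from_url(url: str) -> str:
    """Relying domain: pull the ticket back out of the incoming redirect."""
    return parse_qs(urlparse(url).query).get("ticket", [""])[0]

def verify_ticket(ticket: str, my_domain: str, now: int):
    """Relying domain: accept only if the MAC (under its own key), the audience
    and the expiry all hold. Returns the user name, or None on any failure."""
    payload, sep, mac = ticket.rpartition(".")
    if not sep:
        return None
    if not hmac.compare_digest(mac, _mac(RELYING_KEYS[my_domain], payload)):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims.get("aud") != my_domain or claims.get("exp", 0) <= now:
        return None
    return claims["sub"]
```

Binding the ticket to a single audience and a short lifetime is what stops a ticket issued for one domain from being replayed at another, which is the SSO analogue of not reusing one shared secret across domains.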
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com