Re: [Auth](AIS and the) (July 15 2002) meeting of DotGNU dg-auth-wag
From: david nicol
Subject: Re: [Auth](AIS and the) (July 15 2002) meeting of DotGNU dg-auth-wag
Date: Sun, 21 Jul 2002 22:52:08 -0500
"Mario D. Santana" wrote:
>
> The logs are now also available at the dog-auth-wag site:
>
> http://www.freesoftware.fsf.org/dg-authwg/logs/
>
> Enjoy.
>
> mds
Reading the July 15 log modulo the question of how would AIS fit in?
I identify two main issues: ROI and attitude towards MS.
ROI can be provided to the implementor of an AIS service at least two ways besides simplifying distribution of internal function through having a SSO.
-> more mindshare for the participants in the service, for instance if freshmeat sets up an AIS service, and others use it, then freshmeat gets more eyeballs on its login page
-> charge a subscription to operators of webservices that want to outsource their SSO to you. The AIS draft spec includes overloading the "agent" header as an AIS client identifier/community string. Since that info is only visible between AIS client and AIS server, never traversing the user's wire at all, it is safe from sniffing (or can be hidden under TLS too -- installing mini-httpd towards setting this up When I Get To It)
Feeling like the second is non-obvious and possibly warrants patenting, if only for the vanity. Anyone feel like helping write the patent app and chipping in to help defray the app fee? Or are we all in the patents-are-evil-so-don't camp?
Regarding MS Passport:
I feel that Passport can be ignored besides mentioning it as an example of an alternate implementation of general-purpose SSO. A Passport->AIS gateway would be trivial to set up on the AIS side: Passport would stand in as the server's authentication method.
A central AIS repeater, which would be a hard AIS that checks several popular soft AISes and returns the first good identity it finds for you, should IMO include a Passport module along with checking against the potential AIS services at savannah and yahoo and freshmeat and /. and pay2send etc etc.
Validating the various auth authorities is a political issue beyond the scope of a technical specification. But certainly within the scope IMO of this mailing list.
Thanks for reading
David Nicol
--
what would Egil Skallagrimson do?