Friday, January 10, 2003


New Architect: A Question of Identity - Passport, Liberty, and the single sign-on race

"The Liberty Alliance argues that the problem with using Kerberos for interoperability is that it requires a middleman, a Kerberos Distribution Center server, to hand out "ticket-generating tickets." Kerberos also doesn't allow for the distinction between authentication tickets and authorization tickets; in other words, the difference between verifying your identity and verifying what actions your identity can perform.

Rather than Kerberos, Liberty relies on the Security Assertion Markup Language (SAML), an OASIS specification for exchanging authentication and authorization data using XML." [new architect]

Clearly, unless an application can determine what permissions to grant any user agent (web browser or other), the potential for security breaches and fraudulent transactions is unacceptable for all but the most low-value activities.
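As an added example (not code from the New Architect article or this post), here is how a relying party might act on that distinction when consuming a SAML 1.x-style assertion: the authentication statement establishes who the user is, but the application grants the action only when a separate authorization decision permits it. The sample assertion, issuer and resource URIs are constructed, and XML-Signature verification is assumed to happen before this check runs.

```python
# Added illustration: a relying party separating "who is this?" from
# "what may they do?" in a constructed SAML 1.x-style assertion.
# Element names follow SAML 1.x; issuer/resource values are constructed.
# Signature verification is assumed to be done by an XML-DSig library first.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
TRUSTED_ISSUERS = {"https://idp.example.org"}  # constructed trust list

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    Issuer="https://idp.example.org">
  <saml:Conditions NotBefore="2003-01-10T02:30:00Z" NotOnOrAfter="2003-01-10T02:45:00Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AuthorizationDecisionStatement Resource="https://shop.example.com/orders" Decision="Permit">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    <saml:Action>read</saml:Action>
  </saml:AuthorizationDecisionStatement>
</saml:Assertion>"""

def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def authorize(assertion_xml, resource, action, now_iso):
    """Return (subject, permitted). A valid login alone gives permitted=False."""
    now = _utc(now_iso)
    root = ET.fromstring(assertion_xml)
    if root.get("Issuer") not in TRUSTED_ISSUERS:
        raise ValueError("untrusted issuer")
    cond = root.find("saml:Conditions", NS)
    if not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    authn = root.find("saml:AuthenticationStatement", NS)
    if authn is None:
        raise ValueError("no authentication statement: identity not verified")
    subject = authn.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS)
    # Authorization is a separate question: require an explicit Permit for
    # this subject, resource and action. Anything else is treated as deny.
    for dec in root.findall("saml:AuthorizationDecisionStatement", NS):
        same_subject = dec.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS) == subject
        actions = [a.text for a in dec.findall("saml:Action", NS)]
        if (same_subject and dec.get("Resource") == resource
                and action in actions and dec.get("Decision") == "Permit"):
            return subject, True
    return subject, False
```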

Another point made in the article is the fact that the WS-Security spec moves the responsibility for web services security into the application layer instead of the transmission layer, putting more power and flexibility into the hands of application developers (but, as Spidey's uncle Ben says in Spider-Man, "With great power comes great responsibility").
2:39:27 AM