Universal Authentication
For a long time I have had the idea that browsers and web servers should support another authentication scheme: public/private key authentication. That way, when registering with yet another website, instead of giving it my password I can give it my public key.
At the lowest level we can reuse the WWW-Authenticate: Digest challenge with some small modifications: the client answers the server's nonce with a signature made with its private key instead of a hash of its password. On the browser side it requires public/private key management that even non-technical users can understand.
If implemented, it gives secure, password-less logins for web-based services, and is even better than single sign-on schemes like Passport.net or Liberty Alliance.
But a problem arises when we want to log in from another terminal that doesn't have our private keys installed. This can be solved by introducing relays.
When the browser cannot answer the challenge itself, it can ask the user whether it knows a relay service. The relay responds on behalf of the browser, but requires a username and password to do so. The relay can be reached over http or https and can use Basic or Digest authentication, with one additional header, Relay-Authenticate, carrying the web server's challenge. If the relay finds the given credentials valid, it answers the challenge with the right header in Relay-Authorization, which the browser then forwards unchanged to the web server.
Note that a relay can be a mobile device with WLAN capability, a personal server reachable over the internet (built into your home broadband router, for instance), a service provided by your employer, or any public server you trust with your private key. The point is that your personal data is not on Microsoft's Passport service or on the server of any other company you might not like, and no one has a single point of control.
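To make the exchange above concrete, here is an added example in Go; it is not code from the original post, which only says Digest's framing would be reused with small modifications. The scheme name PublicKey, the keyid/uri/sig parameters, the string that gets signed, the one-time nonce bookkeeping and the use of Ed25519 are all my own assumptions. It models three parties: the web server (which stores only public keys), a browser that holds the private key, and a relay that holds the key for a browser that has none and only answers a forwarded challenge after checking a Basic credential. The key pair and the realm are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// parseParams splits `PublicKey realm="x", nonce="y"` (Digest's header syntax).
func parseParams(header string) (string, map[string]string) {
	scheme, rest, _ := strings.Cut(strings.TrimSpace(header), " ")
	params := map[string]string{}
	for _, kv := range strings.Split(rest, ",") {
		if k, v, ok := strings.Cut(strings.TrimSpace(kv), "="); ok {
			params[k] = strings.Trim(v, `"`)
		}
	}
	return scheme, params
}

// signedString ties the signature to the request and the server's nonce (assumed format).
func signedString(method, uri, realm, nonce string) []byte {
	return []byte(method + "\n" + uri + "\n" + realm + "\n" + nonce)
}

// Server is the web service: it stores registered public keys, no passwords.
type Server struct {
	Realm  string
	Keys   map[string]ed25519.PublicKey // key id -> public key given at registration
	nonces map[string]bool              // issued and not yet consumed
}

func NewServer(realm string) *Server {
	return &Server{Realm: realm, Keys: map[string]ed25519.PublicKey{}, nonces: map[string]bool{}}
}

// Challenge is the WWW-Authenticate value sent with a 401 response.
func (s *Server) Challenge() string {
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand does not fail on supported platforms
	nonce := base64.RawURLEncoding.EncodeToString(b)
	s.nonces[nonce] = true
	return fmt.Sprintf(`PublicKey realm="%s", nonce="%s"`, s.Realm, nonce)
}

// Verify checks an Authorization value and returns the authenticated key id.
// Each nonce is accepted once, so a sniffed answer cannot be replayed.
func (s *Server) Verify(method, uri, authorization string) (string, error) {
	scheme, p := parseParams(authorization)
	pub, known := s.Keys[p["keyid"]]
	if scheme != "PublicKey" || !known {
		return "", errors.New("unsupported scheme or unknown key id")
	}
	sig, err := base64.RawURLEncoding.DecodeString(p["sig"])
	if err != nil || !s.nonces[p["nonce"]] || p["uri"] != uri ||
		!ed25519.Verify(pub, signedString(method, uri, s.Realm, p["nonce"]), sig) {
		return "", errors.New("stale nonce, uri mismatch or bad signature")
	}
	delete(s.nonces, p["nonce"])
	return p["keyid"], nil
}

// Answer is what a browser holding the private key sends in Authorization.
func Answer(keyid string, priv ed25519.PrivateKey, method, uri, challenge string) (string, error) {
	scheme, p := parseParams(challenge)
	if scheme != "PublicKey" {
		return "", errors.New("browser cannot answer this challenge")
	}
	sig := ed25519.Sign(priv, signedString(method, uri, p["realm"], p["nonce"]))
	return fmt.Sprintf(`PublicKey keyid="%s", nonce="%s", uri="%s", sig="%s"`,
		keyid, p["nonce"], uri, base64.RawURLEncoding.EncodeToString(sig)), nil
}

// Relay holds the private key for a browser that has none; it only answers a
// forwarded challenge (Relay-Authenticate) for a valid Basic credential.
type Relay struct {
	User, Pass, KeyID string
	Priv              ed25519.PrivateKey
}

// Answer returns the Relay-Authorization value the browser copies into Authorization.
func (r *Relay) Answer(basicAuth, method, uri, relayAuthenticate string) (string, error) {
	scheme, enc, _ := strings.Cut(basicAuth, " ")
	raw, err := base64.StdEncoding.DecodeString(enc)
	if scheme != "Basic" || err != nil || subtle.ConstantTimeCompare(raw, []byte(r.User+":"+r.Pass)) != 1 {
		return "", errors.New("relay: bad credentials")
	}
	return Answer(r.KeyID, r.Priv, method, uri, relayAuthenticate)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair
	srv := NewServer("example.org")
	srv.Keys["alice-laptop"] = pub
	// Terminal without the key: the browser asks the relay and forwards its answer.
	relay := &Relay{User: "alice", Pass: "relay-pass", KeyID: "alice-laptop", Priv: priv}
	basic := "Basic " + base64.StdEncoding.EncodeToString([]byte("alice:relay-pass"))
	auth, _ := relay.Answer(basic, "GET", "/inbox", srv.Challenge())
	who, err := srv.Verify("GET", "/inbox", auth)
	fmt.Println("logged in as", who, err)
	_, err = srv.Verify("GET", "/inbox", auth) // the same answer replayed
	fmt.Println("replay:", err)
}
```

Two details carry most of the security value: the signed string includes the request method and URI, so a relay (or anyone sniffing the relay's answer) can only sign for the request the browser asked about, and the server consumes each nonce once, so a captured Authorization header cannot be replayed. The relay still sees a plain username and password, which is why the browser-to-relay leg belongs on https.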
Strong points
- You don't give passwords to servers any more, meaning there are no more passwords to remember.
- Single sign-on without a single point of control like Passport.
- The authentication is potentially stronger than anything reachable with six to eight character passwords.
- You can always use a relay, which could be something you always carry (like your mobile!) or your home router.
- You can have multiple key pairs, some treated with less paranoia than others. Perhaps a web service could even let you register more than one public key for a single account.
Weak points
- Switching users should be easy enough; logging out of Basic or Digest sessions has always been difficult inside browsers.
- Browsers need to support the new scheme and implement the key management.
- Public/private key systems are not well understood by ordinary users.
- Key pairs need to be exported and imported into other browsers (on multiple computers) too, which makes them less safe.
- There should be a way to revoke public keys, which complicates things for web services implementing this. Note, though, that you cannot revoke passwords either.
- Over unencrypted http this scheme has the same drawbacks as Digest: anyone can listen to the traffic, and an active attacker can take over the session once it has been authenticated; only the private key itself stays off the wire. The browser-to-relay connection should be https, since it carries a plain username and password.
References
- A reasonable public-private key introduction.
- RFC 2617
- Universal Authentication
- http://en.wikipedia.org/wiki/Public_key_infrastructure
- http://en.wikipedia.org/wiki/SAML
- http://en.wikipedia.org/wiki/Single_sign-on
- Atom Authentication
Last modified: 2007-11-19 20:15 GMT