Why can’t sign-on work like this?
- The user goes to the site’s URL (www.buycrap.com)
- Before they can buy something, the user has to enter their email username and password (Jason@jasonkolb.com and test123)
- www.buystuff.com looks up the email server for jasonkolb.com from the domain registrar (using the domain’s MX record). We now have a server that can authoritatively identify the user.
- www.buystuff.com sends the email server the email address and password that it was given. If it’s able to authenticate, the user can be positively identified as Jason@jasonkolb.com without the need for any further logins and passwords (and without even needing to STORE a password, of any kind!).
Wow. Under this proposal every site the user signs on to handles his real mailbox password, so it only takes one corrupt employee, or a single security breach, at any one of the hundreds of sites he might want to authenticate with over a few years, to allow that employee (and the crooks behind him — there are markets for stolen identities!) to impersonate him all across the web.
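To make the point concrete, here is a constructed simulation of the flow quoted above: a shop forwards the e-mail address and mail password to the mail host the domain's MX record points at, and whatever passes through that shop can be replayed at any other site using the same scheme. This is an added example, not code from the original post or from the proposal's author; the mail server, the MX lookup table and the shop names other than www.buystuff.com are stand-ins built for this example.

```python
"""Constructed simulation of the e-mail-address sign-on proposal.

Not code from the original post or from the proposal's author: the mail
server, the MX table and the second shop are stand-ins for this example.
"""
import hashlib
import hmac
import secrets


class MailServer:
    """Stand-in for the user's mail host (the server the MX record points at)."""

    def __init__(self):
        self._users = {}  # email -> (salt, PBKDF2 digest)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, email, password):
        salt = secrets.token_bytes(16)
        self._users[email] = (salt, self._digest(password, salt))

    def authenticate(self, email, password):
        record = self._users.get(email)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._digest(password, salt))


def lookup_mail_server(email, mx_table):
    """The proposal resolves the mail host via the domain's MX record;
    mx_table is a constructed stand-in for that DNS lookup."""
    domain = email.rpartition("@")[2].lower()
    return mx_table[domain]


class RelyingSite:
    """A shop that authenticates exactly as the proposal describes: it takes
    the user's e-mail address and mail password and forwards them to the
    user's mail host. It stores nothing, but the credential still passes
    through its process, logs and network stack."""

    def __init__(self, name, mx_table):
        self.name = name
        self._mx_table = mx_table
        # Models what a breach or a corrupt employee at this site could capture.
        self.exposed_credentials = []

    def login(self, email, password):
        server = lookup_mail_server(email, self._mx_table)
        if not server.authenticate(email, password):
            return False
        self.exposed_credentials.append((email, password))
        return True


def impersonate_via_stolen_credential(stolen, target_site):
    """What the insider (or whoever buys the credential) does next:
    replay it at any other site that uses the same scheme."""
    email, password = stolen
    return target_site.login(email, password)


def run_scenario():
    mail = MailServer()
    mail.add_user("Jason@jasonkolb.com", "test123")  # credentials from the quoted proposal
    mx = {"jasonkolb.com": mail}  # constructed stand-in for the MX lookup
    buystuff = RelyingSite("www.buystuff.com", mx)
    other_shop = RelyingSite("www.otherstore.example", mx)  # constructed second site

    first_login = buystuff.login("Jason@jasonkolb.com", "test123")
    wrong_password = buystuff.login("Jason@jasonkolb.com", "wrong")
    stolen = buystuff.exposed_credentials[0]
    impersonated = impersonate_via_stolen_credential(stolen, other_shop)
    return {
        "first_login": first_login,
        "wrong_password_rejected": not wrong_password,
        "impersonated_elsewhere": impersonated,
        "credentials_exposed_at_buystuff": len(buystuff.exposed_credentials),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The mail host verifies the password correctly (a wrong one is rejected), and the shop never writes the password to disk, yet `exposed_credentials` is exactly what a single breach or insider at www.buystuff.com walks away with, and one replay of it logs the attacker in as the user at the other site.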
His workaround — asking for browser extensions that intercept the username (here: the e-mail address) and password, hash them, and forward them in hashed form to the authenticating e-mail host — won’t fly either: how many sites today use HTTP Auth and the browser’s built-in login support instead of their own HTML login form? I can’t think of a single site with mass appeal that does that … whatever their reasons, those reasons apply just the same to his proposal. And then there is the major issue that every existing e-mail server would have to be upgraded to accept the hashed form.
Also, I’d wonder how many people would be happy to give out their e-mail address to every site at which they authenticate. I certainly wouldn’t …
While using identifiers that we have already — e-mail addresses — has a certain appeal over having to introduce new identifiers, like Yadis URLs (at least for those people who don’t have any home page yet), so far I haven’t seen a proposal for a viable internet-scale authentication system built from e-mail addresses.