{"id":322,"date":"2006-04-25T00:01:00","date_gmt":"2006-04-25T08:01:00","guid":{"rendered":"http:\/\/netmesh.info\/jernst\/uncategorized\/jason-kolb-thinks-e-mail-addresses-are-all-we-need-for-single-sign-on"},"modified":"2006-04-25T00:01:00","modified_gmt":"2006-04-25T08:01:00","slug":"jason-kolb-thinks-e-mail-addresses-are-all-we-need-for-single-sign-on","status":"publish","type":"post","link":"https:\/\/upon2020.com\/blog\/2006\/04\/jason-kolb-thinks-e-mail-addresses-are-all-we-need-for-single-sign-on\/","title":{"rendered":"Jason Kolb thinks e-mail addresses are all we need for single-sign-on"},"content":{"rendered":"<p><a href=\"http:\/\/jasonkolb.typepad.com\/weblog\/2006\/04\/single_signon_f_1.html\" target=\"_blank\">He writes:<\/a><\/p>\n<blockquote>\n<p>Why can&#8217;t sign-on work like this?<\/p>\n<ol>\n<li>The user goes to the site&#8217;s URL (www.buycrap.com)<\/li>\n<li>Before they can buy something, the user has to enter their email username and password (Jason@jasonkolb.com and test123)<\/li>\n<li>www.buystuff.com looks up the email server for jasonkolb.com from the domain registrar (using the domain&#8217;s MX record). We now have a server that can authoritatively identify the user.<\/li>\n<li>www.buystuff.com sends the email server the email address and password that it was given. If it&#8217;s able to authenticate, the user can be positively identified as Jason@jasonkolb.com without the need for any further logins and passwords (and without even needing to STORE a password, of any kind!).<\/li>\n<\/ol>\n<\/blockquote>\n<p>Wow. In this proposal, it only takes one single corrupt employee, or a single security breach at any one of the hundreds of sites he might want to authenticate with over a few years, to allow that single employee (and the crooks behind him &mdash; there are markets for stolen identities!) 
to impersonate him all across the web.<\/p>\n<p>His workaround &mdash; asking for browser extensions that intercept username (here: e-mail address) and password, and hash it, and then forward in hashed form to the authenticating e-mail host &mdash; won&#8217;t fly either: how many sites today use HTTP Auth and the built-in browser support compared to their own HTML login form? I can&#8217;t think of a single site with mass appeal that does that &#8230; whatever their reasons, those reasons will apply the same for his proposal. And then there is the major issue that existing e-mail servers would all have to be upgraded.<\/p>\n<p>Also, I&#8217;d wonder how many people would be happy to give out their e-mail address to any site at which they authenticate. I certainly wouldn&#8217;t &#8230;<\/p>\n<p>While using identifiers that we have already &mdash; e-mail addresses &mdash; has a certain appeal over having to introduce new identifiers, like <a href=\"http:\/\/yadis.org\/\" target=\"_blank\">Yadis<\/a> URLs (at least for those people who don&#8217;t have any home page yet), so far I haven&#8217;t seen a proposal for a viable internet-scale authentication system built from e-mail addresses.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>He writes: Why can&#8217;t sign-on work like this? The user goes to the site&#8217;s URL (www.buycrap.com) Before they can buy something, the user has to enter their email username and password (Jason@jasonkolb.com and test123) www.buystuff.com looks up the email server for jasonkolb.com from the domain registrar (using the domain&#8217;s MX record). 
We now have a&hellip;<\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"webmentions_disabled":false,"footnotes":""},"categories":[59],"tags":[],"class_list":["post-322","post","type-post","status-publish","format-standard","hentry","category-comments","kind-"],"kind":false,"_links":{"self":[{"href":"https:\/\/upon2020.com\/blog\/wp-json\/wp\/v2\/posts\/322","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/upon2020.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/upon2020.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/upon2020.com\/blog\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/upon2020.com\/blog\/wp-json\/wp\/v2\/comments?post=322"}],"version-history":[{"count":0,"href":"https:\/\/upon2020.com\/blog\/wp-json\/wp\/v2\/posts\/322\/revisions"}],"wp:attachment":[{"href":"https:\/\/upon2020.com\/blog\/wp-json\/wp\/v2\/media?parent=322"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/upon2020.com\/blog\/wp-json\/wp\/v2\/categories?post=322"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/upon2020.com\/blog\/wp-json\/wp\/v2\/tags?post=322"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}