Yesterday was the day of the PHPWest Conference here in Vancouver. Since I helped a bit with the organization of the whole affair, and Sxip sponsored a dinner for the speakers and organizers, I got to spend some quality time talking tech with some extremely bright people.
During the course of the conversations SXIP and digital identity came up, leading to some very exciting subjects for me. Most people who are in positions that have some say over things are rightfully wary of accepting new ideas, especially those that have a large amount of hype involved, but I felt the conversations did a good job of assuaging the challenges they presented.
Two of the final challenges brought up that still appeared to leave some doubts in the minds of those presenting them did not have a chance to be fully discussed before the end of the dinner, so I will address them here.
A Unified System of Exchange
A unified system for exchanging personal data presents a large target for malicious applications and spyware, creating the opportunity for more powerful data collection programs based on the unified protocol. In the current system of many non-interoperable formats a hacker can only target a specific section or format of data at once, requiring more effort to steal such data.
The argument assumes that a malicious application or spyware has full access to any data passed through the user’s computer and is likely to be attempting to collect values from specific fields and forms in the user’s web browser.
SXIP is more than single sign-on and a unified system for exchanging data, it improves upon the ‘quality’ of the data that can be sent by supporting much more granular data. Finely grained data allows users to assert specific qualities about themselves, their age, for example, without disclosing their name, government identification number, or even birthdate. While the assertion of the user’s age could be intercepted by somebody who had complete access to your browser, it couldn’t be used at another sxip-enabled site without going through the user’s Homesite. (To read about why this works, I just wrote an entry about it: ‘Credentials, Not Business Cards‘)
Furthermore, because the data can be as finely grained as required, a website such as a car rental company’s could be asking only for proof that the user’s age is above 25, that the user has a valid driver’s license and that the user has a clean driving record before making a reservation. Even were an attacker to gain access to that data, how much use would it be to them? With SXIP the user actually has the option of providing proof of something without providing the actual item, meaning even in the event of interception there is no data usable for impersonation.
But paranoia still shows its ugly head. Even if an attacker can’t use the information without going through the user’s Homesite, and even if the data they get is of minimal outside use, what if they intercept the username and password as they go to the Homesite?
The main risk becomes that of the user’s authentication credentials for his or her Homesite being stolen, as important information provided by the Homesite will only be accepted if provided by the Homesite. The solution SXIP provides is that of decoupling the authentication method used, in other words, a Homesite can increase the strength of their authentication in any way they choose. Some possible methods include public key authentication, like SSH, or multi-level authentication, think of how a credit card company will call if somebody is attempting to make a very large purchase. A Homesite can be set up along the same lines, with graduated levels of authentication for more secure data.
The other point to be made here is that those most concerned with security of their data will sign up for the most secure Homesites that require the most to release their data. The Homesite has to gain the user’s trust, the best Homesites will certainly provide stronger authentication methods for those who want them.
An Open Protocol
At a large company the authentication infrastructure will sometimes rely upon a certain amount of security through obscurity, secret components to the authentication infrastructure that the company’s security people would not feel comfortable having publicly known. Because SXIP is a completely open protocol the large company would not adopt it because it would mean giving up the secrets they feels makes them safe.
One of the reasons I was unable to properly address this at dinner was because it took me a bit by surprise; I have always looked upon security through obscurity as being eventually doomed. Accepting that it is a valid concept — especially because the man making the argument certainly knows more about the workings of large corporations than I — and that many large corporations rely on it, a company can still include obscurity in their process if they wish. Take the following example:
A company, BigCo, has a section on their website in which employees can check their schedule and company memos. This section is obviously something they want to keep very safe. BigCo feels they will be better protected by making sure aspects of the authentication are secret and available only to their employees, so they force their employees to use BigCo’s custom Homesite.
At BigCo’s employee login section their request tries to fetch a property that is not defined in the public SXIP schemas,
/bigco/employeeAuth. Requesting this from a normal Homesite would not result in a proper response, as any Homesite other than BigCo’s would not have any knowledge of the property or how to fill it; however, BigCo’s Homesite knows to fill it with a signed assertion containing some values based on algorithms and data known only to BigCo’s servers.
To add more security to the process, BigCo’s Homesite will, if it gets a request for the
/bigco/employeeAuth property, add a second level of authentication beyond the typical username and password it uses for general Homesite access. After entering their username and password (or right away if the user was previously authenticated in the session), BigCo’s Homesite asks the user to attach a… USB dongle — come on, I’m just trying to illustrate that any form of authentication is fine, no matter how paranoid one might want to be. Once it verifies that the user is an employee with good standing in the company, the response is sent back to the requesting section at which point it is verified against BigCo’s SSL certificate and whatever other magical secret data only BigCo would have access to.
Conclusion and Further Discussion
I had a great time at the conference and getting a chance to talk with all the speakers was amazing. Plus, I can finally add the third of the triumvirate of P language power to the list of people I have eaten lunch with.
For further discussion about the above topics, I have sent this entry to the sxip-discuss mailing list, and it can be found at http://listserv.sxip.org/pipermail/sxip-discuss/2005-January/000045.html. Please feel free to join in the discussion and refine these arguments and responses.
Tags: [tag:sxip], digital identity, [tag:php]