Minority Opinions

Not everyone can be mainstream, after all.

Notarized Auth


A time or two, I’ve had a signature notarized by a notary public: someone trusted to verify my identity, with an official seal to attest that the signature is mine. Granted, that identity verification relied on tokens issued by other widely recognized agencies. Being legitimately who I claim to be, I have no problem providing such tokens, though the process of replacing or updating some of them has revealed some potentially abusable holes in the web of trust.

More recently, I have been wondering how this compares to single sign-on and related problems. I maintain a system that provides a service for the customers of our clients. The customer logs into the client’s system and asks to use our service. At that point, the client tells us who the customer is, by way of a series of pre-arranged tokens and signatures, and the customer is granted a token allowing access to our service. The client is, in effect, the notary: we never check the customer’s identity ourselves, we only check that the assertion really came from a client we have an arrangement with, so the whole scheme is only as strong as the secrets and signatures behind that assertion.

Perhaps more analogous is OpenID. Certain online services will accept a URL as my identifier, as long as that URL points to a service affirming that I control it. Such services generally don’t care who I am, as long as nobody else can claim to be me without my permission. (We haven’t gone this route, but we could use OpenID for SSO. It would require accepting only identifier URLs that point to the OpenID services of known clients, but that is no harder than storing a shared secret for each client.)
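To make the hand-off concrete, here is an added example (my own illustration, not the author’s system or any real SSO product) of the two pieces the last two paragraphs describe: a client vouching for a customer with a signed, short-lived assertion built on a pre-arranged shared secret, and a service that accepts such assertions only from an allowlist of known clients, the same restriction the OpenID variant would need. It assumes HMAC-SHA256 over canonical JSON as the signature scheme; every client name, secret and identifier is constructed for the example.

```python
"""Added example, not the author's code: a pre-arranged-secret SSO hand-off
with an issuer allowlist. All names, secrets and identifiers are constructed."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed registry: clients we have an arrangement with, and the secret
# each shares with us. In production this lives in a secret store, not source.
KNOWN_CLIENTS = {
    "client-acme": b"acme-shared-secret-0123456789",
    "client-globex": b"globex-shared-secret-9876543210",
}
SERVICE_KEY = b"our-own-signing-key-for-service-tokens"  # constructed
ASSERTION_TTL = 300  # seconds a client assertion stays acceptable
SESSION_TTL = 3600   # seconds our own access token lasts
CLOCK_SKEW = 30      # tolerance for a client clock that runs slightly fast


class InvalidAssertion(Exception):
    """The presented token must not be trusted."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, payload, hashlib.sha256).digest()


def _encode(claims: dict, secret: bytes) -> str:
    # Canonical JSON so the bytes signed are exactly the bytes verified.
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64(payload) + "." + _b64(_sign(payload, secret))


def _split(token: str):
    """Return (payload bytes, claims dict, signature bytes) or raise."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        claims = json.loads(payload)
        if not isinstance(claims, dict):
            raise ValueError("claims must be a JSON object")
        return payload, claims, sig
    except ValueError as exc:  # also covers binascii.Error and JSON errors
        raise InvalidAssertion("malformed assertion") from exc


def issue_assertion(client_id: str, customer_id: str, secret: bytes, now=None) -> str:
    """Client side: vouch that customer_id is logged in with this client."""
    now = int(time.time() if now is None else now)
    return _encode({
        "iss": client_id,               # who is vouching
        "sub": customer_id,             # the customer, in the client's namespace
        "iat": now,
        "exp": now + ASSERTION_TTL,
        "nonce": secrets.token_hex(8),  # lets the service reject a replayed copy
    }, secret)


def verify_assertion(token: str, known_clients: dict, seen_nonces: set, now=None):
    """Service side: return (client_id, customer_id) or raise InvalidAssertion.
    seen_nonces is the caller's replay cache (a set here; an expiring store in practice)."""
    now = time.time() if now is None else now
    payload, claims, sig = _split(token)
    try:
        iss, sub, nonce = str(claims["iss"]), str(claims["sub"]), str(claims["nonce"])
        iat, exp = int(claims["iat"]), int(claims["exp"])
    except (KeyError, ValueError, TypeError) as exc:
        raise InvalidAssertion("malformed assertion") from exc
    secret = known_clients.get(iss)  # only a known client may vouch for anyone
    if secret is None:
        raise InvalidAssertion("unknown issuer")
    if not hmac.compare_digest(_sign(payload, secret), sig):  # before trusting any claim
        raise InvalidAssertion("bad signature")
    if not (iat - CLOCK_SKEW <= now < exp):
        raise InvalidAssertion("expired or not yet valid")
    if (iss, nonce) in seen_nonces:
        raise InvalidAssertion("replayed assertion")
    seen_nonces.add((iss, nonce))
    return iss, sub


def rejection_reason(token, known_clients, seen_nonces, now=None):
    """None if the assertion is accepted, otherwise the reason it was not."""
    try:
        verify_assertion(token, known_clients, seen_nonces, now)
    except InvalidAssertion as exc:
        return str(exc)
    return None


def grant_service_token(client_id: str, customer_id: str, now=None) -> str:
    """Our own token. The subject is qualified by the vouching client, so
    'alice' at two different clients never collapses into one identity."""
    now = int(time.time() if now is None else now)
    return _encode({"sub": f"{client_id}:{customer_id}", "iat": now,
                    "exp": now + SESSION_TTL}, SERVICE_KEY)


def verify_service_token(token: str, now=None) -> str:
    """Return the qualified subject of a token we issued, or raise."""
    now = time.time() if now is None else now
    payload, claims, sig = _split(token)
    if not hmac.compare_digest(_sign(payload, SERVICE_KEY), sig):
        raise InvalidAssertion("bad signature")
    if "sub" not in claims or not isinstance(claims.get("exp"), int):
        raise InvalidAssertion("malformed assertion")
    if now >= claims["exp"]:
        raise InvalidAssertion("expired")
    return str(claims["sub"])
```

The order of checks is the point: the issuer is looked up first only to find which secret applies, and nothing else in the payload is believed until the signature verifies; expiry and the nonce cache then stop a captured assertion from being reused. Swapping in the OpenID route changes the allowlist from client-to-secret to client-to-provider-URL, but not the shape of the check.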

For the sake of completeness, OAuth is related but almost entirely different; a more appropriate analogy here is a (perhaps limited) power of attorney. I can tell my email service that a certain third party is allowed to send emails on my behalf, or edit my contact list, or both. In practice, there are technical details that must be followed for the permission to be considered valid, but they can be abstracted behind the scenes into something that can be signed or clicked. (Surprisingly, a power of attorney document doesn’t need to be notarized.) Despite that difference in underlying philosophy, the OAuth protocol has been used as the base for one of the SSO options we accept.

Perhaps I could make an entire analogy out of the whole system, with OpenID as a notary public, various online services as state governments, and so on, but it would probably be too fragile for any insightful teaching moments. If you want to take it further, be my guest.


Written by eswald

14 May 2013 at 10:32 pm

Posted in Technology
