W3C home > Mailing lists > Public > public-xg-webid@w3.org > August 2011

RE: How to select Passwords - xkcd

From: Peter Williams <home_pw@msn.com>
Date: Wed, 10 Aug 2011 08:11:53 -0700
Message-ID: <SNT143-W54922F28B79C219D6B09F892230@phx.gbl>
To: <henry.story@bblfish.net>, "public-xg-webid@w3.org" <public-xg-webid@w3.org>


 lets talk abot two unmentionables that constrain the design space in passwords. 1. one has to assume that governments have ensure the vendors have "comprisable-when-needed" commodity security/crypto. Its the nature of the beast, called society. Lets assume the web vendors selling browsers are betting at lying about this, than others. If one uses a password to store a list of passwords, you still have a password based system. If you have a password to a cert, that authenticates a user to an IDP, that asserts to 10 assertion consuming sites, you still have a password. Compromise 1 password, and 10 assertion consuming sites are penetrated. And, this is the goal of society, working through their (browser) vendors.  2. at a recent workshop, a  very high-profile vendor of IDP/SP software admitted to using its own software in its business processes, for the first time (in 10 years). It described the transition, as its sales force guided the adoption rules. It ended up requiring the social user to have to generate a password for the target site (thus proliferating passwords). You also had to register an email address (that the site would confirm, since the sales force didnt feel one could trust a billion dollar company liek Google, over the "assurance" favor of an internet email system designed by the US Dept of Defense). If you want to change the email address later at the SP, you cannot, and have to register yourself a "new google account" - since they are all "throwaway" in the eyes of the consuming sales team. The rationale for all this was that the nature of sales requires such constraints on the social dynamics (in order to grant the convenience and benefits of the SSO); and ANY sales dept would come to similar conclusions. The point is, that the story of: one password to rule them all is NOT resonating. Its hitting a wall, once one gets passed the obvious demo of SSO/SSL channels, assertion passing, attribute/claim sourcing, etc.  > From: henry.story@bblfish.net
> Date: Wed, 10 Aug 2011 10:13:48 +0200
> To: public-xg-webid@w3.org
> Subject: How to select Passwords - xkcd
> 
> The latest xkcd 
> 
>    http://xkcd.com/936/
> 
> Henry
> 
> Social Web Architect
> http://bblfish.net/
> 
> 
 		 	   		  
Received on Wednesday, 10 August 2011 15:12:31 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 10 August 2011 15:12:32 GMT