
Re: Technical Review of WebAppSec Credential Management API [2/3] (was Re: Overlap with Credentials/Web Payments CG)

From: Jim Manico <jim.manico@owasp.org>
Date: Thu, 16 Apr 2015 12:01:02 -0700
Message-ID: <946557726353481557@unknownmsgid>
To: Crispin Cowan <crispin@microsoft.com>
Cc: Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
I agree with you, a GUID or what I consider to be "semi-private" is a total
failure as a credential. But using a name to uniquely identify someone in
an IT system is also a failure. There are unique identifying items,
non-unique/semi-private identifying items, and then credentials.

--
Jim Manico
@Manicode
(808) 652-3805

On Apr 16, 2015, at 11:51 AM, Crispin Cowan <crispin@microsoft.com> wrote:

Well, I beg to differ here. “Somewhat private” == obscurity, which ~=
security as long as no one is looking hard. The SSN identity theft problem
exists because far too many people assumed that “somewhat private” meant
“good enough to be a credential.” Problem is that something shared between
more than two people is no longer a secret, and so it fails as a credential.



*From:* Jim Manico [mailto:jim.manico@owasp.org]
*Sent:* Thursday, April 16, 2015 11:43 AM
*To:* Crispin Cowan
*Cc:* Brad Hill; public-webappsec@w3.org
*Subject:* Re: Technical Review of WebAppSec Credential Management API
[2/3] (was Re: Overlap with Credentials/Web Payments CG)



Also, whenever I go out - the people always shout -  "there goes Jim" -
making my name public data unlike a GUID.



So in most IT systems you have public identifying info (name, email,
twitter handle) as well as somewhat private identifying info (guid) as well
as credentials (password, etc).



In strong systems usernames are treated as private data. In weak systems
usernames are public identifying info.

Good stuff.



Cheers, Crispin.

--

Jim Manico

@Manicode

(808) 652-3805


On Apr 16, 2015, at 11:26 AM, Crispin Cowan <crispin@microsoft.com> wrote:

Weak name spaces, like the names parents give babies, allow for
collisions, which then require disambiguation. The TSA’s “no fly” list has
that problem; if you share a name with a suspected terrorist, you get the
same hassles.



Strong name spaces enforce non-collisions. E-mail addresses and Twitter
handles enforce uniqueness through one or more authorities issuing the
names. GUIDs probabilistically “enforce” uniqueness by randomly choosing
128-bit values :-)



*From:* Jim Manico [mailto:jim.manico@owasp.org]
*Sent:* Wednesday, April 15, 2015 8:17 PM
*To:* Crispin Cowan
*Cc:* Brad Hill; public-webappsec@w3.org
*Subject:* Re: Technical Review of WebAppSec Credential Management API
[2/3] (was Re: Overlap with Credentials/Web Payments CG)



In general it's bad to identify someone by their name in a software system;
it's more of a label than identifying info for authentication.



What if his name is my name, too?

--

Jim Manico

@Manicode

(808) 652-3805


On Apr 15, 2015, at 7:28 PM, Crispin Cowan <crispin@microsoft.com> wrote:

Credentials and Identities are never the same thing, and getting them
confused leads to incredible pain:

- Identity: who you are. GUIDs, full names like John Jacob
Jingleheimer Schmidt, and phone numbers are identifiers.

- Credential: a proof that you are who you are. Passwords, private
keys, shared symmetric keys, OTPs, and the shape of those metal key things
in your pocket are credentials.

- Tragedy: that much of America treated Social Security Numbers
(SSNs) as credentials rather than identifiers. Duh :-(



*From:* Brad Hill [mailto:hillbrad@gmail.com]
*Sent:* Wednesday, April 15, 2015 7:01 PM
*To:* public-webappsec@w3.org
*Subject:* Re: Technical Review of WebAppSec Credential Management API
[2/3] (was Re: Overlap with Credentials/Web Payments CG)



With <hat=individual>, regarding a suggestion I've seen to change what is
being stored/managed from "credential" to "identity": -1



If there is a word that is even more overloaded, fraught with complexity,
dense with both technical and lay meaning, and with a history of grandiose
attempts to boil the ocean, than the word "Credential", that word is
"Identity".



Please, let us not use that word.  My bank account is not an identity. My
email address is not an identity.  The means by which I authenticate to
them are not identities, and their relationship to each other and my actual
identity/identities are many-to-many.



If the proposal on the table at rechartering had been for an "identity
manager" I would have leapt out of my chair to keep this group out of that
particular tar pit.



In a similar vein, I've filed an issue suggesting changing the name of the
"avatar" attribute to "icon" to avoid any connotations of identity.



-Brad Hill
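The distinction the thread keeps circling (weak public labels like a name, strong identifiers like an e-mail or a GUID, and credentials that actually prove a claim) is easy to state and easy to get wrong in code. The following is an added illustration written for this archive page; it is not code from the thread, from the Credential Management API, or from any of the participants. The `Registry` class, the account names, e-mail addresses and passwords are all constructed for the example. It shows a name lookup that collides (the "his name is my name, too" case), an e-mail namespace where uniqueness is enforced by the issuing authority, a birthday-bound estimate for the 122 random bits in a version-4 UUID, and an authentication check in which knowing someone's GUID, a "semi-private" identifier, proves nothing.

```python
"""Identifiers versus credentials: added example, not code from the thread.

Names, e-mail addresses and passwords below are constructed sample data.
"""
import hashlib
import hmac
import math
import os
import uuid
from dataclasses import dataclass

# RFC 4122 v4 UUIDs carry 122 random bits; the other 6 encode version/variant.
UUID4_RANDOM_BITS = 122

# Kept low so the demo runs quickly; a production deployment should use a
# far higher PBKDF2 iteration count (or a memory-hard KDF such as Argon2).
PBKDF2_ITERATIONS = 20_000


def uuid4_collision_probability(n):
    """Birthday-bound estimate that n independently drawn v4 UUIDs collide.

    Uses -expm1(-x) rather than 1 - exp(-x) so tiny probabilities do not
    round to zero in floating point.
    """
    space = 2 ** UUID4_RANDOM_BITS
    return -math.expm1(-(n * (n - 1)) / (2.0 * space))


@dataclass
class Account:
    user_id: str        # strong, semi-private identifier (uuid4); NOT a secret
    email: str          # strong, public identifier; uniqueness enforced by us
    display_name: str   # weak, public label; collisions are allowed
    salt: bytes
    password_hash: bytes


class Registry:
    """Toy account store (assumption: hypothetical, for illustration only)."""

    def __init__(self):
        self._by_id = {}
        self._by_email = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   PBKDF2_ITERATIONS)

    def register(self, display_name, email, password):
        key = email.lower()
        if key in self._by_email:
            # Strong namespace: the registry, as issuing authority, refuses
            # a second account for the same e-mail address.
            raise ValueError("e-mail already registered")
        salt = os.urandom(16)
        acct = Account(str(uuid.uuid4()), key, display_name, salt,
                       self._hash(password, salt))
        self._by_id[acct.user_id] = acct
        self._by_email[key] = acct
        return acct.user_id

    def find_by_name(self, display_name):
        """Weak namespace: may return zero, one or many accounts."""
        return [a for a in self._by_id.values() if a.display_name == display_name]

    def find_by_email(self, email):
        return self._by_email.get(email.lower())

    def authenticate(self, user_id, password):
        """Only the credential proves the claim; the identifier alone does not."""
        acct = self._by_id.get(user_id)
        if acct is None:
            return False
        candidate = self._hash(password, acct.salt)
        # Constant-time comparison so the check leaks nothing about the hash.
        return hmac.compare_digest(acct.password_hash, candidate)


def demo():
    """Exercise the three tiers and return the observations as a dict."""
    reg = Registry()
    a = reg.register("John Jacob Jingleheimer Schmidt", "john@example.com",
                     "correct horse battery staple")
    b = reg.register("John Jacob Jingleheimer Schmidt", "jjjs@example.org",
                     "another-passphrase")
    results = {
        "name_matches": len(reg.find_by_name("John Jacob Jingleheimer Schmidt")),
        "email_unique": reg.find_by_email("JOHN@example.com").user_id == a,
        "credential_ok": reg.authenticate(a, "correct horse battery staple"),
        "guid_as_credential": reg.authenticate(a, a),  # GUID proves nothing
        "wrong_account": reg.authenticate(b, "correct horse battery staple"),
    }
    try:
        reg.register("Someone Else", "john@example.com", "x")
        results["dup_email_rejected"] = False
    except ValueError:
        results["dup_email_rejected"] = True
    return results
```

`demo()` returns two accounts for the shared name (disambiguation needed), exactly one for the e-mail regardless of case, `True` only when the real password is presented, and `False` when the caller offers the account's own GUID as if it were a credential. `uuid4_collision_probability(10**9)` is on the order of 1e-19, which is why random 128-bit identifiers are treated as collision-free in practice; around 2**61 draws the estimate climbs to roughly 0.39, the usual birthday-bound shape.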
Received on Thursday, 16 April 2015 19:01:33 UTC
