W3C home > Mailing lists > Public > public-webpayments@w3.org > June 2014

Re: Proof of Concept: Identity Credentials Login

From: Evan Schwartz <evan@ripple.com>
Date: Wed, 11 Jun 2014 11:35:13 -0700
Message-ID: <CAONA2jWMthJRnwcjjRGv+BsYDg+oKtQoZZwK9ZHUbqjNs13bwA@mail.gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: Steven Rowat <steven_rowat@sunshine.net>, Web Payments CG <public-webpayments@w3.org>

Nice work Manu and company for putting this demo together and pushing this
project forward.

Does the security of the data users store in the to-be-decentralized
database depend entirely on them choosing a random 20+ character password?
Given what we learned about passwords from the Adobe leak, it seems like we
can't wholly rely on people choosing secure passwords (according to this
list <http://stricture-group.com/files/adobe-top100.txt> "123456" was the
password chosen by 1,911,938 Adobe users). It would be trivial to break
most people's email/password combinations, especially if decentralization
meant that attackers could mount offline attacks on the whole database. I'd
also guess that using email as the main identifier also increases the
likelihood that people use the same password in the identity credentials
system they use for their actual email account. A while ago, Stefan Thomas,
CTO at Ripple Labs, wrote up this paper <http://justmoon.github.io/pakdf/>
about using a "Peer-Assisted Key Derivation Function" (PAKDF) to address
this type of problem, which might be of interest here.

Am I correct in thinking that the plan for what would be integrated into
the browser would just be a token that allows you to skip some additional
authentication step, as opposed to the credentials themselves? I hear
browsers mentioned quite often as the ideal storage platform for secure
information but I always wonder what happens if I lose or switch my
computer, have multiple devices, or if my internet access is limited to
internet cafes.

> When you click "Login", your email address
> and passphrase are SHA-256'd and sent as a query to the Telehash
> network.

Won't this hash be publicly available in the distributed hash table? What
exactly is stored in the blob in the Telehash network? Is it just which
identity provider I'm using?

> Your identity provider will receive the request and
> respond to the query with an encrypted message that will then be
> decrypted using your passphrase.

Does that mean my identity provider has my plaintext passphrase?

> The contents of that message will
> tell the login hub where your identity provider is holding your
> identity. The request for the email credential is then forwarded
> to your identity provider.

How will the request to this identity provider location/URL be
authenticated?

-- 
Evan Schwartz
Developer + Technology Pioneer
Ripple Labs Inc.
Received on Wednesday, 11 June 2014 18:36:03 UTC
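The offline-attack concern raised in the message above (a SHA-256 of the email address and passphrase published as a Telehash query, crackable by anyone watching the DHT against a breach-derived wordlist) and the peer-assisted alternative it points to, as an added example that is not part of the original message, the demo it replies to, or the PAKDF paper. The exact query-key construction (concatenation order, separator) is an assumption, since the demo text only says the two values are "SHA-256'd"; the wordlist is constructed for the example; and the rate-limited peer is a simplified stand-in that shows why a secret-holding, attempt-capping peer defeats offline guessing, not the blind-signature construction from the PAKDF paper (this toy peer sees the password hash, which the real scheme avoids through blinding).

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample wordlist in the spirit of the Adobe top-100 list the
# message cites; the entries here are assumptions, not the actual list.
WORDLIST: List[str] = [
    "123456", "123456789", "password", "adobe123",
    "12345678", "qwerty", "letmein",
]


def lookup_key(email: str, passphrase: str) -> str:
    """Assumed query-key construction: SHA-256 over email and passphrase.

    The demo only says both values are SHA-256'd before being sent to the
    Telehash network; the NUL separator and ordering are assumptions.
    """
    return hashlib.sha256(f"{email}\x00{passphrase}".encode()).hexdigest()


def offline_crack(observed_key: str, email: str, wordlist: List[str]) -> Optional[str]:
    """What a DHT observer can do once the key is public: one cheap hash per
    guess, entirely offline, with the email as the obvious salt."""
    for guess in wordlist:
        if lookup_key(email, guess) == observed_key:
            return guess
    return None


def slow_lookup_key(email: str, passphrase: str, iterations: int = 100_000) -> str:
    """An iterated KDF (PBKDF2-HMAC-SHA256 here, iteration count illustrative)
    raises the per-guess cost, but the attack is still offline and still
    finds passwords that sit near the top of a breach list."""
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode(), email.lower().encode(), iterations
    ).hex()


def offline_crack_slow(observed_key: str, email: str, wordlist: List[str],
                       iterations: int = 100_000) -> Optional[str]:
    for guess in wordlist:
        if slow_lookup_key(email, guess, iterations) == observed_key:
            return guess
    return None


class RateLimitedPeer:
    """Toy stand-in for the peer in a peer-assisted KDF (assumption: not the
    PAKDF paper's blind-signature protocol). It holds a secret the client
    never learns and caps derivation attempts per identifier, so every
    password guess must go through it and the budget runs out quickly."""

    def __init__(self, max_attempts: int = 5) -> None:
        self._secret = secrets.token_bytes(32)
        self._attempts: Dict[str, int] = {}
        self.max_attempts = max_attempts

    def assist(self, identifier: str, client_value: bytes) -> bytes:
        n = self._attempts.get(identifier, 0)
        if n >= self.max_attempts:
            raise PermissionError(f"attempt limit reached for {identifier}")
        self._attempts[identifier] = n + 1
        # Simplification: the peer sees H(email||passphrase) in the clear.
        return hmac.new(self._secret, client_value, hashlib.sha256).digest()


def peer_assisted_key(peer: RateLimitedPeer, email: str, passphrase: str) -> str:
    """Client side: derive the login key from the peer's contribution. Without
    the peer's secret there is nothing to brute-force offline."""
    client_value = hashlib.sha256(f"{email}\x00{passphrase}".encode()).digest()
    contribution = peer.assist(email, client_value)
    return hmac.new(contribution, b"login-key", hashlib.sha256).hexdigest()


def online_guess(peer: RateLimitedPeer, email: str, target_key: str,
                 wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Attacker who knows the target key but must ask the peer per guess.
    Returns (recovered passphrase or None, number of guesses the peer allowed)."""
    tried = 0
    for guess in wordlist:
        try:
            if peer_assisted_key(peer, email, guess) == target_key:
                return guess, tried + 1
        except PermissionError:
            return None, tried
        tried += 1
    return None, tried


if __name__ == "__main__":
    email = "alice@example.com"  # constructed
    print("offline:", offline_crack(lookup_key(email, "123456"), email, WORDLIST))
    peer = RateLimitedPeer(max_attempts=5)
    key = peer_assisted_key(peer, email, "letmein")  # legitimate login uses one attempt
    print("via peer:", online_guess(peer, email, key, WORDLIST))
```

The first two functions reproduce the concern in the message: publishing a fast hash of email and passphrase turns the whole user base into an offline cracking target, and a slow KDF only scales the cost without removing the attack. The toy peer shows the structural fix the PAKDF paper argues for: once a secret held by a rate-limiting peer enters the derivation, each guess costs an online request and the peer cuts the attacker off after a handful of tries.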