RSnake has a piece up on Token Security which raises some good points, but also misses some perspective. Firstly, any article that makes a serious attempt at mitigating FUD is most welcome, especially in a space as overloaded as identity. That said, I think RSnake is taking too narrow a view, specifically a B2C view, on federation and tokens. It is true that what works on the web eventually filters into the enterprise, but it is also true that things which start out as enterprise technologies sometimes later become cost effective on the web. So I would not assume that the current status quo on the web will hold. I don't think it will; the identity problems are too big and there is too much money at stake.
"consumers hate tokens."
Except that people use ATM cards every day. Consumers will absolutely put up with being inconvenienced if some value is created for them. The problem today is not the token; it's the lack of a value proposition for the person you are inconveniencing.
"Everyone wants to be the single federation platform for everyone else."
This will never work, and that's a good thing. I think most companies already realize this, though. I think the walled garden model has gone the way of the dodo.
"Federation will never work. It won’t work because the single most important consumer Web applications in the world are scared of it. Banks hate the concept because it becomes a weakest link in the chain problem."
Federation works quite well; have a look at Google for one example. The reason banks hate federation is that their infosec people have a mainframe mindset: they are focused only on resource protection. The problem is they don't run mainframes on closed networks any more. They went and connected them to the web, and so now they need to think about subject and claim security, not just resource security. It's not hatred, it's a lack of understanding stemming from a legacy mindset.
Linking up identity providers and relying parties into a federation has been a solved problem for quite some time.
"Tokens don’t actually solve most security problems, like man-in-the-middle, phishing, and keystroke-logging malware."
Rule 1. There are no silver bullets in security.
Rule 2. Don't forget rule 1.
But...
...there is a rule 3.
Rule 3. Just because a security mechanism doesn't solve all of our problems doesn't mean it's worthless.
I see this with security consultants all the time: they hate on static analysis or some scanning tool because they can find hundreds of things the tool doesn't. Fair point, except 99.9999% of IT can't and won't find them. Engineering is about solving one incremental problem at a time.
"Oh yes, and finally, consumers are going to have to carry around 13 of them just to make sure they can log into whatever they need to log into since no one will federate."
This misses the point of federation. I carry around one ATM card; it's up to the banks, Visa, Cirrus and so on to make sure I get my cash. The funny thing about banks not understanding federation is that they have the best example right in front of their noses. The problem is that it's in a different department, so they never see it.
"Global federation is nowhere near a solid concept in the consumer space, despite what the vendors will try to sell you."
Rule 4. Do your own due diligence.
"This is a long term problem. If you work on it and make any progress against it, you'll find yourself much smarter at the far end, than you were at the near end.
When I was in Norway about 5 years ago, I was there very close to the summer solstice. I was wandering around town at 2 o'clock in the morning and there was plenty of light out. You come to a sign that says New Minsk about 60 km and it points south.
And I ask the lady "what country is this?"
She scratched her head for a bit, and said "well I think it's Norway."
I said "well who plows the roads?"
"Well Norway does, but we have to pay them."
There is a triple boundary in this town that I was in between Norway, Finland and Russia.
But what I did there, was, I had a card about wallet size, I stuck it into a machine, I punched in four digits, and it gave me about 2,000 krone, whatever the hell that is.
Now there are a lot of participants in that transaction. When I put a card into that machine, punch in a PIN, and it gurgles for a while, and finally gives me a fairly large amount of money, there are a lot of participants in that transaction. The bank that owned the machine that gave me the money, it gave some money away -- that bank wants it back. The PIN is necessary to convince my own bank that I'm me. But I don't want my PIN to be broadcast all over the world. My bank in the US, it hasn't really given out or taken in any money, really. But there are a lot of credits involved here. Somebody needs to charge somebody else for having more money available, even though there was actually no cash transfer.
And the problem that I have in mind is
- who are all the participants in an ATM transaction?
- what do those participants need to satisfy their problems?
- how is that in fact done?
In a general way, does the ATM system actually work in some reasonable sense? To which the answer is, by the way: yes. The ATM system damn well works, with extremely high reliability and accuracy. It surprises me. It's quite a bit different than voting machines."
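The ATM transaction described above is a federation in miniature: the ATM-owning bank (the relying party) never needs the PIN, only a signed assertion from the cardholder's own bank (the identity provider) that it can later settle against. The toy below, added here and not from the post or the quoted talk, models those three requirements: the PIN is verified only at the issuer, the acquirer decides on a signed claim it checks itself, and the claim's transaction id stops a settlement record from being replayed. All names, keys and card numbers are constructed; the PIN is passed in clear for brevity where a real network carries an encrypted PIN block the acquirer cannot open.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample data: a shared network key and one enrolled card (hypothetical).
NETWORK_KEY = secrets.token_bytes(32)
ISSUER_PIN_DB = {"4000-0001": hashlib.sha256(b"1234").hexdigest()}


@dataclass
class Issuer:
    """Cardholder's own bank: the only party that ever checks the PIN."""
    pin_db: dict
    key: bytes

    def authorize(self, card, pin, amount, txn_id):
        stored = self.pin_db.get(card)
        given = hashlib.sha256(pin.encode()).hexdigest()
        if stored is None or not hmac.compare_digest(stored, given):
            return None                      # wrong card or PIN: no claim issued
        claim = f"{card}|{amount}|{txn_id}".encode()
        return claim, hmac.new(self.key, claim, hashlib.sha256).digest()


@dataclass
class Acquirer:
    """Bank that owns the ATM: trusts a verified claim, never the PIN itself."""
    key: bytes
    seen: set = field(default_factory=set)   # txn ids already settled
    owed: int = 0                            # what the issuer owes us

    def settle_claim(self, claim, sig, card, amount, txn_id):
        """Accept the issuer's claim only if signed, for this txn, and not replayed."""
        expected = hmac.new(self.key, claim, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
        c_card, c_amount, c_txn = claim.decode().split("|")
        if (c_card, int(c_amount), c_txn) != (card, amount, txn_id) or c_txn in self.seen:
            return False
        self.seen.add(c_txn)
        self.owed += amount
        return True

    def dispense(self, card, pin, amount, issuer):
        txn_id = secrets.token_hex(8)        # fresh per transaction
        result = issuer.authorize(card, pin, amount, txn_id)
        return result is not None and self.settle_claim(*result, card, amount, txn_id)
```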