Kaliya, the Identity Woman, says that pass.net is “a new identity protocol”. To me it seems more a smart idea for implementing an effective single sign-on solution. With Pass.net the trick is to delegate identification and authentication to a third party: your email domain. Hence this SSO method is as secure as the mail server handling your email account.
As far as security is concerned, Pass.net could open a new avenue for attacks, since it relies on a secret confirmation URL built from hashing the email address itself. Correctly implementing the hash function and the random secret could be overwhelmingly complex for most web sites. Anyway, Pass.net is a very interesting project, quite simple to implement on any web site without exceedingly high security requirements, and I guess it could be an ideal solution for mailing lists, web forums and maybe blog comments.
It reminds me of a similar approach based on XMPP, the protocol behind Jabber. While XMPP is sometimes perceived as just an IM technology, it includes strong authentication via the Simple Authentication and Security Layer (SASL) specification.
Email accounts are definitely more common than Jabber accounts, but the robustness and flexibility of XMPP are a nice plus. In fact, XMPP could act as a universal authentication platform. This has already been understood and exploited by Google with Gtalk.
dJOEk, in his Dystopics blog, had an accurate analysis of the Gtalk authentication mechanism and how it can be used by any other web site.
Google hands out tokens securely over SSL. You can use those tokens to auth yourself on XMPP. You can authenticate yourself with your one single Google Account without ever having to give a third party your password.
Then he goes on to explain how you could generate a token to authenticate against Google. There is no auth API from Google, but this undocumented feature is there and it works.
I’ve heard that there are some efforts going on about Jabber and identity and, in our recent meeting, this topic was one that got Boris Mann really excited. I think we can expect some interesting news soon in this field.
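
To make the concern about the secret confirmation URL concrete, here is an added example (not Pass.net's code, and not taken from its specification) of how a site could build and check such a link. It swaps the plain hash for a keyed one, HMAC-SHA256; the URL layout, the parameter names `email`, `exp` and `sig`, the 15-minute lifetime and the host `site.example` are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Per-site secret from the OS CSPRNG; never derived from the email or other user data.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL = 900  # assumed lifetime of a confirmation link, in seconds


def sign(email, expires, key):
    # Keyed hash (HMAC), not a bare hash: without the key nobody can mint a valid link.
    # The length prefix keeps the email/expiry boundary unambiguous.
    msg = f"{len(email)}:{email}:{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_confirm_url(base, email, key=SECRET_KEY, now=None):
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    query = urlencode({"email": email, "exp": expires, "sig": sign(email, expires, key)})
    return f"{base}?{query}"


def verify_confirm_url(url, key=SECRET_KEY, now=None):
    """Return the confirmed email, or None if the link is malformed, forged or expired."""
    q = parse_qs(urlsplit(url).query)
    try:
        email, exp, sig = q["email"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return None
    # Constant-time comparison: do not leak how much of a guessed signature matched.
    if not hmac.compare_digest(sign(email, exp, key).encode(), sig.encode()):
        return None
    if (time.time() if now is None else now) > exp:
        return None
    return email


if __name__ == "__main__":
    url = make_confirm_url("https://site.example/confirm", "alice@example.org")
    print(url)
    print(verify_confirm_url(url))
```

In a real deployment the key would be loaded from protected configuration rather than regenerated at start-up, since a fresh key invalidates every outstanding link.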


Any client which fully supports XMPP can be used to access any network to which a gateway exists, without the need for any extra code in the client and without the need for the client to have direct access to the Internet. This may violate terms of service on the protocol used; however, such terms of service are not legally enforceable in several countries.
consulting
E-mail is often used to deliver bulk unsolicited messages, or “spam”, but filter programs exist which can automatically block, quarantine or delete some or most of these, depending on the situation.