Re: Online Accounts panel for 3.2



On 04/19/11 16:12, Alberto Mardegan wrote:
> On 04/19/2011 04:08 PM, David Zeuthen wrote:
>> Hey,
>>
>> One of the things I'm looking at doing for 3.2 is the Web Accounts panel:
>>
>>   http://live.gnome.org/ThreePointOne/Features/Sharing
> 
> See the "Current status" section in that page. We already have all of
> this (and more) in MeeGo, and I'm willing to support any efforts in
> bringing this to Gnome.

I've looked at the libaccounts + sso stuff work you've done, and it's
certainly interesting and had a lot of thought behind it. Kudos.

Side note: I think part of integrating it with the GNOME desktop would
involve integrating it with gnome-keyring for secret storage.

But on to the main point:

It seems to me the architecture of Meego SSO is very security focused.
In particular it uses pass through authentication to keep credentials
away from the applications that are using them. Essentially it doesn't
even trust the applications that it's authenticating. This is wonderful
security from a theoretical point of view.

However I think that this could get in the way of broader adoption. In
order to succeed, you would need to patch every GNOME application and
library to not do its own authentication (DIGEST, NTLM, OAuth, CRAM,
GSSAPI, and so on...) but have them call out to the daemon. This is not
impossible but requires a large amount of commitment and time by someone
(probably you). It's not something that will likely happen by the
various projects on their own.

If the goal is to have this work with the entire desktop (not just
GNOME) then certain applications (think Mozilla) would be very
challenging to refactor in this way.

The amount of work that this involves brings me to question the
practical value of hiding the secrets from the applications. Here are
some thoughts:

 * As security people we often tend to think of the credentials as the
   holy grail. In our minds it is the thing to be protected at all
   costs.

   However for many use cases this is not true. The user's data is
   often really the item of utmost importance. An application must be
   trusted if it has access to the user's online account and by
   extension their data. It doesn't matter whether it has credentials
   or not.

 * Many auth protocols have no way to hide the secret from the client
   application and instead rely on wire encryption to provide security.

   OAuth 2.0 (as used on Facebook) has converged on bearer tokens.
   Anything that has the token can authenticate. This means there's no
   way to hide the secret from the application.

   The same is true for the plethora of applications using LOGIN,
   PLAIN or BASIC authentication over TLS.

 * Pass through authentication adds way more moving parts to any app
   implementing authentication or anyone wishing to implement a new
   authentication method.

I myself am torn here between the theoretical security benefits of being
anal about credentials, and the practical benefits of letting
applications do their own authentication.

One thing I'm pretty sure about: using pass through authentication to
effect SSO, and keeping the credentials away from applications, will
make adoption of the Meego SSO bits in GNOME a challenge. Of course,
these obstacles are not insurmountable if you put enough time and
effort in.

Cheers,

Stef
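Added example (not code from this thread or from the MeeGo libaccounts/sso project), in Python, sketching the distinction the message draws: a hypothetical credential-holding daemon can answer a CRAM-MD5 challenge on the application's behalf without ever revealing the password to it, whereas with an OAuth 2.0 bearer token the thing handed over is the secret itself. The daemon, the stand-in server and the credentials are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

PASSWORD = "correct horse battery"        # constructed sample IMAP password
BEARER = "ya29.constructed-sample-token"  # constructed sample OAuth 2.0 bearer token

class SsoDaemon:
    """Hypothetical credential holder (not libaccounts/sso code)."""
    def __init__(self, store):
        self._store = dict(store)           # account name -> secret

    def cram_md5_response(self, account, user, challenge):
        # Pass-through: the app hands in the server's challenge and gets back
        # only the HMAC-MD5 digest (RFC 2195); the password never leaves here.
        key = self._store[account].encode()
        return f"{user} {hmac.new(key, challenge, hashlib.md5).hexdigest()}"

    def bearer_token(self, account):
        # Bearer schemes: the token itself is what authenticates, so the daemon
        # has nothing to hide; whatever it returns is the full secret.
        return self._store[account]

class CramServer:
    """Constructed stand-in for a remote CRAM-MD5 service."""
    def __init__(self, password):
        self._password = password.encode()
        self._challenge = None

    def challenge(self):
        self._challenge = f"<{secrets.token_hex(8)}@example.test>".encode()
        return self._challenge

    def verify(self, response):
        _user, digest = response.split(" ", 1)
        expected = hmac.new(self._password, self._challenge, hashlib.md5).hexdigest()
        return hmac.compare_digest(digest, expected)

def app_login_cram(daemon, server):
    """The application's view: it never handles PASSWORD, only the response."""
    response = daemon.cram_md5_response("imap", "alice", server.challenge())
    return server.verify(response), response

def app_login_bearer(daemon):
    """The application's view: the token it sends IS the secret."""
    token = daemon.bearer_token("facebook")
    return f"Authorization: Bearer {token}", token
```

Calling `app_login_cram(SsoDaemon({"imap": PASSWORD, "facebook": BEARER}), CramServer(PASSWORD))` succeeds while the returned response contains no trace of the password; `app_login_bearer` on the same daemon necessarily hands the application the complete token.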

