Web Services Strategies

Beyond the technology, IT strategies for implementation of Web services by Doug Kaye.

Scott on Compartmentalization. "Is it any worse than having users writing down multiple userids and passwords on stickie notes next to their screens or keyboards? Or, perhaps even worse, users who use the same userid/password combinations across multiple sites and thereby have the same risk of loss?"

The difference is that these are behavioral issues: entirely personal and client-side problems. Liberty, Passport and other single sign-on systems institutionalize the problem and manifest it beyond the control of the consumer. They place merchants in the position of encouraging risky practices that, at the same time, many of them publicly discourage. We're all told that it's bad to keep passwords in our wallets and to never reuse them at multiple sites. So why, then, is it okay for Microsoft or the Liberty Alliance members to do so on our behalf? Does a second wrong make a right?

There's also a difference between enterprise/intranet single sign-on systems and those deployed for the public. In the former case, it's generally (not entirely) the enterprise that assumes the risks associated with the abuse of such a system. Any CIO installing a corporate single sign-on system knows the risks he's taking. And the data that's being protected by the authentication/authorization system is, for the most part, corporate, not personal, data.
Posted Sunday, September 15, 2002 12:55:08 PM   

Liberty and the Compartmentalization Attack. We've all seen the generic submarine movie in which the engine room takes a direct torpedo hit. In order to save the rest of the ship, all the compartment bulkhead doors are closed, committing the isolated sailors to their watery deaths.

Compartmentalization--limiting the scope of damage--plays an important role in security planning. I believe the Liberty Alliance 1.0 spec may weaken consumer protection by leaving open bulkhead doors between federated providers, therefore creating opportunities for "compartmentalization attacks."

Under Liberty 1.0, when a user opts in to the sharing of his identity between two parties, he must explicitly log in to both web sites. The parties don't learn the usernames and passwords used on the other sites (i.e., no identifying data are exchanged), but an anonymous relationship is created. The next time that same user visits one of the sites, he can click through using a link to the other site without authentication.

If a Bad Guy manages to obtain the consumer's username and password to the first site, he can impersonate the consumer on that site. That risk has always existed. But due to the association created by Liberty 1.0, the Bad Guy now can also click through to the other federated sites--continuing to impersonate the consumer--without being authenticated via usernames and passwords. Once the Circle of Trust between providers has been created under Liberty 1.0, compartmentalization of the identity has been compromised. The bulkhead doors have been opened. A password-theft attack that would have been contained to a single site prior to Liberty 1.0 now has a broadened scope. If my bank and brokerage account identities are federated, anyone able to log into one can automatically access the other.

Some important caveats here. First, I'm putting this out for comment as speculation based on my understanding of Liberty 1.0. Many people, far smarter than I, have spent months developing the Liberty Alliance specifications, and there's a significant chance that my understanding is flat-out wrong. Second, I'm not a security guru, and I imagine my concept of a "Containment Attack" has another name of which I'm not aware. Please let me know if I'm in error on either account.
Posted Sunday, September 15, 2002 6:18:54 AM   
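
The scope argument in the post above can be checked with a small model of which accounts one stolen password exposes. This is an added example, not code from the original post or from the Liberty Alliance; it models click-through as the post describes it and, going beyond the post's two-site case, assumes click-through chains across federated sites. The `airline` and `webmail` sites and the `reauth_required` control are hypothetical.

```python
from collections import deque

# Constructed sample data: the bank/brokerage pair is the post's own example;
# "airline" and "webmail" are hypothetical sites added for illustration.
SITES = ["bank", "brokerage", "airline", "webmail"]
FEDERATIONS = [("bank", "brokerage"), ("brokerage", "airline")]


def blast_radius(compromised, federations, reauth_required=frozenset()):
    """Sites an attacker can act on after stealing one site's password.

    federations     -- (site_a, site_b) pairs the user opted in to linking
    reauth_required -- sites that still ask for their own password on a
                       federated click-through (a closed bulkhead door)
    """
    links = {}
    for a, b in federations:
        links.setdefault(a, set()).add(b)
        links.setdefault(b, set()).add(a)

    reached = {compromised}
    queue = deque([compromised])
    while queue:
        site = queue.popleft()
        for peer in links.get(site, ()):
            # Click-through succeeds only if the peer accepts the federated
            # session without authenticating the user again.
            if peer not in reached and peer not in reauth_required:
                reached.add(peer)
                queue.append(peer)
    return reached


def exposure_table(sites, federations, reauth_required=frozenset()):
    """Map each site to the sorted list of sites exposed if its password leaks."""
    return {s: sorted(blast_radius(s, federations, reauth_required)) for s in sites}


if __name__ == "__main__":
    print("no federation:  ", exposure_table(SITES, []))
    print("federated:      ", exposure_table(SITES, FEDERATIONS))
    print("brokerage gated:", exposure_table(SITES, FEDERATIONS, {"brokerage"}))
```

In this model, a site that keeps asking for its own password also shields every site reachable only through it, which is the closed bulkhead door of the submarine analogy.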





All content on this web site is governed by a Creative Commons License.
©2001-2003 Doug Kaye and RDS Strategies LLC (