An analogy I can’t relate to

Paul Madsen makes an interesting analogy between basement drains and level of assurance in authentication. Living in Tampa I can’t relate to basements (living barely above an aquifer makes basements highly impractical). I do like the analogy, but I would like to point out a few areas where I disagree with Paul.

One statement that I have heard in this thread and others is that for Managed Cards there is an IdP but for Self-Issued Cards there isn’t. This is technically correct but functionally incorrect. Not only is there an IdP (the user), but in most cases the RP has a legal agreement that indemnifies it against liability in case “something goes wrong”. In many respects this is better for the RP than any legal agreement that might be negotiated with an IdP because it is completely under the control of the RP. The RP simply drafts the terms of use for the site and the users either accept them or don’t use the site.

Paul also compares password based authn to Self-Issued Card authn and finds that Self-Issued Card authn gives a higher level of assurance. This might be true when you look at them in isolation, but it isn’t true in terms of how the cards would be used over the entire lifecycle of the user. Since Self-Issued Cards are tied to a specific machine, sites would likely offer password authn as an alternative so that users can self-enroll cards on different machines. Thus Self-Issued Card authn is no better than password authn in practice.

One could make the point (and I often do) that Self-Issued Card authn has a lower level of assurance because it only authenticates the machine, not the user sitting at the keyboard. This is much more of a problem in cubicle environments and in homes with shared computers. The problem is further compounded by the lack of an authentication context in the SAML 1.1 assertions that are typically used as the token in CardSpace and other Information Card implementations. For instance, there is no way for the RP to know whether the CardSpace Identity Selector has been configured for PIN protection on that particular Self-Issued Card.
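To make that last point concrete, here is an added example (not code from the original post or from CardSpace) of what an RP can actually recover from each token format: a SAML 1.1 AuthenticationStatement carries only an AuthenticationMethod URI, while a SAML 2.0 assertion can carry an AuthnContextClassRef. The two tokens are constructed samples, and the set of contexts rated above a password is an assumed RP policy.

```python
import xml.etree.ElementTree as ET

SAML11_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# SAML 2.0 authentication context classes this RP is willing to rate above a
# password (a policy choice assumed for this example).
STRONG_CONTEXTS = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
}

# Constructed sample: a SAML 1.1 assertion shaped like a self-issued card token.
# Its AuthenticationStatement can only carry an AuthenticationMethod URI; the
# schema has no place to say whether the selector demanded a PIN for the card.
SAML11_TOKEN = f"""<saml:Assertion xmlns:saml="{SAML11_NS}" MajorVersion="1" MinorVersion="1">
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
    <saml:Subject><saml:NameIdentifier>constructed-ppid</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

# Constructed sample: a SAML 2.0 assertion, where AuthnContextClassRef lets the
# issuer state how the subject actually authenticated.
SAML2_TOKEN = f"""<saml:Assertion xmlns:saml="{SAML2_NS}" Version="2.0">
  <saml:AuthnStatement>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

def describe_authn(token_xml: str) -> dict:
    """Pull out whatever the assertion says about how the subject authenticated."""
    root = ET.fromstring(token_xml)
    ns = root.tag[1:].split("}")[0]  # tag looks like "{namespace}Assertion"
    if ns == SAML11_NS:
        stmt = root.find(f"{{{ns}}}AuthenticationStatement")
        method = stmt.get("AuthenticationMethod") if stmt is not None else None
        return {"version": "1.1", "method": method, "context": None}
    if ns == SAML2_NS:
        ref = root.find(f".//{{{ns}}}AuthnContextClassRef")
        ctx = ref.text.strip() if ref is not None and ref.text else None
        return {"version": "2.0", "method": None, "context": ctx}
    raise ValueError("not a SAML assertion")

def rp_assurance(token_xml: str) -> str:
    """RP policy: rate the login above a password only if the token names a stronger context."""
    ctx = describe_authn(token_xml)["context"]
    return "strong" if ctx in STRONG_CONTEXTS else "password-equivalent"
```

With the SAML 1.1 token the RP ends up at "password-equivalent" regardless of how the card was configured in the selector, which is exactly the gap described above.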

(Mirrored from TalkBMC)
