SSO authentication: a new approach

Ray Plante rplante at ncsa.uiuc.edu
Mon Mar 14 21:00:08 PST 2005


On Mon, 14 Mar 2005, John Good wrote:
> I can't see that I would be willing to let
> someone with one of your "weak certificates"
> do much more than someone with an HTTP cookie.
> I would not, for instance, let them have file
> upload access (unless I wanted to be in the
> business of supplying free storage to the
> world).

The motivation for this is the fact that many sites happily do this now, 
albeit in restricted ways.  

Take the example of what we want to do with the OpenSkyQuery Portal.  
We want users to be able to upload their own catalogs as a VOTable
(perhaps something they've constructed themselves using client tools, or
that was the result of a query from another site) in order to cross-correlate 
it with a skynode.  Now consider how we would do this without certs and 
such:  we set up a little registration page, a user database, and use 
cookies to track the session.  There is nothing preventing a user from 
entering a false identity, but who cares?  We will place restrictions on 
how big a file, maybe its contents, etc.  All we care about is if we allow 
this uploaded data to persist that only the person who registered can get 
access to it, whoever that schmo is.  This is common practice all over the 
web; we all have accounts like this (travelocity, blogs, etc.).  

What a cert-based model can give us is interoperability between portals 
offering storage space for whatever reason.  A weak cert is 
equivalent to the scenario above.  Some sites will be more general 
purpose in terms of what they allow users to store, and thus may want a strong 
cert that guarantees identity, but some can be more restrictive and not 
worry about true identities.  But we can have a common authentication 
model based on certs.  

The number one user complaint about certificates is that it is such a pain in 
the ars to get one.  And as many sites maintaining persistent state today 
demonstrate, they are not needed.  Weak certs allow users to do simple 
things simply.  

cheers,
Ray
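The registration-page, user-database and session-cookie model described in the post above, as an added example that is not part of the original thread and not code from the OpenSkyQuery Portal or any other VO project. The `Portal` class, the 64 KiB size limit, the usernames and the minimal VOTable are all constructed here for illustration. It shows the two properties the post actually relies on: identity is never verified at registration (anyone can be any "schmo"), yet an upload is only ever returned to the session that created it, and size and content limits are enforced before anything persists.

```python
import hashlib
import hmac
import os
import secrets
import xml.etree.ElementTree as ET

# Constructed limit standing in for the "how big a file" restriction.
MAX_UPLOAD_BYTES = 64 * 1024

# Constructed minimal VOTable used as sample input.
SAMPLE_VOTABLE = b"""<?xml version="1.0"?>
<VOTABLE version="1.1" xmlns="http://www.ivoa.net/xml/VOTable/v1.1">
  <RESOURCE><TABLE><FIELD name="ra" datatype="double"/></TABLE></RESOURCE>
</VOTABLE>"""


class Portal:
    """Hypothetical portal: self-registration, cookie sessions, owner-only uploads."""

    def __init__(self):
        self._users = {}     # username -> (salt, pbkdf2 digest); identity is never verified
        self._sessions = {}  # session cookie -> username
        self._uploads = {}   # upload id -> (owner username, VOTable bytes)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

    def register(self, username, password):
        # Anyone may register under any name: a "weak" identity, as in the post.
        if username in self._users:
            raise ValueError("username already taken")
        salt = os.urandom(16)
        self._users[username] = (salt, self._digest(password, salt))

    def login(self, username, password):
        """Return a fresh unguessable session cookie, or None on failure."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(self._digest(password, salt), stored):
            return None
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = username
        return cookie

    def _principal(self, cookie):
        user = self._sessions.get(cookie)
        if user is None:
            raise PermissionError("no valid session")
        return user

    def upload(self, cookie, data):
        """Store a VOTable for the logged-in user; enforce size and content rules."""
        owner = self._principal(cookie)
        if len(data) > MAX_UPLOAD_BYTES:
            raise ValueError("upload exceeds size limit")
        try:
            # stdlib parser for the demo; use defusedxml for untrusted XML in production
            root = ET.fromstring(data)
        except ET.ParseError as exc:
            raise ValueError("upload is not well-formed XML") from exc
        if root.tag.rsplit("}", 1)[-1] != "VOTABLE":
            raise ValueError("upload is not a VOTable")
        upload_id = secrets.token_hex(8)
        self._uploads[upload_id] = (owner, data)
        return upload_id

    def fetch(self, cookie, upload_id):
        """Return an upload only to the session that owns it."""
        user = self._principal(cookie)
        record = self._uploads.get(upload_id)
        # Same error whether the id is unknown or owned by someone else, so a
        # caller cannot learn which ids exist.
        if record is None or record[0] != user:
            raise PermissionError("no such upload for this user")
        return record[1]


def demo():
    """Exercise the model and return each outcome as a named boolean."""
    portal = Portal()
    portal.register("alice", "correct horse")
    portal.register("bob", "battery staple")
    alice = portal.login("alice", "correct horse")
    bob = portal.login("bob", "battery staple")
    upload_id = portal.upload(alice, SAMPLE_VOTABLE)
    results = {
        "bad_password_rejected": portal.login("alice", "wrong") is None,
        "owner_can_fetch": portal.fetch(alice, upload_id) == SAMPLE_VOTABLE,
    }
    try:
        portal.fetch(bob, upload_id)
        results["other_user_blocked"] = False
    except PermissionError:
        results["other_user_blocked"] = True
    try:
        portal.upload(alice, b"<VOTABLE>" + b"x" * MAX_UPLOAD_BYTES + b"</VOTABLE>")
        results["oversize_rejected"] = False
    except ValueError:
        results["oversize_rejected"] = True
    try:
        portal.upload(alice, b"<html><body>not a catalog</body></html>")
        results["non_votable_rejected"] = False
    except ValueError:
        results["non_votable_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Swapping the password login for a certificate login changes only `login()`: the session would be keyed on the subject name the TLS layer verified, and a site can record whether that name came from a weak (self-asserted) or strong (identity-checked) issuer and gate operations on that, while `upload()` and `fetch()` stay exactly as they are. That is the interoperability point of the post: the ownership and resource limits are the same whichever way the principal was established.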
