dotgnu-auth

Re: [Auth]some more thoughts


From: Barry Fitzgerald
Subject: Re: [Auth]some more thoughts
Date: Sun, 12 Aug 2001 13:31:11 -0400

(Catching up on some e-mail)

Jeremy Petzold wrote:
> 
> I think that that is the general direction the project is taking; however, I
> believe that it will turn into something that anyone could build and run, minus
> the Auth servers. I don't see how you could have an auth server that is run
> by the guy trying to get access, but the databank can be run on a homegrown
> server or a leased space from a web host. Then the person just needs to
> register with the Auth system so that he can start to use his information. As
> long as the auth system and the Data system are separate we can retain the
> freedom of the people who use it. Passport bundles both the auth and Databank
> servers together and that is where the lack of freedom is.
> 


I disagree with your last statement.  I think that there's some merit to
it, but the loss of freedom with passport is not the merging of the
databank and the auth server, it's the fact that they're singular and
controlled by a centralized entity.

The only major difference between the auth server and the databank is
that the auth server handles only authentication and the databank is
generic.  For our purposes, the databank might as well be an auth server
because all of the user's information should be handled with maximum
sensitivity.  However, the merging of the two databases is not really an
issue.  It's quite possible for Microsoft to own the auth services on
passport.com, then ask an allied company to hold a databank.  In this
case, the separation of the two services does NOTHING to assist the
user.  In fact, the auth server could even demand from anyone accessing
information on their servers that that person use their allied
databank.  It's unlikely that this would happen, but there's no reason
why it should protect the user.

The key here is choice of provider.  Separating the services is mostly
just a question of logistics and configuration.  Not everyone will want
auth specific services in their information provider.  Then again, much
of the necessary security functionality of the auth system could be used
with standard data anyway, so the auth component should be fairly small.

Also, how can you have a secure databank without having some segment of
the auth server installed?  People still need to authenticate to the
databank.

        -Barry
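The design point Barry makes (the databank must still carry a verification piece of the auth system, while the user's freedom comes from choosing which provider the databank trusts) can be illustrated with a small simulation. This is an added example, not code from this thread or from the DotGNU project; the provider and databank names, keys and the clock value are constructed for the demo, and an HMAC tag stands in for the asymmetric signature a real deployment would use so that the databank holds only a public verification key.

```python
import base64
import hashlib
import hmac
import json


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthProvider:
    """An auth server the user has chosen.  It vouches for identity only and
    never stores the user's data.  Name and key are constructed for the demo."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self.key = key

    def issue(self, user: str, audience: str, now: int, ttl: int = 300) -> str:
        """Return an assertion "<claims>.<tag>" bound to one databank (audience)."""
        claims = {"iss": self.name, "sub": user, "aud": audience, "exp": now + ttl}
        body = json.dumps(claims, sort_keys=True).encode()
        # HMAC is a stand-in: with a real signature scheme the databank would
        # hold only the provider's public key, not a key that can also sign.
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return _b64(body) + "." + _b64(tag)


class Databank:
    """Holds user data.  It carries the verification half of the auth system
    (the "segment of the auth server" from the thread), but the user decides
    which providers it trusts, so no single entity controls both roles."""

    def __init__(self, name: str):
        self.name = name
        self.trusted_keys = {}  # provider name -> verification key
        self.records = {}       # user -> stored data

    def trust(self, provider_name: str, key: bytes) -> None:
        self.trusted_keys[provider_name] = key

    def verify(self, assertion: str, now: int) -> dict:
        """Return the claims if the assertion comes from a trusted provider,
        is addressed to this databank and has not expired; raise otherwise."""
        try:
            body_b64, tag_b64 = assertion.split(".")
            body, tag = _unb64(body_b64), _unb64(tag_b64)
            claims = json.loads(body)
        except (ValueError, UnicodeDecodeError) as exc:
            raise PermissionError("malformed assertion") from exc
        key = self.trusted_keys.get(claims.get("iss"))
        if key is None:
            raise PermissionError("untrusted provider")
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise PermissionError("bad signature")
        if claims.get("aud") != self.name:
            raise PermissionError("assertion is for another service")
        if claims.get("exp", 0) <= now:
            raise PermissionError("assertion expired")
        return claims

    def read(self, assertion: str, now: int) -> dict:
        claims = self.verify(assertion, now)
        return self.records.get(claims["sub"], {})


def demo() -> dict:
    """Two providers, one databank; the user has chosen only one provider."""
    now = 1_000_000  # constructed clock value so the run is deterministic
    bank = Databank("databank.example")
    bank.records["alice"] = {"email": "alice@example.invalid"}

    chosen = AuthProvider("auth.example", b"key-chosen-by-user")
    other = AuthProvider("monolith.example", b"key-of-unrelated-provider")
    bank.trust(chosen.name, chosen.key)  # the user's choice of provider

    results = {"trusted": bank.read(chosen.issue("alice", bank.name, now), now)}
    for label, assertion in [
        ("untrusted", other.issue("alice", bank.name, now)),
        ("wrong_audience", chosen.issue("alice", "someone-else", now)),
        ("expired", chosen.issue("alice", bank.name, now - 600)),
    ]:
        try:
            bank.read(assertion, now)
            results[label] = "accepted"
        except PermissionError as err:
            results[label] = str(err)
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two halves of the argument at once: the databank cannot serve a request without verifying an assertion, so it necessarily embeds an auth component, yet an assertion from a provider the user did not choose is refused even though that provider is perfectly functional.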

