Wednesday, March 07, 2007

Kim's on a streak

Now Kim's in a snit ("Dave Kearns, who is usually not without wisdom...") about my post from yesterday calling into question his statement that “No one and no service should ever act in a peron’s [sic] identity or employ their credentials when they’re not present. Ever.”

He reasons:

Dave is missing the point - maybe I wasn’t clear enough.

I’m not saying you have to “stand around and watch” while your mail client picks up your mail. I’m saying your mail client should identify itself as a particular instance of a mail client, and present an authorization from you allowing it to pick up your mail.

Why? Because, he continues:

If you share identity (even, in some cases, secrets and credentials) the way Dave is proposing, we don’t know what process is accessing what resource because all the services I run are ME.

That’s really the computing model we have had until now. Where has it led? Well, for example, my email client is ME, and a trojan on my desktop is ME, and the resources they access can’t tell the difference, because they’re all ME.

So any trojan that gets into my environment can get my email addresses and send worms to my friends, or pick up my mail and feed it to spam machines. My mail server and other resources don’t know the difference.

The reality is, of course, that any trojan that can forge my delegated credentials can do the same. It matters not if the service (my "inbox" in this example) is acting AS me or ON BEHALF of me - the damage is the same. And, more importantly, I'm just as responsible. There is no difference.

Continuing the reality, my inbox - and Kim's inbox - continually masquerades as me (or, in his case, as Kim) in contacting the mail server(s). It doesn't present a token of delegation, it presents my credentials. If Kim is using a non-Microsoft inbox which works in some different way, he should reveal that.

The second example I gave, though, would stop working should a "delegation token" be substituted for the job server's ability to log in as me. In addition to the authorizations associated with my account that it needs in order to operate, it also needs the personalization information - those attribute-value pairs associated with my identity - in order to find the necessary files (both source and target) to complete the compile. Without that it simply doesn't work - or else requires that information be replicated in multiple places - something that should never be necessary in a well-thought-out identity scheme.

While auditable delegation should be encouraged it is still not the best answer for all situations. Absolutist generalizations should play no part in an informed discussion. (he generalizes absolutely :)
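The two models argued over above can be made concrete. The following is an added illustration, not code from the original post or from either author: a toy mail server that accepts either the user's raw password (the client is simply "ME", so the server cannot tell the mail client from a trojan) or a delegation token that names the client instance and the actions the user granted it. The HMAC key, the user "dave", the client id "mail-client-7", the scope names and the in-memory audit log are all constructed for the demo.

```python
"""Impersonation vs. auditable delegation for a mail-fetching client (added demo)."""
import hashlib
import hmac
import json
import time

# Constructed secret shared by the user's identity provider and the mail server.
_DELEGATION_KEY = b"demo-key-not-for-real-use"


def issue_delegation(user, client_id, scopes, ttl_s=3600, now=None):
    """User side: mint a token saying 'client_id may perform <scopes> for user'."""
    now = time.time() if now is None else now
    claims = {"sub": user, "client": client_id,
              "scope": sorted(scopes), "exp": int(now + ttl_s)}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(_DELEGATION_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + sig


class MailServer:
    def __init__(self, passwords):
        self._passwords = passwords   # user -> password (constructed)
        self.audit = []               # (user, actor, action, outcome)

    def _verify_token(self, token, now):
        """Return the claims if the signature is valid and the token is unexpired."""
        try:
            body_hex, sig = token.split(".", 1)
            body = bytes.fromhex(body_hex)
            claims = json.loads(body)
        except ValueError:
            return None
        expected = hmac.new(_DELEGATION_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None
        if claims.get("exp", 0) <= now:
            return None
        return claims

    def fetch_as_user(self, user, password, action="mail:read"):
        """Impersonation model: the server learns only 'user', never which process."""
        ok = hmac.compare_digest(self._passwords.get(user, ""), password)
        self.audit.append((user, user, action, "ok" if ok else "denied"))
        return ok

    def fetch_with_delegation(self, token, action="mail:read", now=None):
        """Delegation model: the audit record names the client and scope is enforced."""
        now = time.time() if now is None else now
        claims = self._verify_token(token, now)
        if claims is None:
            self.audit.append(("?", "?", action, "denied:bad-token"))
            return False
        if action not in claims["scope"]:
            self.audit.append((claims["sub"], claims["client"], action, "denied:scope"))
            return False
        self.audit.append((claims["sub"], claims["client"], action, "ok"))
        return True


def demo(now=1000):
    """Run both models against one server and return its audit log."""
    server = MailServer({"dave": "hunter2"})
    # Impersonation: the legitimate client and any other process on the desktop
    # present the same password, so both audit rows read actor == "dave".
    server.fetch_as_user("dave", "hunter2", "mail:read")
    server.fetch_as_user("dave", "hunter2", "mail:send")
    # Delegation: the token is bound to one client instance and to reading only.
    tok = issue_delegation("dave", "mail-client-7", ["mail:read"], ttl_s=60, now=now)
    server.fetch_with_delegation(tok, "mail:read", now=now + 10)   # ok
    server.fetch_with_delegation(tok, "mail:send", now=now + 10)   # denied:scope
    server.fetch_with_delegation(tok, "mail:read", now=now + 120)  # expired
    return server.audit


if __name__ == "__main__":
    for row in demo():
        print(row)
```

In the impersonation rows the server's log cannot distinguish the mail client from any other process holding the password, which is the situation Kim describes; in the delegation rows the log names the client instance, and a token minted for reading is refused for sending even before it expires. Whether that scoping is worth the extra plumbing for every service, as the post argues, is a separate question the code does not settle.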


© 2003-2006 The Virtual Quill, All Rights Reserved
