A memo on securing the web, entitled An Inquiry into the Nature and the Causes of Web Insecurity was published by Mike Hanson, Hannes Tschofenig and Sean Turner as an Internet-Draft in October 2011. This document is well worth reading, and I am looking forward to further work from the authors.
The memo points out that the web's current security measures were designed for static, text-based, single-site content, whereas today's web is real-time, multi-site and has moved from documents to mobile code. Some of the problems with passwords are pointed out, and three kinds of goals are presented:
- Reduce the number of passwords used
- Increase the safety and security of how passwords are used
- Broaden the use of other credentials
Proposed guiding principles:
- Move authentication down into the platform: methinks not letting every single web developer reinvent the security wheel is a good thing.
- Design for growth and for multiple authentication mechanisms and credentials: the world changes.
- Context matters: exposing only minimal information depends on getting the context sorted out first.
- Transform long-term passwords into short-term credentials: the sloppy practice of not verifying endpoints will come back to haunt us.
- Keep the user experience in mind: investigate failure scenarios and give the user feedback.
- Go from client-server to N-party: federated login and other multi-party solutions.
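To make the "long-term password to short-term credential" principle concrete, here is a small added example (my own illustration, not code from the draft or its authors, and the draft prescribes no particular mechanism). It assumes a client that holds the password and derives a PBKDF2 key from it, a server that stores only that derived verifier, and a credential that is an HMAC over the origin it is meant for plus an expiry time. The salt, TTL and origins are constructed demo values. The point it shows is that the password itself is never sent, and that a credential captured at one endpoint cannot be replayed at another or after it expires:

```python
import hashlib
import hmac
import time

# Constructed demo values; in practice the salt is per-user and stored by the server.
SALT = b"demo-salt-not-for-production"
TOKEN_TTL = 300  # seconds a short-term credential stays valid


def derive_verifier(password, salt=SALT):
    """Derive a key from the long-term password with PBKDF2-HMAC-SHA256.
    The client keeps the password; the server stores only this verifier."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def mint_credential(password, origin, now=None):
    """Client side: turn the long-term password into a short-term credential
    bound to one origin and one expiry time. The password never leaves the client."""
    now = time.time() if now is None else now
    expires = int(now) + TOKEN_TTL
    key = derive_verifier(password)
    msg = f"{origin}|{expires}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"origin": origin, "expires": expires, "mac": mac}


def verify_credential(cred, verifier, my_origin, now=None):
    """Server side: accept only if the credential names this origin, is unexpired,
    and carries a MAC under the stored verifier (constant-time comparison)."""
    now = time.time() if now is None else now
    if cred["origin"] != my_origin:
        return False  # minted for a different endpoint: replay elsewhere fails
    if now >= cred["expires"]:
        return False  # short-term means short-term
    msg = f"{cred['origin']}|{cred['expires']}".encode()
    expected = hmac.new(verifier, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cred["mac"])


if __name__ == "__main__":
    pw = "correct horse battery staple"
    verifier = derive_verifier(pw)  # what the server stores at enrollment
    t0 = 1_700_000_000              # fixed clock so the run is reproducible
    cred = mint_credential(pw, "https://bank.example", now=t0)
    print(verify_credential(cred, verifier, "https://bank.example", now=t0 + 10))   # True
    print(verify_credential(cred, verifier, "https://evil.example", now=t0 + 10))   # False, wrong endpoint
    print(verify_credential(cred, verifier, "https://bank.example", now=t0 + 600))  # False, expired
```

Binding the credential to the origin is what makes "verifying endpoints" matter: if the client does not check which origin it is talking to before minting, it will happily mint a credential for the attacker's origin instead, which is exactly the sloppiness the draft warns about.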
Please read the Internet draft and give feedback to the authors!