OAuth is coming

and we like it!

OAuth is an open protocol to allow secure API authorization in a simple and standard method from desktop and web applications, as stated on the OAuth web site.

Why do we like OAuth?

  1. It is simple.  Most of the bad security implementations are done by people with good intentions and low skill.  Understanding the issues involved greatly improves the chances of making the right choices.
  2. It solves a really hard problem: giving access to your stuff without sharing your identity.
  3. It plays well with others.  OAuth has built-in support for desktop applications, mobile devices, set-top boxes, and of course websites.

OAuth helps you delegate rights to a process acting as you, without losing privacy or compromising security.  And the specification is short and possible to understand.  Replacing shared secrets is a really good idea.  Replacing hardcoded application-based passwords is an even better idea.  Replacing the spoofing of a user by logging in as root/admin and then emulating the actual user is a great idea.  And all of this can be done with OAuth.

One use case is getting access to your data on your behalf, but on a different site, while not giving away your identity from the first site. Another is the TCS eScience Personal Portal (aka Confusa), which will use OAuth to authenticate a command line client tool to a web-based service that issues short-lived certificates. They will then extend it further, using OAuth for web-based delegation of proxy certificates, in collaboration with a Norwegian university.  Some other use cases that people in my neighbourhood have been playing with so far

LoA from Australia

The Australian higher education federation has developed a proposal for Implementing Levels of Assurance in a Trust Federation using PKI and Shibboleth.

The proposal was commented on by Alex Reid as follows:

in Australia we are going with the concept of a “floor of trust” which is rather higher than NIST’s Level 1 assurance level, as it implies/requires that an independent (responsible) authority (namely the University or an agent of the university) has verified the identity to some degree – more, anyway, than the self-validating Level 1 assurance that OpenID, Facebook, etc. provide.

The need for Level 1.5 seems to crop up in various contexts, as self-asserted identity is not considered good enough for some use cases.  Those use cases do not want to support the full Level 2, with a separate gadget (or one-time passwords), since the cost is deemed too high. We might have to wait for incidents to assess whether the cost of Level 2 is really higher than having multiple incidents in our community.  Cost-effectiveness of security measures is tricky, as the real cost is known only after something has gone wrong.

Levels of Assurance is either a quagmire into which the most brilliant minds of our community will fall, or an interesting space to watch.  It could be both at the same time, and we could market this whole discussion as a reality show where we charge TV enough money to cover the costs of implementing it.