A memo on securing the web, entitled An Inquiry into the Nature and the Causes of Web Insecurity, was published by Mike Hanson, Hannes Tschofenig and Sean Turner as an Internet-Draft in October 2011. This document is well worth reading, and I am looking forward to further work from the authors.

The memo points out that the current security measures on the web were designed for static, text-based, single-site content, whereas today's web is real-time, multi-site and has moved from documents to mobile code. Some of the issues with passwords are pointed out, and three types of goals are presented:

  1. Reduce the number of passwords used
  2. Increase the safety and security of how passwords are used
  3. Broaden the use of other credentials

Proposed guiding principles:

  • moving authentication down into the platform: methinks not letting every single web developer reinvent the security wheel is a good thing
  • design for growth and multiple authentication mechanisms and credentials: the world changes
  • context matters: exposing minimal information depends on getting context sorted out
  • transform long-term passwords into short-term credentials: the sloppy practice of not verifying endpoints will come back to haunt us
  • keep the user experience in mind: investigate failure scenarios and provide user feedback
  • go from client-server to N-party: federated login and other multi-party solutions

Please read the Internet draft and give feedback to the authors!