Older blog entries for cpw (starting at number 23)

Joined the EFF. (First time it's come up and I've had the money.)

Just read David Gelernter's Second Coming manifesto. Nice.

The topic of lifestreams comes up again - and the folly of file names. I guess it's time to try and implement a metadata-based filing system and build a groupware server around it. Groupware is Internet-wide communications writ small, and a good place to start.

11 Jul 2001 (updated 12 Jul 2001 at 00:10 UTC) »

OK, so here's my basic proposal for a net-wide authentication service.

Trusted third party authentication (Kerberos-like). User need not trust service and vice versa - instead, they negotiate use of an aauthentication server they both trust. Ideally, we don't want to entirely trust any one authentication server, or perhaps even any one authentication service provider, but this is deep magic to me.

Users and services generate their own public keys, a la PGP. Paying a CA just to have a key is not on - paying for one to trust your key may be. Especially a CA that actually looks at you, takes photos, affidavits and skin samples, and will then commit to an authentication reliability guarantee which high-security applications will require

We'll need to be able to implement a client on a smart card.

We'll need to implement a client in IE and Mozilla somehow.

We'll need to do it all fast, before Microsoft and AOL take over

Pluggable encryption schemes would be nice. Ideally the encryption scheme would be implemented in a portable bytecode of some kind. Crypto codec could possibly be negotiable between client, server and authenticator. The service protocols will probably be more vulnerable than the encryption algorithms, so this may not really be cost-effective, but it's worth thinking about.

Yes, beating HailStorm (or providing a reasonably widely-accepted alternative to it) is more important then being able to run .NET software. It's going to be hard to get right, but much, much harder to get accepted - and religious dogma will not help us sell the damn thing to service providers and users. Openness will help, but Jabber is not killing of AOL IM or MSNM. Price will help somewhat.

Can it be done? I think so. Note Apache versus IIS. Note DNS versus WINS, or TCP/IP versus NetBEUI.

Note also IE versus Mozilla. The desktop is our greatest weakness. We will need to work with IE to succeed. (We will also need to work with Mozilla to attract enough mindshare to get close.)

11 Jul 2001 (updated 11 Jul 2001 at 07:33 UTC) »

The FSF have put forward dotgnu.org as a contender to fit the Passport-shaped gap in Ximian's Mono initiative. I'm initially unconvinced. Their project is too unfocused - it portrays itself as a total .NET replacement - and too religious to gather enough mindshare to succeed.

>What do you guys think of Microsoft's .Net and Hailstorm efforts?

>Dangerous stuff. It is often said that the price of freedom is eternal vigilance. Unless we counter them, Microsoft's efforts are not only a threat to Free Software, they are also extremely dangerous tools in the hands of any Evil Government that wants to make their citizens unfree.

These are not the words of a project with its eye on the ball - producing a working, reliable, secure authentication service for a hostile Net and a license-apathetic gaggle of web hackers.

How much hacking would it take to run an authentication server for multiple separate Web sites, such that the users and sites can authenticate each other while trusting only the authentication server?

This sounds like Kerberized Web to me, but I'm not positive about that.

1 Jun 2001 (updated 11 Jul 2001 at 07:12 UTC) »

Passport is Microsoft's bid to operate the master password database for every Web site and service. They've got a shot at grabbing a large number of subscribing sites because the current Web authentication solution involves thousands of different password databases to administer and support, and thousands of passwords for a user to remember.

I don't think they can do it right.

  • Those Terms of Service are an abomination
  • Insufficient paranoia is endemic within MS product groups
  • The protocols are closed, resulting in vendor lock-in
  • The protocols are closed, resulting in insufficient peer review of what is potentially the most used crypto since DES.

AOL are their only credible current threat. They have a slightly better security record, but the other problems are much the same.

I don't want to trust either of them. We cannot allow Microsoft or AOL to dominate Web-wide authentication.

Why can't I run a program that grabs a list of security flaws and checks my vulnerability to them automatically?

19 Mar 2001 (updated 26 Mar 2001 at 21:56 UTC) »

Eazel, Ximian and Red Hat to mutually annihilate over system updating tools: film at 11.

No, seriously - isn't a certain amount of backstabbing, intrigue, and collapse inevitable here?

Red Hat Network sucks. Ximian's Red Carpet should suck, being cross-distribution and all, but works pretty well. Haven't tried Eazel's.

I wonder where Gnome dev bucks are coming from these days...

It's been a while. I've been arranging a big move.

Sometimes I wonder if XML is solving the right problems.

14 older entries...

New Advogato Features

New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!