[OpenID] [Muscle] updated experience, 2 years later.

Peter Williams pwilliams at rapattoni.com
Sun Mar 9 00:10:50 UTC 2008


Read the thread from the bottom, if interested in one user's experience linking open source smartcards to OpenID, and then linking up to Plaxo.

 



From: Peter Williams
Sent: Sat 3/8/2008 3:56 PM
To: MuscleCard Mailing List; Peter Williams
Subject: Re: [Muscle] updated experience, 2 years later.


Now the bad news (nothing to do with muscle, idalliance, or trustbearer technology!)

Plaxo wants me to do account linking to a new Plaxo account, where it assumes my email address is valid (from the OpenID protocol, based off the PC/SC protocol), given my email is correctly auto-populated on Plaxo's signup screen. Nice.

Not trusting OpenID (from trustbearer.com) enough, it decides to ping my email account like a million other site subscription wizards.

OK, I play along and authenticate back using untrustworthy email (despite having upgraded to smartcards and then OpenID), confirming my email id by (really untrustworthy!) email bearer. Presumably it's a case of "Smartcards/Splartcards. OpenID/StolenId" for Plaxo and their trust model. Well, they are entitled to that view in the OpenID UCI model. So, Plaxo falls back to using email verification over the DARPA internet, anyway.

Then comes the rub.

The nature of Plaxo is...social networking, asking me to import friends from companion service providers (like MSN). It asks me to type in my MSN username AND PASSWORD (and trust the Plaxo privacy policy). Aha, that's unlikely (being a more than usually savvy consumer). They didn't trust my card/OpenID, why would I trust their privacy policy? After all, that MSN account is also linked up with my new OpenID (in a new gateway peering service linking WS-Federation names to OpenIDs).

Oh well, we clearly have some re-education to engage in, so the assurance of cards and the muscle applet (and trustworthy manufacturing, provisioning and management processes, presumably asserted via X.509 OOB certs) becomes apparent.

You surely cannot be happily participating in websso on the inbound channel, leveraging behind-the-scenes smartcard public key auth from the musclecard, and then STILL on an outbound channel be asking for and storing folks' passwords when importing a friends list! Plaxo should be asking for my OpenID on the companion services, or asking me to present my trustbearer OpenID to Microsoft. If Microsoft doesn't accept OpenIDs, then fine! I can always cite a gateway binding my OpenID to my live.com CardSpace card!

Peter.


I'll be forwarding this email to OpenID mailing lists, for comment there, too! The world has clearly moved on from two years ago.



From: Peter Williams 
Sent: Saturday, March 08, 2008 3:29 PM
To: MuscleCard Mailing List 
Subject: [Muscle] updated experience, 2 years later.


Well I have to say I'm impressed both this afternoon and even more so later this afternoon - since this morning depressed me.

This morning:-
2 years ago, I know I dominated the muscle applet, muscleshell, various tools for GP loading, and GP command sets for its fancy security features such as DAP and receipts. I know I also dominated T=0 over CCID firmware for 8051 uPs, and various bits of microcodable verilog to support fancy crypto modes in the ATMEL ICC's 16-bit crypto co-processor we once used. Having left this project, 2 years later I return to its src tree, and it's just a load of mumbo-jumbo of various tools, old compilers by firms that no longer exist, and scripts in 9 toolchains: a bit of openssl here, a win32 port of muscletool there, an atmel load script for promming micros, a loadfile for starting up a COS, scripts to personalize the muscle applet, along with various simulations.

I could not make head or tail of it (despite being the programmer of it all)!

Not happy (with myself).
This afternoon:-
So using Vista SP1 and an old SCM card reader which received auto-updated firmware/drivers, I went to the identityalliance.com site, and installed its download package. Then I stuck in my really old JCOP21 javacard demo card from IBM Zurich and used the idalliance tool's profile menu to configure it (as a musclecard). 60s later, it's done. I even easily set a new admin and user PIN. Even set a password in the password store.

So, on a roll, I went using the same Vista host to openid.trustbearer.com and registered this card, enrolling it with my trustbearer OpenID. 60s later, I have an SSO-capable token.

I'm http://openid.trustbearer.com/home_pw. What else?!!

Perfect. No fuss (and no compiling required of 2 year old code that I cannot fathom any longer).

Later this afternoon (now that I'm feeling lucky and cared for):-
 I use task manager to kill my locked up IE7 (sob). Oh well, it happens 4 times a day with or without smartcard installs!

So I go to http://www.plaxo.com/openid to use my new-found capabilities. First I remove my old JCOP21 with its old musclecard applet from the old SCM reader.

Plaxo redirects the browser to trustbearer, which prompts me to insert a card (after an ActiveX download). Perfectly reasonable. So I do as asked and it then prompts me for a PIN, which I enter. All perfectly normal and expected.

trustbearer redirects me to Plaxo, which now asks me to bind my asserted OpenID to the Plaxo account, given I have a verified id assured as multi-factor hardware!

Perfect. It was all seamless, first time through.
Peter.

_______________________________________________
Muscle mailing list
Muscle at lists.musclecard.com
http://lists.drizzle.com/mailman/listinfo/muscle