Remember the concept of server authentication, discussed in the sections "The Babel of Cryptography" and "The Babel of Web User Interfaces" in Chapter 1? The lousy job we do today of making users able to understand to whom they are disclosing information is one of the root causes of phishing, which is by itself one of the main causes in the decline of the use of the Internet for high-value transactions. A violation of the first law of this magnitude promptly leads to diminished acceptance.

There are other somewhat subtler violations to consider. We are used to the idea that what we transfer in an authentication transaction is just the credentials, so that we can unlock our identity on the service provider. In fact, there are many occasions in which our identity can flow from one service to the other. In Chapter 1, in the section "HTTPS, Authentication, and Digital Identity," we have a real-world example in which the frequent-flyer privileges of a customer are shared between two commercial partners. In the sections "Hard Tokens" and "Issued Token-Based Authentication Schemes" you saw technologies that give identities a vessel for traveling across different entities, such as the Security Assertion Markup Language (SAML) token representing the assertion, "Alice is a principal in my realm, and she just successfully logged in using username/password as credentials," mentioned in the section "SAML."