Convener: Gerben Venekamp
Abstract: The system of offline Single Sign-On interfaces where a user just has to login once in order to gain access to the whole network of interfaces. Interfaces with a very high trust level as they are all based locally which use passwords as user authorization.
Tags: Non-Web SSO, SAML ECP, Moonshot
Cheap to deploy, but not so cheap to the user himself. There are very smart scientists but no smart computer-scientists.
Why do you see an ECP as the good trader?
Matthew: what I wouldn't like is the required usage of a password. I give them the certificate and they can enter, using a smart card.
Alternatively you can issue short-lived certificates (RFC3980); in the case of windows it takes a mini driver to make your certificate look like a smart card token so it can be used for authentication. In the background you keep refreshing the certificate once in a while (1 week, 1 month, etc.) and pop up a web browser to a SAML re-authentication that proves you are still affiliated and authorized.
Classical OTP. You write a smart card, keep refreshing. You wrap that with a mini driver. From a tech perspective it will work, but from the administrative side: how will I make them available to people who have no or a minimal IT support.
The first time they log in you put up the regular authentication.
If you need other services like storage it’s reasonable to go for a Moonshot installation.
Project Moonshot-> www.project-moonshot.org
What is the current state of the Moonshot? The reason you don't see a lot of deployment is because only if you do windows to windows, there is a decent chance that Moonshot will work out for you.
The other option would be SPNEGO / Kerberos which would be an unworkable solution for most people due to configuration complexity.
keybase.in? Doesn’t do SSH, SAML, OIDC, X.509
New HTTP mechanism would be better than password.
In the case of IoT authN/authZ you can look for IRTP ACE working group
In general the non-web HTTP authentication has not found its way to standardisation 5 years ago and now days all you have left is resort to ugly hacks. Today what you will do is maintaining ugly hacks.
Some tools are only available from the command line. When on Linux, solution is relatively easy. Some are only accessible on Windows. This becomes hard.
SAML ECP supported by Shibboleth.
How many use cases are not SSH? There’s is one: RDP
SSH key management could be a solution (80%).
SPNEGO, FIDO, SAML ECP -> most likely only password based -> means maintaining large password stores in your infrastructure.
Challenge: getting users to accept new software on their machine.
IoT changes the need for non-web, i.e. non-HTTP, authentication.
“Our” needs for standard are relatively small compared to the “rest”. Makes our influence small.