Don,

Thanx for the information. I agree with Alan's view that banks like to see themselves as identity issuers.

BTW, there are _two_ SSO scenarios that could (or should) be addressed:

- Logging on to ACSes (or banks, as in the case of Europe)
- Logging on to shops

1. Logging on to banks:
---------------------------

As banks in Europe have already invested quite a bit in authentication devices and systems, I think that they are _extremely_ reluctant to upgrade their systems. Only a full-blown PKI-solution owned by banks (be it Identrus, VISA, MasterCard etc.), or individually deployed by a bank (several banks have used PKI for years for client auth.+sign.), could make this change. Unfortunately there are still no cheap, de-facto-standard PKI-cards and associated software with built-in support in major OSes, which has stalled the mainstream market so far, in spite of this being a hot topic since 1995...

2. Logging on to shops using Passport or similar ID-provider:
---------------------------------------------------------------------

Even if you eliminate Microsoft as an ID-provider, favoring a federated approach using a network of trustworthy providers, there are technical, commercial, and "political" [1] problems that make me doubt this will happen in a big way.

Assuming there are _thousands_ of identity providers, how is a customer going to specify its own ID-provider? IMHO the only reasonable way is to use DNS [2] plus a few "short-cut-buttons" to locally popular ID-providers.

Another major technical problem is that the financial industry has largely underestimated the value of an organizational-level PKI, which means that essentially there are only VeriSign et al. Web-server certificates _generally_available_. Although to some extent usable as organization-certificates, Web-server certificates lack the characteristics needed for creating _stable_ digital links between organizations, as a domain-name is usually owned by one legal entity (like IBM.COM), but enterprises may have many legal entities.

An example of this deficiency would be a host named "SECURE1.IBM.COM" that surely does not say too much about the legal entity, and due to the fact that the rest of the subject-information is not fully standardized even for Web-server certificates, you really need DUNS-based IDs to create something resembling a server-based "digital company paper". It is true that VeriSign (only?) offers DUNS-support, but only as a _proprietary_ _option_, which makes DUNS useless for merchants as a _universal_ certificate-based organization "GUID".

Why is this important? Because merchants use relational databases that need unique, stable and trustworthy keys to function. As the certificate of a typical ID-provider service's login "ticket" only represents "the issuer dimension" of a customer identity, you need strictly profiled ways of expressing vouched-for IDs as well, at least in order to achieve not only secure, but _reliable_, 100% automated, plug-and-play, PKI-based interoperability. The latter is in my opinion a pre-requisite for general PKI-acceptance.

A sticky commercial problem is who is going to pay for TTP IDs. Microsoft's model is in my opinion not working, as merchants already _have_ a login-solution that is "free". The only working _long-term_solution_ seems to be that the _ID-owner_ (and in some cases the ID-owner's employer or bank) pays for having a universal ID-resource. _Short-term_ I think issuers will have to be very "friendly" in order to persuade the _external_ market to enhance their systems to use new ID-solutions.

=================================================
Conclusion: Until cheap, open, trustworthy, interoperable, generally available solutions exist, status quo is likely to rule w.r.t. _globally_ usable identification/login systems!
=================================================

Cheers,
Anders

[executive level] PKI-based SSO: http://www.x-obi.com/purple

2] [technical] Using DNS in e-commerce: http://www.x-obi.com/OBI400/UDDI-and-DNS-OBIX-2002.pdf

1] A "political" problem is that Passport et al. _compete_ with the banks' ambitions to become issuers of client-side PKI TTP-solutions. I.e. for firm "PKI-believers", Passport, SAML, Liberty, 3D(!) etc. are inferior solutions as they usually do not offer end-to-end security. Personally, I think banks should (and have already done so in some markets) prepare themselves (and their _customers_) for the coming PKI-market by offering SSO-services _now_. And of course getting that crucial organization-PKI running! To make companies scrap their own "free" ID-solutions and start to use and trust _external_ identification systems is not something that will happen over the next weekend or two. I believe that "just" an organization-PKI for banks and other financial providers would eliminate a ___lot___ of hassles (including getting 3D Secure running, which certainly does not need any specific "VISA" certificates to function).

----- Original Message -----
From: "Don Park" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: "Internet-Payments" <[EMAIL PROTECTED]>
Sent: Tuesday, July 09, 2002 20:11
Subject: [3d-secure] NEWS: 3D-Secure and Passport

Just in case anyone missed it, Microsoft and Arcot finally announced integration of Passport with 3D-Secure.

http://news.com.com/2102-1001-942295.html

One of the benefits of using a third-party authentication service like Passport, AOL, and Liberty Alliance is that you don't end up with 10 passwords if you have 10 credit cards. People remember their ATM PIN because they usually have only one. One of the reasons credit card PINs didn't take off is because a person typically has more than one credit card. Single Sign-On (SSO) is helpful too but not necessary.

Best,

Don Park
Docuverse
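Added example, not part of the thread above and not code from any of the parties it mentions: one concrete way to do what Anders proposes for scenario 2, letting the customer's own identifier point at the customer's ID-provider through DNS. The convention assumed here (my assumption, not something the thread or the linked paper specifies) is that a domain publishes its provider as an RFC 2782 SRV record under the hypothetical name _idp._tcp.<domain>; the records below are constructed in a dictionary so the code runs offline, and a real deployment would swap lookup_srv() for an actual resolver query. The point a relying party should take from it: priority/weight handling is what makes thousands of independently run providers tolerable (each domain can fail over or load-balance its own provider without the merchant knowing), and a domain that publishes nothing, or the RFC 2782 "." target, must be treated as "no provider" rather than falling back to guessing a host name.

```python
import random

# Constructed sample records (NOT real DNS data). Key: SRV owner name under the
# assumed _idp._tcp.<domain> convention. Value: (priority, weight, port, target).
CONSTRUCTED_SRV = {
    "_idp._tcp.example-bank.test": [
        (10, 60, 443, "idp1.example-bank.test"),     # primary, takes ~60% of traffic
        (10, 40, 443, "idp2.example-bank.test"),     # primary, takes ~40% of traffic
        (20, 0, 443, "backup-idp.example-bank.test"),  # used only if priority 10 fails
    ],
    # RFC 2782: a single record with target "." means "service deliberately absent".
    "_idp._tcp.shop.test": [(0, 0, 443, ".")],
}


def idp_domain(user_id: str) -> str:
    """Return the domain part of an identifier of the form local@domain.

    Rejects anything that is not exactly one local part and one domain, so a
    malformed identifier cannot steer the lookup to an unexpected DNS name."""
    local, sep, domain = user_id.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise ValueError(f"not a user@domain identifier: {user_id!r}")
    return domain.lower().rstrip(".")


def lookup_srv(name: str, records=CONSTRUCTED_SRV):
    """Stand-in for a DNS SRV query; returns a copy of the constructed records."""
    return list(records.get(name, []))


def order_srv(records, rng=None):
    """Order SRV records the way RFC 2782 prescribes.

    Lowest priority first. Within one priority, repeatedly pick a record by
    weighted random choice (zero-weight records are placed first so they keep a
    small, non-zero chance of selection), remove it, and repeat."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == prio]
        while group:
            group.sort(key=lambda r: r[1] != 0)  # zero-weight entries to the front
            total = sum(r[1] for r in group)
            pick = rng.randint(0, total)
            running = 0
            for r in group:
                running += r[1]
                if running >= pick:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def discover_idp(user_id: str, records=CONSTRUCTED_SRV, rng=None):
    """Return the ordered (host, port) candidates for the user's ID-provider.

    An empty list means the domain publishes no provider: either there is no
    record at all, or the domain opted out with the RFC 2782 "." target."""
    name = "_idp._tcp." + idp_domain(user_id)
    rrs = lookup_srv(name, records)
    if not rrs or (len(rrs) == 1 and rrs[0][3] == "."):
        return []
    return [(target, port) for _, _, port, target in order_srv(rrs, rng)]


if __name__ == "__main__":
    for uid in ("alice@example-bank.test", "bob@shop.test", "carol@unknown.test"):
        print(uid, "->", discover_idp(uid))
```

The weights only influence the order within the priority-10 group, so a caller that tries candidates in the returned order will always reach backup-idp last and will never contact it while a primary answers. Passing a deterministic rng makes the weighted step reproducible for testing.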
