On Apr 30, 2007, at 12:31 PM, Michael L Torrie wrote:
> On Mon, 2007-04-30 at 11:15 -0600, Devlin Daley wrote:
>> Username and password schemes do not give you that. Route Y
>> credentials don't prove you are who you say you are, they just say
>> that you are in possession of a password for a given Route Y username.
>
> Now we're moving beyond the scope of the problem at hand and into the
> realm of philosophy almost.
>
> Basically there are three things that, when combined, prove an
> identity:
> 1. Something you are
> 2. Something you know
> 3. Something you have
>
> Any company that has high-security access controls will have a system
> that requires the three things listed. For example, a memorized pass
> code, a smart card/RFID chip, and perhaps a thumbprint.
>
> In the normal world, though, a username/password combination has pretty
> much become the standard for proving identity, mainly because it is
> simple and effective. Giving one's username and password to another is
> tacit approval for another to do anything they want in his or her name.
> There is no legal mechanism for this, as in power of attorney, but most
> courts would likely find the owner somewhat culpable.
>
> Thus, to the point that I care, a username and password are enough to
> prove someone is who they say they are.
>

I'm not exactly sure what your comment is adding to the discussion. We
seem to be in agreement here -- passwords don't prove your identity but
for most things they are "good enough". Sometimes less than a password is
"good enough"; which is why I asked:

>>
>> The question of why was broader. Do you need to know they are BYU
>> students? or do you only need to know that they are the same person
>> you spoke to yesterday? Different lightweight identity systems can
>> be used for some of these other scenarios, I was just wondering if
>> you were dealing with one of them.

Oh yeah. There is a fourth thing: Someone you know. And, these four
things even in combination don't actually get you an identity. A
surrogate identifier yes, an identity no.

>>
>> I alluded to a project I was thinking of implementing to help the
>> situation. It's just OpenID for Route Y logins.
>> Instead of everyone
>> hosting their own CAS authenticating server, their application would
>> just consume the tokens and cookies your CAS server provides.

The originating problem is that BYU doesn't have an appropriate
mechanism for campus-wide authentication. I tossed in a potential
solution I had been pondering (OpenID). Have you thought about the
feasibility of using CAS to the same effect? Is BYU implementing this
already?

--
Devlin

--------------------
BYU Unix Users Group
http://uug.byu.edu/

The opinions expressed in this message are the responsibility of their
author. They are not endorsed by BYU, the BYU CS Department or BYU-UUG.
___________________________________________________________________
List Info: http://uug.byu.edu/cgi-bin/mailman/listinfo/uug-list
