[18054] in cryptography@c2.net mail archive
Cross logins
daemon@ATHENA.MIT.EDU (James A. Donald)
Wed Aug 3 20:43:07 2005
X-Original-To: cryptography@metzdowd.com
From: "James A. Donald" <jamesd@echeque.com>
To: cryptography@metzdowd.com
Date: Wed, 03 Aug 2005 15:15:00 -0700
In-reply-to: <42284911.8090904@systemics.com>
--
Is it possible for two web sites to arrange for cross
logins?
The goal is that if someone is logged into website
https://A.com as user127, and then browses to
https://B.com/A_com_registrants, he will be
automatically logged in on B.com as user127@A.com.
Inventing a protocol off the spur of the moment, and the
seat of my pants, which is a good way to get shot down
in flames, the B.com web page would access a resource
whose url is on the A.com web site, the url containing a
representation of the browser's current B.com cookie.
User127's browser would access that resource, sending
the A.com cookie, the A.com web site would then signal
B.com that the browser with that B.com cookie is
currently logged into A.com as user127.
One obvious flaw in this scheme is that *automatic*
login leaks information - users can be logged in without
them knowing it.
So another solution is that the B.com login link is
actually a link to the A.com web site, with a transient
public key encoded in the url. A.com looks at the
referring url, and tells user "<referral URL> wants to
identify you as an A.com subscriber. Do you want to
log in to <referral url> as user127@a.com?" If user says
yes, then A.com sends his browser a redirect to B.com
with an encrypted message in the URL to B.com saying
"This guy is user127@A.com". To avoid replay attacks,
public key should change every time - public key should
change with the browser cookie used by B.com.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
kwlCI6Mq0EaMdsYIBsG4HSSU/4ClkoGzJaqI/la0
4fWyITvZRCkgtoqZc3tjKLElzZH7CStTwrq8OxcvR
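An added example, not from the post or this thread, modelling the second scheme above: B.com's login link carries a transient value tied to the browser's B.com cookie, A.com asks the user for consent and redirects back with an assertion bound to that value, and B.com accepts each value once. It assumes a secret shared out of band between A.com and B.com and authenticates the assertion with an HMAC in place of the post's per-visit public-key encryption; `SiteB`, `a_xlogin`, the cookie names and the secret are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import parse_qs, urlencode, urlparse

SHARED_SECRET = b"constructed-demo-secret"  # assumption: agreed out of band by A and B
B_ORIGIN = "https://B.com"

def _mac(body):  # stand-in for the post's public-key encryption of the assertion
    return hmac.new(SHARED_SECRET, body, hashlib.sha256).hexdigest()

class SiteB:
    def __init__(self):
        self.pending = {}  # B.com cookie -> transient value awaiting A.com's answer
    def login_link(self, b_cookie):
        tk = secrets.token_urlsafe(16)  # fresh per click, tied to this browser's B.com cookie
        self.pending[b_cookie] = tk
        return "https://A.com/xlogin?" + urlencode({"ref": B_ORIGIN + "/A_com_registrants", "tk": tk})
    def redeem(self, b_cookie, redirect_url):
        tok = parse_qs(urlparse(redirect_url or "").query).get("tok", [""])[0]
        tk = self.pending.pop(b_cookie, None)  # one-shot: consumed on the first redemption
        body_b64, _, tag = tok.partition(".")
        if tk is None or not tag:
            return None
        body = base64.urlsafe_b64decode(body_b64)
        if not hmac.compare_digest(tag, _mac(body)):
            return None
        claim = json.loads(body)
        # The assertion must name this site and this session's own transient value.
        if claim.get("aud") != B_ORIGIN or claim.get("tk") != tk:
            return None
        return claim["sub"]  # B.com now treats this cookie as user127@A.com

def a_xlogin(logged_in, a_cookie, link_url, user_says_yes):
    # A.com: "<ref> wants to identify you as an A.com subscriber" -> consent -> redirect
    q = parse_qs(urlparse(link_url).query)
    ref, tk = q["ref"][0], q["tk"][0]
    user = logged_in.get(a_cookie)
    if user is None or not user_says_yes:
        return None
    body = json.dumps({"sub": user + "@A.com", "aud": "https://" + urlparse(ref).netloc, "tk": tk}).encode()
    tok = base64.urlsafe_b64encode(body).decode() + "." + _mac(body)
    return ref + "?" + urlencode({"tok": tok})

def demo():
    b, a_logged_in = SiteB(), {"a-cookie-1": "user127"}  # constructed sessions
    redirect = a_xlogin(a_logged_in, "a-cookie-1", b.login_link("b-cookie-1"), True)
    first = b.redeem("b-cookie-1", redirect)   # the genuine flow
    replay = b.redeem("b-cookie-1", redirect)  # same URL again: transient value already consumed
    b.login_link("b-cookie-2")                 # another browser session with its own value
    stolen = b.redeem("b-cookie-2", redirect)  # captured URL pasted into that other session
    return first, replay, stolen
```

`demo()` returns `('user127@A.com', None, None)`: only the session that requested the transient value, and only once, gets logged in.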
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com