Making it Work
Well, now that we’ve had some time in the clouds (so to speak), I feel like getting back to earthbound reality. I’ve been playing for a while with an interesting beta offering — an Identity Provider called SlashID.
SlashID calls itself an ‘untrusted’ provider – my interpretation of that is, you don’t have to trust that SlashID will accidentally or purposefully betray your data to anyone – because they store that data in encrypted format, with your user password as the key, and the unencrypted key is never in reach of SlashID servers. Similar to a service like HushMail, this should mean that SlashID is incapable of abuse or negligence (other than losing or corrupting your data en masse, I suppose).
Of course, there still is trust needed – you have to trust their code to not contain backdoors, legally coerced hacks, and so on (cue the evil music reminding us of HushMail’s recent issues). There is an excellent response to this and other issues (such as the relationship between SlashID and OAuth, or OpenID Security) on the SlashID blog, if you’re interested.
SlashID uses its own protocol specification, and they have a lot of information available on why they’ve gone in this direction, but what I like about this company is that it is not a company that is trying to blindly make a business out of a technology — they understand the service they want to provide, and the value proposition for that service — and they are leveraging the technology that they feel is going to get them to their business objectives. I feel like this is a healthy, healthy approach.
I’ve got the SlashID Relying Party code running on one of my test blogs right now, so if you want to try out the service there, be my guest. One day, when I move my blog to my own domain, I’ll enable my blog as a permanent SlashID client. You need to register for a user account at SlashID before you can authenticate; once that is done, you can use your credentials at login screens where you see the SlashID logo.
Just remember — these guys have NO way to get your account back if you forget your password, so make sure it is recoverable by you, yourself.
I think that one of the biggest problems facing SlashID right now is identical to that of any company trying to offer mainstream products or services based on crypto: how do you make both the general user and the RP app owner understand the underlying paradigm well enough to make secure decisions and understand the consequences of their decisions, while still providing a user experience that isn’t too terrifying?
I’ve had a great time working with the SlashID guys on this – they are responsive and very interested in feedback, so if you have any to pass on and aren’t sure how to communicate it, drop me a line and I’ll make sure to pass it on.
Since you all probably won’t want to run off and register your own website while checking this stuff out, let me know if you’d like to see/play with either my RP setup at SlashID or on my blog — otherwise I’ll end off with a few screenshots of what it takes to set up a relying party with this technology (click on the image to get a bigger version)…
Configuring Attributes passed from IdP to RP at the IdP:
Configuring Crypto at the RP, via a WordPress Plugin: