Hello,

* New Single Sign-on now available

Fresh out of DebConf[1], I think that the experimental new Single Sign-on system has reached a point where it is ready to be announced and used. Here is how it works:

 1. Go to https://sso.debian.org/spkac/enroll/
 2. Log in as usual with your Debian Web Password or Alioth credentials
 3. Click on "Get certificate"
 4. Visit websites.

That is it, nothing else is needed. From that point, when you visit any sso-enabled site[3], you get a popup with the option of using the certificate with them. If you do, the site can be sure that you are you.

Really, that is all: one click to add certificates to your browser, one click to use them[4]. It is effectively like having a stored password that works on a lot of sites, cannot be guessed, expires when you want and can be globally revoked.

* Deploying new sso-enabled sites

If you maintain any web service, be it deployed on debian.org machines or anywhere else, and would like to be able to authenticate users with sso.debian.org, you just need a four-line configuration change in Apache and a daily cron job to keep the Certificate Revocation List up to date[5]. If you deploy on debian.org machines, there will be a local copy of everything you need kept up to date for you, so you do not even need the cron job.

I think that this greatly lowers the requirements for creating new sites that can work with the Debian Single Sign-on: anyone can just go ahead and set one up, without coordination with sso.debian.org, without needing to deal with shared secret tokens, without increasing the attack surface for stealing passwords.
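To make the "few lines of Apache plus a CRL refresh" concrete, here is an added illustration of what such a mod_ssl virtual host fragment looks like. It is an example written for this page, not the configuration documented on the Debian SSO wiki or shipped by sso.debian.org: the certificate and CRL paths, the CA file name, the ServerName and the assumption that the username is carried in the client certificate's subject CN are all placeholders. The commented-out "weak" setting shows the mistake that silently breaks the "can be globally revoked" property.

```apache
# Added example (not the Debian SSO project's own config).
# Paths, the CA file name and the CN-as-username mapping are assumptions.

<VirtualHost *:443>
    ServerName example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/example.org.key

    # The CA that issues the SSO client certificates (assumed path).
    # Only client certificates chaining to this CA are accepted; this is
    # independent of the chain behind the server's own TLS certificate.
    SSLCACertificateFile  /etc/ssl/certs/sso-ca.pem
    SSLVerifyDepth        1

    # WEAK: with no CRL configured, a certificate the user revoked at
    # sso.debian.org keeps authenticating until it expires.
    #   SSLCARevocationCheck none
    # CORRECT: load the CRL that the daily cron job refreshes and reject
    # revoked certificates anywhere in the chain.
    SSLCARevocationFile   /etc/ssl/crl/sso-ca.crl
    SSLCARevocationCheck  chain

    # Ask every client for a certificate but do not require one, so
    # anonymous visitors still get the page. The application can tell
    # the two apart: SSL_CLIENT_VERIFY is "SUCCESS" only when a
    # certificate was presented and passed CA and CRL checks.
    SSLVerifyClient optional
    SSLOptions      +StdEnvVars

    <Location /comments>
        # Only SSO-authenticated users may reach this part.
        SSLVerifyClient require
        # Expose the verified subject to the application as REMOTE_USER
        # (assumes the username is the CN of the client certificate).
        SSLUserName     SSL_CLIENT_S_DN_CN
    </Location>
</VirtualHost>
```

Two practical caveats: mod_ssl reads SSLCARevocationFile at startup, so the cron job that fetches a fresh CRL from the URL documented in [5] should reload Apache after replacing the file, and before replacing it should check that the download is a CRL signed by the expected CA (`openssl crl -in new.crl -CAfile /etc/ssl/certs/sso-ca.pem -noout` prints "verify OK" only in that case), so that a truncated or tampered download never displaces a good CRL. Also, putting SSLVerifyClient inside a Location makes Apache renegotiate when that path is first requested; if that is unwanted, keep `optional` at the virtual host level and let the application check SSL_CLIENT_VERIFY itself.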
Seriously, now you can set up your blog so that any Debian Contributor can post comments, and then you can complain to DAM if they misbehave :)

* In case of problems

If you find something that does not work, please report bugs[6] and, if you can, help fix them[7]: openssl and gnutls already have client certificate support built in, and implementing client certificate support in an HTTPS client is generally a simple matter of adding a couple of calls to the https setup code[8].

More documentation is at [9]. If you find tips and tricks for your favourite browser, add them to the wiki[a].

[1] After discussing the single sign-on situation at the oauth2 sprint at DebConf[2], Bernhard R. Link and I started working on a prototype replacement for sso.debian.org based on client certificates. I kept working on it after DebConf and I think that now we have a system that is quite ready to be used.
[2] https://wiki.debian.org/Sprints/2015/oauth2%20sprint%20@%20DebConf
[3] https://wiki.debian.org/DebianSingleSignOn#SSO-enabled_sites
[4] One click to bring the servers up and to the right ports bind them. In the Land of Debian where Free Software lies.
[5] https://wiki.debian.org/DebianSingleSignOn#Documentation_for_web_application_owners-1
[6] https://bugs.debian.org/797057
[7] https://bugs.debian.org/797066
[8] https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;att=1;filename=links-client-certs.patch;bug=797066
[9] https://wiki.debian.org/DebianSingleSignOn
[a] https://wiki.debian.org/DebianSingleSignOn#Browser_support

Yours and very excited,

Enrico

-- 
GPG key: 4096R/E7AD5568 2009-05-08 Enrico Zini <enrico@enricozini.org>