
Bug#497584: ITP: cosign -- Web single sign-on for intranets



On Wed, 2008-09-03 at 04:01 -0300, Martín Ferrari wrote:
> >>   Description     : Web single sign-on for intranets
> >
> > What's the difference between this and OpenId ?
> > Why the focus on intranets?
> 
> OpenId is decentralized and open. This is targeted to a different
> public (from what I understand), and the authentication is handled by
> a single source.

Single Point of Failure?

> >> Cosign includes an Apache module for authentication in distributed
> >> applications, CGI scripts to handle logon/logoff and a session tracking
> >> daemon.
> >
> > Is this smartcard based or "hot-desking" via bluetooth or something?
> > i.e. a system that logs you off when you leave your desk and logs you
> > back in when you're back from lunch?
> > ;-)
> 
> hehehehe. No, it only maintains the logged-on/off state, but doesn't
> know about your culinary habits :) How would you re-phrase that?

I'm still not quite sure I understand what cosign is trying to do - is
it offering an alternative to the existing Apache authentication systems
like .htaccess etc.? Some kind of frontend to other website
authentication or some kind of cache that stores your username and
password for next time? Does this only work with particular websites
that have configured their authentication protocols to work with cosign
(aka OpenID) or can it masquerade as the authentication protocol for
unmodified websites, in which case it would seem to be at least storing
the authentication details used by those websites.

I've looked at http://weblogin.org/overview.html but I'm not sure I
understand it. I'm confused about whether this is some kind of portal
for use where internet access is charged / time-limited (like an
internet cafe or hotel) or some kind of network filter that either
blocks or allows traffic to certain websites. I'm also concerned about
*why* a system would be configured to store the web logins of all users
in a single location. Or is this some kind of "keep-me-logged-in"
service like stay-alive or similar that keeps pinging the login to
prevent timeouts?

If it is trying to be something like OpenId for intranets, then it
shouldn't get involved in the cookies themselves, the sites requesting
authentication need to be modified to support the cosign method, without
revealing the login details of the users. I can't work out whether it is
doing that or not.

The website is completely unhelpful in deciding what this package is
trying to do and what problems it is either trying to solve or likely to
generate. The wiki overview is just a rehash of the website overview
that is no clearer, at least to me. I hope this package will come with
some clear documentation. ;-)

I'm confused about why users would want to trust cosign to keep all
their weblogin usernames and passwords - unless those usernames and
passwords are part of the same intranet that uses cosign at which point
it would seem bizarre that to fix the various login problems of a
variety of websites inside an intranet, the admin would add another
login that knows all the login details of all the users.

I can't help thinking that cosign is a solution looking for a problem.

Maybe open this up to -devel where there are people with more experience
of network-admin/authentication/intranet issues.

-- 


Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/
