Main

The Next Trust Infrastructure: Securing Mashups

There is no doubt that mashups will be an important construct of the next Internet. The ability to "compose" distributed Web services into one single aggregate service or view is a significant enabler. The lightweightness of HTML and JavaScript speak to the simplicity of a successful programming model. Add to this the emergence of open standards like OAuth, and the need to distribute functionality across screen boundaries (PC, mobile and IP TV), and the picture becomes very clear; mashups and widgets are likely lead the componentization of the Web and become an important distribution mechanism.


For mashups to become ubiquitous, a trust infrastructure is needed. To establish trust between a widget aggregator (a consumer portal, the enterprise portal or your homepage or TV screen), and a widget provider, protocols like OAuth essentially rely on the exchange of shared secrets. This works well when there are only a few big portals serving as aggregators. However, because they require pair-wise trust relationships, the approach does not scale to a truly distributed environment. In particular, the model breaks very quickly in the enterprise as the number of network end-points (enterprise portals and SAAS) explodes.
Alice.jpg
Ravi Ganesan and his new company SafeMashup may have found the answer to this thorny problem. Ravis' answer is brilliantly simple: reuse the existing and proven trust infrastructure of the Web. Indeed, SafeMashup enables existing CAs to issue credentials to mashers and mashees. These credentials are identical to the one they issue to Web sites today. Because Web 2.0 protocols such as OAuth require a shared secret, Ravi uses the SSL handshake and the issued SSL certificate as a secure method to establish a shared secret between the masher and the mashee. This approach allows him to layer SSL and certificates on top of the Web 2.0 protocols without requiring any change to these protocols. Brilliant!


There is no doubt that broad deployment of mashups requires an open, standard-based scalable trust infrastructure. Reusing the existing PKI infrastructures and its rugged SSL cousin strikes me as a very good idea! After all, when the wheel works, why reinvent the wheel. So, "bonne chance" to Ravi and SafeMashup. Indeed, there is something truly exciting brewing in San Antonio, Texas.

03/08/09 | permalink | comments [0]

VeriSign, Microsoft & Partners to Work together on OpenID + Cardspace

This week should be an exciting week for the OpenID community, with lots of things happening at the RSA conference going on in San Francisco. Here's an announcement between VeriSign and some of its partners in the OpenID effort announcing plans to work with Microsoft on making OpenID and CardSpace interoperable:
Microsoft to Work With the OpenID Community, Collaborating With JanRain, Sxip, and VeriSign

JanRain, Microsoft, Sxip, and VeriSign will collaborate on interoperability between OpenID and Windows CardSpace(TM) to make the Internet safer and easier to use. Specifically:

  • As part of OpenID's security architecture, OpenID will be extended to allow relying parties to explicitly request and be informed of the use of phishing-resistant credentials.
  • Microsoft recognizes the growth of the OpenID community and believes OpenID plays a significant role in the Internet identity infrastructure. Kim Cameron, Chief Architect of Identity at Microsoft, will work with the OpenID community on authentication and anti-phishing.
  • JanRain, Sxip, and VeriSign recognize that Information Cards provide significant anti-phishing, privacy, and convenience benefits to users. Information Cards, based on the open WS-Trust standard, are available though Windows CardSpaceā„¢.
  • JanRain and Sxip, leading providers of open source code libraries for blogging and web sites, are announcing they will add support for the Information Cards to their OpenID code bases.
  • JanRain, Sxip and VeriSign plan to add Information Card support to future identity solutions.
  • Microsoft plans to support OpenID in future Identity server products.
The four companies have agreed to work together on a "Using Information Cards with OpenID" profile that will make it possible for other developers and service providers to take advantage of these technology advancements.

Dick Hardt, Sxip Identity
Kim Cameron, Microsoft
Michael Graves, VeriSign
Scott Kveton, JanRain

We will have some extended commentary on this development here over the next several days. Suffice it to say, this is a significant step toward the convergence needed in the identity space and I'm excited to see what will proceed from this effort.

See related posts on this subject:

02/06/07 | permalink | comments [0]

Search

Categories

Blog Tools | Blogosphere | DRM | Digital Movies DRM | | Feeds | Identity | Miscellaneous | PIP / SeatBelt | Ping | RailsConf | RailsConf2006 | RubyonRails | Tags | VeriSign |

Archives

Recent Posts

Google's Smart OpenID Move
DECE or the Digital Content Cloud: Last Chance for DRM.
The New Personal Identity Portal (PIP)
PiP and the "Fun" Test
Federation 2.0: In Search of a Switzerland for Identity Portability
Friend Connect or the Deportalization of Social Networks
The Business of Identity
Been a Busy Two Weeks!
Updating the PIP
Bringing Useful Scalable Security to OpenID

Comments

We encourage comments and look forward to hearing from you. Please note that VeriSign may, in our sole discretion, remove comments if they are off topic or inappropriate.
Powered by
Movable Type 4.21-en
Disclaimer: Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, not of VeriSign.

VeriSign Legal Notices

Read our Privacy Policy