Perl Passport or Single Sign On?

by szabgab (Priest)
on Jul 03, 2005 at 13:52 UTC ( [id://472023]=perlmeditation )

Just a few days ago a new web site appeared called annocpan to provide a place to easily annotate the existing documentation of any CPAN module. (See also perl.com article)

This, along with a number of other Perl related web sites including The Monastery, use.perl.org, CPAN ratings, my CPAN::Forum, RT, PAUSE and probably a few others I missed now require registration and then authentication using username/password.

Some, like PAUSE and RT share part of their authentication, CPAN ratings uses auth.perl.org but still this is a mess. (As natural for us).

Something should be done so we won't need to manage so many identities. Can someone come up with an idea that will provide some central management of all our identities, at least those related to Perl? I am not sure what would be all the requirements for such a system, but here are two points I could come up with:

  • Have (if possible) the same username on all systems
  • Keep every system independent (so if for any reason the central system won't work, or won't let users authenticate for this particular system, it can still function and have all the users information)

Or am I just trying to centralize again something that should remain distributed and anarchic?
Update: As jhourcle mentioned this question was already discussed not long ago in Single Sign-On?
I should have seen that before posting.
So just disregard this post, unless you have something new to say.
Update 2: What I'll probably try to do, once I have more time to work on CPAN::Forum again, is that after registering I'll let users connect their CPAN::Forum identity with some other identity (e.g. their reverend name) and then they'll be able to log in using their reverend username/password. In turn CPAN::Forum will authenticate against The Monastery and if my server won't be blocked by Gods then people will not have to remember their username/password on CPAN::Forum.

Replies are listed 'Best First'.
Re: Perl Passport or Single Sign On?
by jhourcle (Prior) on Jul 03, 2005 at 14:04 UTC

    See the earlier thread, Single Sign-On?

    Update: (this is mainly to explain some of the reasons that have been discussed why this is difficult to implement successfully... it's entirely possible that situations have changed since then, and some of the constraints have been lifted)

Re: Perl Passport or Single Sign On?
by theorbtwo (Prior) on Jul 03, 2005 at 16:33 UTC

    This has come up before, but there is a change in the situation that we should possibly consider: OpenID, an open standard for decentralized single signin. It more or less works for both your points. Your ID on most sites would be a URL on your favorite site (IE http://perlmonks.org/?node=theorbtwo). There's no single point of failure -- each site going down means that users who use that ident server can't log in anywhere, but has no effect on those that don't need to use it.


    Warning: Unless otherwise stated, code is untested. Do not use without understanding. Code is posted in the hopes it is useful, but without warranty. All copyrights are relinquished into the public domain unless otherwise stated. I am not an angel. I am capable of error, and err on a fairly regular basis. If I made a mistake, please let me know (such as by replying to this node).

Re: Perl Passport or Single Sign On?
by cbrandtbuffalo (Deacon) on Jul 03, 2005 at 14:12 UTC
    I'll second the mention of Shibboleth. It requires each site to trust the other site, but the actual auth work still happens at the local site. We are looking into this at UB for access to other Universities and it is open source.
Re: Perl Passport or Single Sign On?
by itub (Priest) on Jul 03, 2005 at 21:37 UTC
    I think we really need something like this. I wanted to use the perl.org authentication system for AnnoCPAN, but it wasn't ready yet for use by non-perl.org sites and I couldn't wait any longer. ;-) (but they are working on it)

    It is possible to have a reasonably secure system where the password database is held by a central server and the other application servers don't know the user's passwords. That can be done by having the authentication server create a signed cookie that is passed to the application servers by the user as a form parameter. The main weakness is that if the central auth server is down, no one can log in to any of the application servers...

    However, I find the idea of having an application server (such as cpanforum.com) receive the user's password for another site (such as perlmonks.org) and then use it to authenticate the user in perlmonks.org very, very bad from a security point of view. How do you expect every user to trust you with their perlmonks.org password?

      How do you expect every user to trust you with their perlmonks.org password?

      The keyword I think is optional. If you trust cpanforum.com enough to handle your Monkpw then you can use it. If you don't trust it then just use your cpanforum.com username/password.
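
The signed-cookie scheme itub describes above, sketched as an added example (not code from any poster or from the sites named in this thread): the auth server checks the password, then hands the browser a token that the application server verifies without ever seeing the password. It assumes HMAC-SHA256 with one key per application server in place of a public-key signature, so a key leaked at one site cannot mint logins for another; the site names, keys, `|`-separated payload layout and function names are all constructed for illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);
use MIME::Base64 qw(encode_base64url decode_base64url);

# Assumption: one secret per application server, shared only with the auth server.
my %site_key = (
    'cpanforum.example' => 'constructed-demo-key-1',
    'annocpan.example'  => 'constructed-demo-key-2',
);

# Auth server: called only after it has checked the password itself.
sub issue_token {
    my ($user, $site, $ttl, $now) = @_;
    my $key = $site_key{$site} or die "unknown site $site\n";
    my $payload = encode_base64url(join '|', $user, $site, $now + $ttl);
    return $payload . '.' . hmac_sha256_hex($payload, $key);
}

# Compare two MACs without stopping at the first differing character.
sub same_mac {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Application server: returns the username, or undef if the token is rejected.
sub verify_token {
    my ($token, $site, $now) = @_;
    my $key = $site_key{$site} or return undef;
    my ($payload, $mac) = split /\./, $token // '', 2;
    return undef unless defined $mac && same_mac($mac, hmac_sha256_hex($payload, $key));
    # Parse from the right so a '|' inside the username cannot shift fields.
    my ($user, $aud, $exp) = decode_base64url($payload) =~ /\A(.+)\|([^|]+)\|(\d+)\z/s
        or return undef;
    return undef if $aud ne $site;    # issued for a different site
    return undef if $now >= $exp;     # expired
    return $user;
}

my $t0    = 1_120_000_000;            # constructed timestamp
my $token = issue_token('szabgab', 'cpanforum.example', 300, $t0);
my %check = (
    'accepted by intended site' => verify_token($token, 'cpanforum.example', $t0 + 60),
    'replayed at another site'  => verify_token($token, 'annocpan.example',  $t0 + 60),
    'presented after expiry'    => verify_token($token, 'cpanforum.example', $t0 + 301),
    'payload tampered'          => verify_token('x' . $token, 'cpanforum.example', $t0 + 60),
);
printf "%-26s %s\n", $_, $check{$_} // 'rejected' for sort keys %check;
```

The token is a bearer credential until it expires, so it would travel only over TLS and carry a short lifetime; with a public-key signature the application servers would hold no minting secret at all.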

Re: Perl Passport or Single Sign On?
by jacques (Priest) on Jul 03, 2005 at 20:24 UTC
    Just a few days ago a new Perl web site appeared

    This happens more often than most people realize. However not all of these new sites get covered by perl.com

    Can someone come up with an idea that will provide some central management

    The underlying fallacy of your suggestion is that these websites are managed by the same people. They are not. Therefore, even if you come up with a good idea to improve one or all of these websites, you would have to convince these separate website operators to implement your idea. Simply presenting your idea to them will not get this done.

    In many cases, you would have to spend time befriending an operator after you establish contact with him or her. Some of these operators know each other and belong to an inner circle of Perl developers (a Perl clique). If you belonged to the same group of friends, then implementing your idea would be a much smoother process for you than if you were an outsider. Good luck.

Re: Perl Passport or Single Sign On?
by TedPride (Priest) on Jul 03, 2005 at 18:08 UTC
    The problem with any sort of shared login system is that the system is only as strong as its weakest link. A security breach at any one of the sites you use will provide access to your account at all the others. It's much better imho to use different user names and passwords for everything and store them in some encrypted form on a floppy in case you forget (so you don't have to use the secondary verification systems, which are generally weaker).

    If you don't care about security, just use the same user name (or as close to same as you can get) and password everywhere.

      I have recently started using Password Safe, by Bruce Schneier. While this doesn't solve the single sign on problem, it does mean that I can use a different password for each site and the individual passwords are more secure because I don't have to remember them. My credentials for any site are only ever a couple of mouse clicks away.
Re: Perl Passport or Single Sign On?
by mpeters (Chaplain) on Jul 04, 2005 at 13:14 UTC
    Just to add one more thing to look at... try reading about Sxip (pronounced 'skip'). They were a sponsor of YAPC this year and gave a presentation about their services/protocol. Not too shabby.

    -- More people are killed every year by pigs than by sharks, which shows you how good we are at evaluating risk. -- Bruce Schneier
      Thanks! Our Perl Homesite Package should be coming out later this summer. FYI, the link on your posting to our site is wrong. It should be http://sxip.com. Cheers, Lori
