Mark of the Beast

Just something to think about when you talk about a single Identity number and a single global bank…. Always show your left hand ;-)

Book of revelations Chapter 13 verse 16-17:

“And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads:” “And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name.”

 

 

P3P Cookies

If we use the HTTPOnly flag for XSall perhaps we also have to add P3P headers. Just studying the topic now. Here are some links: P3P, Cookies and IE6.0: A Case Study Don’t get trapped by mixed headers

HTTPOnly ?

The XSall implementation of OpenSignOn is not using the HTTPOnly flag now. I don’t see any XSS problems but perhaps it would not hurt to implement it. An extra wall always helps.

OpenID is looking for a new Executive Director

This seems more like fired for not pushing OpenID hard enough. The job is still vacant. It is a pity I am already the Executive Director of OpenSignOn ;-)

XSall login test

Joren just created a WordPress php XSall ‘Login’. To leave a comment you must be logged in via the XSall login button on the upper right corner. We will try to create more ’Account’ options so everybody can leave comments.

OpenSignOn

Working on the XSall OSO I just have been able to register OpenSignOn.com. It is just a name but it makes me happy to own it. More on XSall soon.

Clickpass OpenID

clickpassClickpass OpenID launched yesterday. They seem to make OpenID more usable. This is good. Perhaps we can add them as an XSall ID Provider.

Are IP addresses Personal?

Because we are building a Browser Based Authentication (BBA) system I came across this interesting article by Google. User trust is the most important factor of the BBA. We already have, with some regrets, striped some great features from the system because it would endanger the users privacy. The BBA will not use IP addresses to identify people and will safeguard the users privacy. More about the BBA when the system is ready.

OpenID 2.0

To go with the flow I think enabling XSall with OpenID will be a good thing. Read what Arthur Bergman has to say about OpenID here. Hulu will only let you see a video if your OpenID ends on the letter “U” or “S” ;-)

Perl HTTP_AUTHORIZATION test

Basic HTTP_AUTHORIZATION

Theo wrote a HTTP_AUTHORIZATION test. If you have mod_rewrite enabled on your Apache 2 server put the following files in some folder. If you go to index.cgi from your browser it will show the default login box. Just enter  some username / password and they will be shown on the page. Very cool Theo. Thanks.

This will help me create the first XSall tests without using mod_perl. If someone likes to create a Digest example please do? I like to test it and perhaps blog about it.


.htaccess

RewriteEngine on
RewriteRule \.cgi$ - [E=HTTP_AUTHORIZATION:%{HTTP:AUTHORIZATION},L]


index.cgi

#!/usr/bin/perl

use strict;
use warnings;

use CGI :cgi’;
use MIME::Base64;

binmode STDOUT;

my ($user, $password);
my $auth = $ENV{HTTP_AUTHORIZATION};

if(defined$auth and $auth =~ /^Basic\s+/) {
  $_ = decode_base64($’);
 ($user, $password) = split(:’); # What is the username or password contains a “:”?!
}

if(!defined($user) or $user eq ) {
 print Status: 401\r\n”;
 print WWW-Authenticate: Basic ;
 print realm=\”testers\@taletn.com\”\r\n;
 print Content-Type: text/plain\r\n”;
 print \r\n”;
 print 401\n”;
 exit 0;
}

print Content-Type: text/plain\r\n”;
print \r\n”;
print Authorization: $auth\n”;
print User: $user\n”;
print Password: $password\n”;
exit 0;