
assurance - Re: [Assurance] can two-factor be hacked ?

Subject: Assurance

  • From: "Cantor, Scott" <>
  • To: "" <>
  • Subject: Re: [Assurance] can two-factor be hacked ?
  • Date: Wed, 12 Mar 2014 15:54:28 +0000
  • Accept-language: en-US

On 3/12/14, 11:20 AM, "Steven Carmody"
<>
wrote:
>
>I do wonder, tho, whether Kerberos/SPNEGO might be as effective (even
>tho it's also sort-of password based, but not on the wire).

I would be interested myself. As I understand most uses of Kerberos,
unless you're using channel binding or using a session key derived from
the ticket to do things, Kerberos tends to be susceptible to MITM attacks
when used as authentication "up front" and then kind of disregarded. It's
highly dependent on the application, so it depends how SPNEGO works. Not
my area but a good question.

>Are there libraries for development platforms for mobile that make it
>easy to use ECP ? Does any site have experience with this approach ?

We use it (we wrote our own). We will be making our iOS and Android code
for this available soon, I believe.

It of course, though, has a basic-auth-like interface on the client, and
on Android you really have no provenance for applications, so any app can
just phish the user if the user is willing to install it. It's a matter of
perspective whether this is an improvement. I am happy to see such a
conversation happen, since I have failed to get one to happen for several
years.

You also, losing SSO, tend to see apps cache the passwords to make this
model friendly to people.

Again, nothing specific to ECP in that, it's all down to whether you use
the browser or not.

-- Scott




