
Re: [Auth]A simple serverside authentication scheme

From: Norbert Bollow
Subject: Re: [Auth]A simple serverside authentication scheme
Date: Tue, 17 Jul 2001 13:38:14 +0200

I wrote:

> > Don't overlook the problem that this approach requires
> > server-side resources (such as bandwidth, hardware, sysadmin
> > time).

Nick Lothian <address@hidden> replied:

> You are joking, aren't you?

No I'm not joking.

> We could use sourceforge to set up an initial implementation.

Not a good idea.  Sourceforge doesn't have the 100% uptime that
this system needs.

If we really want a server-side system, we may of course
consider approaching VA Linux Systems:  This company operates
many servers for the Free/Open Software movement including
Sourceforge and also the main webserver for the GNU system of
the Free Software Foundation.

Maybe they'd be willing to donate some resources.

> That would support many thousand simultaneous login
> validations, and once we require more power we just use other
> free server, or someone spends $20 a month to get some space
> on a shared server.

Please do the math.

Estimate how many HTTP transactions that require authentication
happen per hour, worldwide.  Choose a percentage goal for the
market share of these transactions that you would like to be
handled by our system.  Make this goal big enough that reaching
it will prevent Microsoft from dominating the market for
auth services.

Compute the resulting load on our auth servers.  Then design a
system which can handle that load reliably, with 100% uptime.
Then estimate the required resources.

It is ridiculous to say that it can be done for $20/month.  Sorry.
Don't believe it when hosting services claim to give you
"unlimited bandwidth" for $20/month.  There is no such thing as
unlimited bandwidth, anywhere.

I'm sure that (given enough time) it is possible to make a
server-side approach work, especially if it is a distributed
system.  But it is foolish to ignore the question of resources.
And if you're proposing to quickly develop a reliable distributed
system, I'd like to know how you're going to go about it.  If
you can come up with a good plan, I'll be happy to support it.

> I'm still waiting for a response to issues like:
> a) Historically, client side plugin take up is very slow (eg, Flash took 2
> years to get significant market penetration, same with Real Player. Even in
> the early days of the web Java took a couple of years to get a majority of
> browsers in use supporting it).

Yes, people have a reluctance to install a plug-in.  That needs
to be considered.

But aren't we specifically going for the people who have a
reluctance to entrust personal data to any server-side system
(Microsoft's)?  It will be difficult to convince them that our
server-side system is more trustworthy than Microsoft's.

It'll be a much easier sale IMHO to convince them that our
system is better because their data stays in their own PC.

> b) The security-lock-down issue. By this I mean all the computers (eg net
> cafes, Universities, libraries, corporate environments) that don't let you
> install plugins and/or don't have floppy drives

I think that Ron's proposal was to deliberately make the
decision to not address this issue in the first version.

Does anyone have an idea of how to go about estimating the
market share of internet users who suffer from

> c) Support for multiple browsers/operating systems. Who here has written a
> plugin? I've done some ActiveX controls, but even they work differently
> between IE 4 and IE 5. We'd need at least:
>   Netscape 4 Win plugin
>   Netscape 6/Mozilla plugin (does it still support plugins?)
>   Netscape 4 Mac plugin
>   Netscape 4 Linux plugin
>   IE 4 Win Plugin
>   IE 5 Win Plugin
>   IE 4 Mac Plugin
>   IE 5 Mac Plugin
>   Opera Win Plugin (does it support it?)
>   Opera other platforms (I know Linux, how about Mac?)
>   ICab Mac
> I've got no idea if half of those things support the Netscape plugin API. I
> know that the IE ones don't.
> Who's going to write (and test and build) the plugins for all those
> platforms? I mean, Flash isn't supported on half of them, and you think we
> can get "significant market share quickly."?

Why do you say that we need to support more than twice as many
platforms as Flash?

If we manage to get the same level of market penetration as
Flash, maybe that is good enough?

Anyway, porting the "DotGNU Virtual Identity" plugin to another
platform should be much easier than porting the Flash plugin to
another platform.

Also, Free Software projects typically find it relatively easy
to find volunteers for porting something to another platform.

> > Microsoft has a server-side system and they haven't succeeded in
> > making it work reliably yet.
> > 
> Not true at all. Passport has been working for nearly 6 months for MSN and
> Hotmail. It was only Messenger usage that broke it (and supporting
> non-browser clients doesn't appear to be something you are interested in)

It doesn't matter what broke it.  Maybe Microsoft tried to
improve the system, and thereby broke it.  (And there is no
reason to believe that that kind of thing couldn't happen to us.)

The fact is that they've not been able to operate their system
reliably.  And it didn't only break for Messenger users.


   Throughout Thursday morning, people continued to report a
   string of seemingly unrelated glitches, including lost
   Hotmail address books and e-mail and missing MSN Calendar
   information. But one common thread all these services share
   is Passport authentication. In fact, some people could not
   access their Passport accounts.  

   Ray Bailey, information services manager for The Berquist
   Company, said that when he tried to log in, "I was told my
   Passport is bad, and I know that account is right."


> > But for programs which are used on many computers by many
> > different people, there we have the advantage, because a
> > significant percentage of the users help with making the program
> > better - that's a power that Microsoft doesn't have.
> > 
> Show me a single example of an end user (non developer) open source product
> where the users have helped with development.
> In fact, show me a single example of a successful open source product aimed
> at end users where development wasn't mostly funded and done by a single
> company.

DotGNU Virtual Identities in this respect cannot be compared to
any end-user software that has come before it.  Microsoft's "Big
Brother" approach to auth services is a good reason for many
technically knowledgeable people to become users of the DotGNU
Virtual Identities system specifically with the goal to support
DotGNU against Big Brother Microsoft.  These are the people that
I'm talking about.

> Sorry if this reply sounds like a flame. I am just concerned that bad
> decisions will be made that will result in lots of wasted time.

Are you willing to contribute a significant amount of work to
making an auth system work which is based on distributed servers?

I feel that what we need right now is proposals from people who
are also capable of leading the process of implementing their
proposal, and willing to do so.  I believe this is the case with
Ron (am I right about this, Ron?) and on top of the fact that
what he says makes sense IMHO, that is another reason why I am
supporting his proposal.

Greetings, Norbert.

Norbert Bollow, Weidlistr.18, CH-8624 Gruet  (near Zurich, Switzerland)
Your own domain with all your Mailman lists: $15/month
Business Coaching for Internet Entrepreneurs --->
Tel +41 1 972 20 59      Fax +41 1 972 20 69      address@hidden
