Zero Sign On - 1 better or Infinitely better than Single Sign On?

Posted by Dr Nic on February 22, 2008

This article has no code in it. There are no TODO steps. Nothing to install. It's a picture of the future.

There is no reason to bookmark this article and read it another day. It's nearly all pictures. You can read it now.

This “picture of the future” was actually added to our browsers in the 90s. Netscape and MSIE3.0 both had it.

“It” is Client Certificates, and to me it means “never logging on with username/password NOR OpenID ever again”. Zero Sign On. It must be better than the much-targeted Single Sign On.

Client Certificates

Firefox 2.0:

[Image: no-certificates]

Or on Safari/KeyChain:

[Image: Keychain Access - no certificates]

Small problem: no website I’ve ever used has ever offered them, so I never knew they existed. I didn’t know what they did, nor, as a web developer, that I could create them for users who would then never need to log in again.

Clifford Heath showed me the light. On the #roro IRC channel, we were exploring how “Zero Sign On” might be implemented using ssh-keygen, browser plugins, etc. Clifford mentioned client certificates, and then someone else mentioned that MyOpenID already supported them. [someone = Michael Kedzierski]

I already had a myopenid account, so I raced over to explore the new world of certificates.

Under “Authentication Settings”:

[Image: myopenid-create-certificate]

After submit:

[Image: myopenid-creating-certificate-dialog]

And then:

[Image: myopenid-certificate-creation-finished]

Then feedback:

[Image: SSL Client Certificates]

So I tested whether “Zero Sign On” actually worked. Normally, after logging out you’d need to submit a username/password, or, if a site supported OpenID (yes, myopenid.com is itself an OpenID provider, which is a bit circular, but bear with me), you’d log in by entering your OpenID URL and pressing Enter. Either way, you’ve got work to do.

Instead, I clicked the “Login” link on the home page and was redirected immediately to:

[Image: myopenid-login-uses-alternate-url]

[Image: myopenid-signin-with-certificate-form]

So it was still using cookies so that it could log me in immediately next time without clicking “Login”, but either way there is no username/password nor any other “type something here” login form. Just a “Remember Me” checkbox.

Finally, myopenid.com shows a log of your sign-in attempts:

[Image: recent activity]

Your sites and the future

As a web developer, you can do one of two things to get some leverage from Client Certificates.

  1. Support OpenID as a login mechanism. Users with myopenid.com accounts (or accounts with other OpenID providers that support client certificates) will benefit from automatic login to their OpenID page and instant redirection to your site. You’ll also be able to help new users import their profile data to get them started quickly.
  2. Implement Client Certificates yourself. I would have liked to have had a crack at this before posting about Client Certificates and all their sweet loveliness, but I didn’t. My bad. Instead, I found a nice step-by-step (plus comments with updates) on implementing Client Certificates.

If you have/do implement Client Certificates in Ruby/Rails world, you’ll get a 1000 Happy Points from me if you open source it/blog about it. Happy Points are redeemable for Happiness in all countries.

Comments

  1. tommorris Fri, 22 Feb 2008 10:09:03 UTC

    Yep, being able to sign on with SSL certificates is fantastic, and one of the things I love about MyOpenID.

    (Signing on to my blog doesn’t do much at the moment though - it basically lets people I know IRL access my contact details and will also provide a way in to test possible betas.)

  2. aemadrid Fri, 22 Feb 2008 10:12:15 UTC

    Wow, just wow. This can be amazing. Thanks for the info.

  3. Daniel Fischer Fri, 22 Feb 2008 10:21:23 UTC

    Wow, I had no idea you could do that. This really seems like it should *be the way*. Why the heck hasn’t this caught on? :(

  4. timocratic Fri, 22 Feb 2008 10:51:17 UTC

    Awesome sauce Dr. Nic. I’m just testing if it’s working with the webpage setting in MyOpenID identity so that it links to that, not my OpenID page. I suppose down the road that might be a better verifier, but for now it’d be nice just to have it link to my site without having to become a provider myself, and set-up client cert sign-on.

  5. timocratic Fri, 22 Feb 2008 10:54:59 UTC

    Hmm, apparently you have to set your profile up ahead of time for it to have the right link in the comment? I suppose in the future consumers (of open ID) can become smarter about what to do with the identity info it passes back.

  6. Dr Nic Fri, 22 Feb 2008 10:59:16 UTC

    @timocratic [via] - yeah the openid plugin for wordpress I’m using here just stores your URL at the time that you login and post.

  7. Luigi Montanez Fri, 22 Feb 2008 11:57:22 UTC

    @Daniel Fischer [via] - I think this hasn’t caught on because it’s not portable. Combining this with OpenID is the perfect solution, I think, as it’s the best of both worlds: Zero sign on when you’re on a machine you own, and Single sign on when you’re not.

    Whoa, cool autosuggest on the @. I need to make a cool OpenID plugin like this for Mephisto…

  8. labria Fri, 22 Feb 2008 11:57:32 UTC

    Actually I’ve seen a site use them: http://www.wmtransfer.com/. They use them for authentication.

  9. Daniel Fri, 22 Feb 2008 12:17:56 UTC

    In Denmark, the state body has issued digital certificates to all residents, for use on state body websites (e.g. doing your taxes online), so I’ve been using these for years! It’s the way to go, although I personally prefer PGP.

  10. Dr Nic Fri, 22 Feb 2008 12:29:01 UTC

    @Daniel [via] - exactly - instead of each website issuing client certificates, a client could already have a certificate.

    My knowledge here gets shaky - I’m guessing it’s like SSL key pairs - the website holds the public key portion.

    This is where I think OpenID is still very useful - you upload your public key to your OpenID profile and when you create a new account with xyz.com your OpenID provider shares your public certificate key. Now you can login to xyz.com automatically without going through OpenID provider each time (ignoring sessions for a second).

  11. http://rictic.myopenid.com/ Fri, 22 Feb 2008 13:12:07 UTC

    This wouldn’t work well if multiple people use the same computer with the same account, or if they typically use a computer that is not under their control.

    However, every modern OS does accounts well enough, and computers are becoming cheap enough that in many places this will work well.

    With good certificate management systems like keychain, you can even be protected in the event of computer theft (I think it encrypts all of the passwords and certificates it saves).

  12. Dr Nic Fri, 22 Feb 2008 13:39:04 UTC

    @rictic [via] - yeah I’m sure many households would have multiple users per machine, and in my life we’ve never managed to use more than one OS-account. But, at work, and on the laptop etc, certificates would be sweet.

  13. Michael Siebert Fri, 22 Feb 2008 17:42:24 UTC

    Great idea… never thought about using it…
    why not create an opensource (rails/merb/…)-plugin?

    @Nic: you forgot to remove your certificate’s serial no. in the “recent activity” picture…

  14. Dr Nic Fri, 22 Feb 2008 17:59:15 UTC

    @Michael Siebert [via] - thx, fixed.

  15. Dr Nic Fri, 22 Feb 2008 18:28:08 UTC

    My Safari screenshots

    Instead of autoloading certificate into browser I must manually open it:

    [Image: Safari - manually install .crt file]

    Then it appears in KeyChain:

    [Image: Keychain Access]

  16. NeilS Fri, 22 Feb 2008 19:39:09 UTC

    Really interesting: I never realised myopenid.com had that functionality.

    I’m trying it out (using Safari on a Mac), and have successfully created a client cert, but I can’t see that “Click here to install your certificate” link - or at least, it’s nowhere in the vicinity of the “MANAGE YOUR SSL CLIENT CERTIFICATES” section.

    (Although I do have a link to an Apple support forum message regarding problems signing with Safari.)

    Where do you find the magic “install your certificate” link?

    Many thanks!
    Neil.

  17. Dr Nic Fri, 22 Feb 2008 20:00:13 UTC

    @NeilS [via] - The “Click here to install your certificate” section was at the top of the screen after submitting “laptop-safari” to the “Add an SSL Client Certificate” form. So it’s above the “Change Password” + “Manage your SSL Client Certificates” section, and below “About this page”, on the Authentication Settings page.

  18. Dr Nic Fri, 22 Feb 2008 20:10:50 UTC

    As mentioned here, there are issues with Certificates and Safari, see the Safari ticket. So all is not well in Zero Sign On land for Safari.

  19. Jonas B. Fri, 22 Feb 2008 20:38:23 UTC

    We had that on a web site probably ten years ago (definitively before the millennium) offered as an extra service for the customers who wanted to log in that way. (I’ve always been into smart cards and thought we’d better be prepared when people started using them.) But I think exactly zero customers bothered with it. They turned out to be too lazy even for passwords… Anyway.. Seeing OpenID take off in the blogging world today, I can just shake my head. Certificates are implemented in every client that can do https, plus you get crypto for free, there’s zero to implement since Apache does everything. But apparently it’s not cool enough.

  20. NeilS Fri, 22 Feb 2008 21:06:10 UTC

    @Dr Nic [via] - A-ha! Thank you! Obviously not enough caffeine yet this morning. ;-) For the record, I note that if you reload/revisit that page, it appears your chance to download the certificate is gone forever, which is what I think I did. Thanks again …

  21. crosser Fri, 22 Feb 2008 22:07:00 UTC

    I implemented (experimentally) certificate-based web authentication in the late 90s, when client certificates were introduced by Netscape (it was at the time when Internet Explorer did not exist, and OpenSSL was called SSLeay).

    The approach described in this article (client certificate + openid) may indeed work.

    But using client certificates *directly* to authenticate users at websites has a problem. The problem is the same as using server certificates to authenticate web servers, but much worse. It is the design of x.509: a certificate may be signed by *only one* certificate authority. And to verify your identity, your peer needs to have (and trust) the certificate of the CA that signed your certificate. This boils down to that there may be only so many widely recognized CAs in the world, with all certificates being signed by one of them. Or that a user will have to sign a separate certificate for every site by that site’s private CA, which is almost as bad as having multiple passwords…

  22. sapphirecat Sat, 23 Feb 2008 00:17:05 UTC

    @Daniel Fischer: I suspect that the reason this never caught on is that SSL certificates are strongly associated with “arm and a leg”.

  23. sapphirecat Sat, 23 Feb 2008 00:20:09 UTC

    @Daniel Fischer: I strongly suspect the reason is that SSL certificates basically cost “an arm and a leg” as far as home users are concerned. By the time ‘free’ ones came out (like the Thawte ones you can get with an SSN), they were under-advertised, basically useless, and collected ridiculous amounts of personal info (my *SSN*!? WTF!!).

  24. brianary Sat, 23 Feb 2008 01:26:48 UTC

    My employer uses certificates for members to access their financial info.

    Safari and Opera really make the process harder than Firefox or even IE.

  25. DavidK Sat, 23 Feb 2008 02:16:02 UTC

    The tab order is incorrect btw. If you tab from the OpenId box you end up in the search field at the other end of the page.

  26. Reid Sat, 23 Feb 2008 04:24:48 UTC

    MIT has been using personal certificates for administrative web sites for a long time. It’s a really great system. Just make sure you set them to expire, because it’s extremely easy to create certs for a wayward machine, and then your security is in jeopardy.

  27. Jeremy Smith's blog Sat, 23 Feb 2008 04:50:47 UTC

    Zero Sign On…

    Zero Sign On - Better than Single Sign On? We’ve talked about doing this here with [[CAS]]…….

  28. Ricky Sat, 23 Feb 2008 05:47:38 UTC

    Cool idea, and good explanation.

    However, this does not really seem to be zero sign on. You have missed the fact that the user still does sign into their operating system (one sign on) and it’s that authenticated session that allows the user to submit the certification for future sign ons.

    -Ricky

  29. Muse Sat, 23 Feb 2008 05:58:07 UTC

    Okay, but how portable is this? Doesn’t this mean I can’t login from a public machine because I don’t have the certificate on it?

  30. bryanl Sat, 23 Feb 2008 06:31:29 UTC

    I’m all about this… but what good is an SSL cert without a good passphrase? An SSL cert can’t guarantee it’s me signing on.

  31. Wes Felter Sat, 23 Feb 2008 06:48:49 UTC

    X.509 certs don’t support selective revelation, so they violate some of the “laws” of identity and privacy. Some certs are dossiers, and you don’t want to reveal that to Web sites. But a cert that reveals no info (such as self-signed) seems like it would be no better than a cookie.

    Also, the UI for certs is even worse than the UI for HTTP auth, and you’ll notice that no one uses HTTP auth any more because of the UI problems.

  32. Squeegy Sat, 23 Feb 2008 07:08:32 UTC

    This method is also somewhat phish proof for these site created certificates. A MyOpenID.com phishing clone site may fool the user if it looks exactly the same, but the browser knows that this certificate only gets sent to a specific site or domain. So you have no certificate for the phishing site, telling you that you aren’t where you think you are.

    This is the very reason MyOpenID.com adopted the method, I believe.

  33. labria Sat, 23 Feb 2008 07:17:31 UTC

    Reading the code here: http://reductivelabs.com/trac/puppet/browser/lib/puppet/sslcertificates makes me think those guys did what you wanted. Not in a universal way, but they do use certs to authenticate users in rails. It would be still nice to make a universal rails plugin out of that. I’ll try to if I find some time…

  34. labria Sat, 23 Feb 2008 07:20:01 UTC

    I meant ruby, surely, not rails. But it seems portable enough to me =)

  35. Dr Nic Sat, 23 Feb 2008 07:38:14 UTC

    @labria [via] - nice find. Perhaps ask the Puppet guys for assistance, but again, nice find.

  36. links for 2008-02-22 at Travels and Travails Sat, 23 Feb 2008 09:26:29 UTC

    [...] Dr Nic » Zero Sign On - 1 better or Infinitely better than Single Sign On? (tags: security authentication) [...]

  37. blm Sat, 23 Feb 2008 10:21:41 UTC

    So a) I can’t log on to my banking, etc. site unless I’m using my browser, and b) anyone who is using my browser can automatically log on to my banking, etc. site? Inconvenient and insecure, gee, I wonder why it hasn’t caught on.

  38. Brad Sat, 23 Feb 2008 10:41:25 UTC

    @Squeegy:

    Maybe, but if the certificate is not signed by a valid CA I wonder if that introduces a security risk for these client side certs. Obviously, if you use a self signed server certificate that’s easy to fake and fool a user with. But I don’t know enough about client certificates to tell if a similar security issue exists there.

  39. Ian Sat, 23 Feb 2008 11:08:49 UTC

    Just curious, but what happens if someone gets access to your computer? how easy is it for them to copy the cert and then use it on their own?

    That’s one thing in favor of a username and password. Assuming my brain keeps working, I will always have my login info with me and no one else can take it (assuming no key loggers, etc etc)

  40. Dr Nic Sat, 23 Feb 2008 11:47:30 UTC

    @blm [via] - you can still login with username/password

  41. Dr Nic Sat, 23 Feb 2008 11:51:45 UTC

    @Ian [via] - I think KeyChain encrypts your certificates so the lawless thief (or ebay purchaser) would need your O/S account username/password first.

  42. antifuchs Sat, 23 Feb 2008 12:46:46 UTC

    I find it both sad and amusing that you document this with screen shots of the mac Keychain and Safari, as those two (at least 2.0 and before, as well as other Webkit-based browsers) have a bug that prevents zero sign-on if you have more than one certificate on the key chain. This may be a .mac certificate in addition to your myopenid cert, for example. It will cause Safari to use one random certificate of yours to authenticate with, and if connecting with that random certificate fails, to fail to connect entirely.

    The way that would work (but I now find it dubious to argue for that as it reveals quite a lot of information about what is in your keychain, as per comment 21 above) is to connect using each of the certificates on the chain and succeed if any of them works. Safari doesn’t do this and I have a .mac account with an attached certificate on my keychain, so I can’t use zero sign on for myOpenID. It would be really really convenient. )-:

    (For a more detailed description of this bug, see http://www.macintouch.com/readerreports/leopard/topic4694.html and search for “client-side certificates”)

  43. Dr Nic Sat, 23 Feb 2008 15:56:24 UTC

    @everyone - if a user already had a myopenid/otheropenid provider’s certificate, could my application/server directly accept those certificates and save the user having to login via the openid provider each time?

  44. http://www.jasani.org/ Sat, 23 Feb 2008 16:09:18 UTC

    @DrNic - the answer is yes. You can accept client certificates and log users in to your server. The issues are that first you need to have either a large list of CA’s that you trust or limit the CA’s that clients can use for their certs. Second, you can test that the client cert is signed by a trusted CA and that it is still valid, but you should know that depending on the CA, you probably can’t assert anything about the identity of the user.

    To answer another user’s comment about why client certs are expensive. The purpose of the CA’s was to actually validate your identity so that when you present a certificate that says you are Dr. Nic, someone (the CA) has actually done some background checking to back up that statement.
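An added Ruby example, written for this page and not code from the post, from myopenid.com, or from any plugin mentioned in the comments, of what option 2 under “Your sites and the future” and the comment above describe: a site issues client certificates from its own private CA, and at login it verifies the presented certificate against that CA only, checks the validity period (the expiry Reid recommends in comment 26), and then maps the certificate to an account by fingerprint instead of believing whatever name its subject claims, since, as the comment says, a valid signature alone asserts nothing about who the user is. The CA name, the device names, the user “drnic” and the enrolment table are all constructed for the demonstration, and the certificate is assumed to reach the application as PEM, the way a reverse proxy would forward it.

```ruby
require 'openssl'

# Constructed example: a site that issues and accepts its own client
# certificates. CA name, device names and users are made up for the demo.

# Issue an X.509 certificate. issuer_cert nil means self-signed (the CA root).
def build_cert(subject:, key:, issuer_cert:, issuer_key:, serial:, days:,
               ca: false, not_before: Time.now)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_before + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('extendedKeyUsage', 'clientAuth', false))
  end
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# SHA-256 over the DER encoding: the handle the site stores at enrolment and
# looks up at login, instead of trusting the subject name in the certificate.
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
end

# The check the site performs on the certificate its web server forwarded
# (as PEM). Returns [:ok, user] or [:rejected, reason].
def authenticate_client(pem, trusted_store, users_by_fingerprint)
  cert = OpenSSL::X509::Certificate.new(pem)
  now = Time.now
  if now < cert.not_before || now > cert.not_after
    return [:rejected, 'certificate not yet valid or expired']
  end
  # Chain verification against the CAs we chose to trust, and nothing else.
  return [:rejected, 'untrusted issuer or invalid chain'] unless trusted_store.verify(cert)
  # A valid signature from our CA says the cert is ours; only the
  # enrolment table says whose it is.
  user = users_by_fingerprint[fingerprint(cert)]
  return [:rejected, 'certificate not enrolled'] unless user
  [:ok, user]
end

# Builds the CA, four client certificates, and runs each through the check.
def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = build_cert(subject: '/CN=example-test-client-CA', key: ca_key,
                  issuer_cert: nil, issuer_key: ca_key, serial: 1, days: 3650, ca: true)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)

  issue = lambda do |cn, serial, **opts|
    build_cert(subject: "/CN=#{cn}", key: OpenSSL::PKey::RSA.new(2048), issuer_cert: ca,
               issuer_key: ca_key, serial: serial, days: 365, **opts)
  end
  enrolled   = issue.call('laptop-firefox', 2)
  unenrolled = issue.call('laptop-safari', 3)
  expired    = issue.call('old-laptop', 4, not_before: Time.now - 400 * 86_400)

  # Someone else's CA: its certificates are well-formed but must not log anyone in.
  other_key = OpenSSL::PKey::RSA.new(2048)
  other_ca = build_cert(subject: '/CN=some-other-CA', key: other_key, issuer_cert: nil,
                        issuer_key: other_key, serial: 1, days: 3650, ca: true)
  impostor = build_cert(subject: '/CN=laptop-firefox', key: OpenSSL::PKey::RSA.new(2048),
                        issuer_cert: other_ca, issuer_key: other_key, serial: 2, days: 365)

  users = { fingerprint(enrolled) => 'drnic' } # constructed enrolment table
  {
    enrolled:   authenticate_client(enrolled.to_pem, store, users),
    unenrolled: authenticate_client(unenrolled.to_pem, store, users),
    expired:    authenticate_client(expired.to_pem, store, users),
    impostor:   authenticate_client(impostor.to_pem, store, users)
  }
end

demo.each { |name, result| puts "#{name}: #{result.inspect}" } if $PROGRAM_NAME == __FILE__
```

Running the file prints one line per case: only the enrolled certificate yields `[:ok, "drnic"]`; the impostor fails chain verification even though its subject copies the enrolled device name, the expired one fails the validity check, and the unenrolled one is rejected despite a good signature. Keying the account on the fingerprint also means revoking a lost laptop is just deleting one row, which is the practical answer to the “what if someone copies the cert” worry raised in comment 39.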

  45. Rasputnik Sat, 23 Feb 2008 19:29:03 UTC

    Out of interest, what plugin are you using here for the OpenID comments?

  46. labria Sun, 24 Feb 2008 01:16:17 UTC
  47. topfunky Sun, 24 Feb 2008 04:09:48 UTC

    This would be perfect for the iPhone, but MyOpenID returned this error: “Your browser did not send us a valid certificate request.”

  48. [...] to register or sign in to sites… until now! Tobias pointed me yesterday to an article by Nic Williams in which he describes how to turn OpenID into a Zero [...] using myOpenID

  49. Dr Nic Sun, 24 Feb 2008 07:31:44 UTC

    @topfunky [via] - that’s disappointing since mobile devices definitely fit the “one user per device” model. On the other hand, if you don’t password-lock your phone, your certificates aren’t protected, I guess.

  50. Dr Nic Sun, 24 Feb 2008 07:33:48 UTC

    @Rasputnik [via] - I think I’m using the wpopenid plugin from Alan J Castonguay

  51. [...] Dr Nic » Zero Sign On - 1 better or Infinitely better than Single Sign On? (tags: openid security authentication certificates ssl firefox browser 2008 administration Apple browsers client ssh tutorial webdev) [...]

  52. OpenID and Zero Signon | The Null Pointer Sun, 24 Feb 2008 12:12:43 UTC

    [...] anyone interested in Zero Signon, please take a look at Zero Sign On - 1 better or Infinitely better than Single Sign On? by Dr. Nic. It’s an interesting combination of the new (OpenID) and the old (Client [...]

  53. [...] or Yahoo decides to adopt it). Nic Williams, Dr Nic February 22, 2008 [original link] [Tags: Google, Yahoo!] [...]

  54. Dr Nic Sun, 24 Feb 2008 18:19:16 UTC

    @DavidK [via] - fixed now, thx for the reminder to get off my arse and fix it.

  55. Dr Nic Sun, 24 Feb 2008 20:46:22 UTC

    Lots of very useful comments @ reddit.

  56. dkubb Mon, 25 Feb 2008 05:07:33 UTC

    I found a few tutorials for Apache, but does anyone have any Nginx tutorials on how to do SSL Client Certificate Authentication?

  57. [...] Single sign-on versus Zero sign-on, including a possible incorrect use of OpenID; [...]

  58. shaun Mon, 25 Feb 2008 12:08:35 UTC

    This could solve so many issues for me. Handy!

  59. links for 2008-02-25 « Brent Sordyl’s Blog Tue, 26 Feb 2008 01:27:43 UTC

    [...] Zero Sign On - 1 better or Infinitely better than Single Sign On? “It” is Client Certificates, and to me to means “never logging on with username/password NOR OpenID ever again”. Zero Sign On. It must be better than the much-targetted Single Sign On. (tags: authentication openid) [...]

  60. labria Tue, 26 Feb 2008 03:09:32 UTC

    Well, I’ve made it =)
    http://blog.startika.com/2008/2/25/ssl-client-certificate-login-pt-3
    It’s still a mess, needs lots of refactoring, but it’s certificate-based logon with rails, and it works =)

  61. Dr Nic Tue, 26 Feb 2008 09:24:16 UTC

    @labria [via] - very nice work indeed!

  62. labria Wed, 27 Feb 2008 09:16:23 UTC

    Well, now I made a rails plugin out of the whole thing =)
    http://github.com/labria/restful-authentication/tree/master
    or
    http://blog.startika.com/2008/2/26/ssl-client-certificate-login-pt-4
    Gosh, I need some sleep now…

  63. [...] Dr Nic » Zero Sign On - 1 better or Infinitely better than Single Sign On? - Using client certificates to implement zero sign on. [...]

  64. [...] Dr. Nic’s post explains all of this very nicely, and one seriously wonders why in 2008 we are still struggling with the user/password combination when such convenient options exist. Now we would just need to combine it with GPG… [...]

  65. [...] [OPENID] Zero Sign On - 1 better or Infinitely better than Single Sign On?, drnicwilliams.com [...]

  66. OpenID voor Westlands? | Westlands.Org Sun, 16 Mar 2008 23:46:50 UTC

    [...] while searching for information I came across a number of interesting things. This article by Dr Nic describes the use of OpenID in combination with client side certificates. This article [...]

  67. Mark’s Link Blog » links for 2008-06-04 Wed, 04 Jun 2008 16:31:54 UTC

    [...] Dr Nic » Zero Sign On - 1 better or Infinitely better than Single Sign On? (tags: openid authentication security certificates ssl firefox browser) [...]
