Simple Sign In (SSI)
SSI is designed to be a simple alternative to authentication systems such as OpenID. The most common way people log in nowadays is still through the vanilla username and password combination. Furthermore, this is usually done over insecure connections, unless HTTPS is employed.
There have been numerous issues brought up regarding OpenID. The main issue not addressed perhaps is the fact that it currently fails the PHP test. That is, because the typical PHP installation is not equipped with the necessary tools to utilize OpenID, there is no widescale adoption of OpenID. Until PHP ships with the necessary math libraries that can do the cryptographic voodoo, OpenID is doomed to linger in adoption limbo. Unless of course, you want to delegate the authentication responsibilities to a source controlled by another party, like Yahoo. Even then, there has to be adoption on the consumer level, which is still lagging behind. This should be fixed in the first half of 2008 with the release of PHP 5.3, a release that will come with the tools needed to much more easily implement a protocol like OpenID.
Now, don't get me wrong, the Internet wouldn't be anywhere today without the cryptographic tools that underpin all the eCommerce and business transactions that occur daily. However, that doesn't change the fact that many users still use the vanilla way of authentication. And it is the users that the focus should be on.
SSI is just a login method that fits into the basic model. It doesn't pretend to be wholly secure, but it is easy to implement. If you want to add some security layers to it, you can do that too.
How it Works
SSI is loosely based on OpenID, at least in the sense that there is both a provider and a consumer. The provider is a website that the user has authority over, so the user basically uses the provider as a means to authenticate with a remote party, called a consumer. It also uses another technology known as RESTTA, a REST-based approach for formatting correct URIs. The basic steps in the protocol are these:
Further Details
You can find the detailed specifications HERE. You can also find the detailed RESTTA specifications HERE. If you wish to contact me regarding SSI or discuss improvements (after all, it's still just a draft), please Contact Me. Perhaps a mailing list will be set up soon as well.
Changelog
- 0.3
Added "login_nick" input to the "ticket_gen" resource to take into account multiple IDs per domain.
Moved "hash_func" input to "ticket_provider" resource and renamed it to "nonce_hash_func".
- 0.2
Added "token_hash" input to the "ticket_provider" resource to take into account potential errors on the consumer connection.
Added recommendations on handling token_hash/token_value pairs for providers.
- 0.1
Initial draft
What SSI Doesn't Do
Remember, the goal of SSI is simplicity. It still has some of the same problems as OpenID. For one, users are still putting all their login eggs in one basket. This means that if an evildoer hacks a user's provider name and password, then that evildoer can log in to all the sites the user could log in to. SSI is meant only as a casual login system for forums, web logs, web 2.0 apps, etc. It is NOT meant to be an authentication system that can be used for eCommerce and banking sites. Nevertheless, SSI doesn't cripple itself with extra security layers that can instead be provided by established technologies such as SSL. The simplicity thus allows users to run their own providers easily, so if you are running your own site and a bad guy hacks the provider login, you could just take the site down and change the login information on the spot through a different channel (FTP, cPanel, etc).
The WordPress Plugin
The plugin is designed to work on most WordPress installations, and it allows your WordPress installation to be both a provider (allows you to sign in to SSI sites) and a consumer (allows others to sign in to yours). It also allows you to manage your login information. Also, those that post comments on your site after signing in have their avatars displayed and the comment form autofilled for them.
Download
The latest version can be downloaded HERE
Installation
- Upload `ssi` directory to the `/wp-content/plugins/` directory
- Activate the plugin and the widget plugin through the 'Plugins' menu in WordPress
- Edit the restta.xml file in the ssi directory if your wp installation is in a directory (e.g. mysite.com/wp/). Edit the pathPrefix element to surround the path (e.g. <pathPrefix>/wp</pathPrefix>)
- Move the restta.xml file to the document root. If there already exists a restta.xml file, do not delete it. Open the existing file and merge the appClass tag (along with its contents) in the original file with the other appClass tags in the already-existing file.
- Add the login widget to the sidebar through the widget panel. People won't be able to login unless it's there!
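Steps 3 and 4 above are the ones that get done by hand and are easy to get wrong (overwriting an existing restta.xml, or leaving the pathPrefix empty). The following script, added here as an example and not part of the plugin, sets the pathPrefix and merges the plugin's appClass tags into an already-existing file without removing anything from it. Only the pathPrefix and appClass element names come from the page; the `<restta>` root element, the `name` attribute and the contents of the sample files are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the plugin's restta.xml. Only <pathPrefix> and
# <appClass> are named on the page; the <restta> root, the name attribute
# and the <appClass> contents are assumptions made for this example.
PLUGIN_RESTTA = """<restta>
  <pathPrefix></pathPrefix>
  <appClass name="ssi"><resource>ticket_gen</resource></appClass>
</restta>"""

# Constructed sample of a restta.xml already sitting in the document root.
EXISTING_RESTTA = """<restta>
  <pathPrefix>/wp</pathPrefix>
  <appClass name="other-app"><resource>something</resource></appClass>
</restta>"""


def set_path_prefix(xml_text, prefix):
    """Step 3: surround the WordPress sub-directory with <pathPrefix>."""
    root = ET.fromstring(xml_text)
    node = root.find("pathPrefix")
    if node is None:
        node = ET.SubElement(root, "pathPrefix")
    node.text = prefix
    return ET.tostring(root, encoding="unicode")


def merge_app_classes(existing_xml, plugin_xml):
    """Step 4: keep the existing file, add the plugin's <appClass> tags.
    Existing entries are never removed, and a plugin <appClass> whose name
    is already present is skipped, so re-running the merge is idempotent."""
    existing = ET.fromstring(existing_xml)
    plugin = ET.fromstring(plugin_xml)
    present = {ac.get("name") for ac in existing.findall("appClass")}
    for ac in plugin.findall("appClass"):
        if ac.get("name") not in present:
            existing.append(ac)
            present.add(ac.get("name"))
    return ET.tostring(existing, encoding="unicode")


def path_prefix(xml_text):
    """Inspection helper: text of the <pathPrefix> element, or None."""
    node = ET.fromstring(xml_text).find("pathPrefix")
    return None if node is None else node.text


def app_class_names(xml_text):
    """Inspection helper: name attribute of every <appClass>, in order."""
    return [ac.get("name") for ac in ET.fromstring(xml_text).findall("appClass")]
```

Run `set_path_prefix` on the plugin's file first when WordPress lives in a sub-directory, then feed the result to `merge_app_classes` together with the file already in the document root and write the returned text back out.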