Re: [Auth]A simple serverside authentication scheme

[Adam Theo]

i would first like to apologize for any earlier posts on this thread
that came off as flaming in anyway. i did not mean to, and reading back
on them, i realize i was a lot harsher than i normally am, and intended
to be. i meant no disrespect to Ron and the plug-in model he has worked
very hard on. although i do not personally see it as able to work as
well as a server-side solution, that does not keep me from having a keen
professional interest in it's development and workings. if i have the
time i may even try to help out, although not knowing C may be a
doozy...

Norbert Bollow wrote:
> As the long term solution, we're building a system that can be
> used client-side or server-side (at the user's sole discretion),
> and when it's used server-side, it will be a true distributed
> system.
> 
> For short-term solutions, well if some people believe that
> plug-ins are the way to go, and others believe that server-side
> is the way to go, then maybe both sides should go forward
> with implementing their proposed solutions.
> 
> I really believe that Ron's suggestion is the way to go, and
> going forward with implementing it should not be delayed just
> because you and some others think that a server-based system
> would be better.

hm... after careful thinking, i will agree. it is not easy for me to
conceede, but what you say is very reasonable and fair. this is what i
decide now:

let us proceed with the client-side browser plug-in idea. i personally
hold my deep reservations about it, i'll make clear, but i'm not going
to hold anything against it. i've been kicked in the pants often enough
to know i'm very rarely right, anyway  :-)

my personal preference is still a nice distributed server-side identity
system.

i would take up your proposal of starting to work on a server-side one
here at DotGNU as an alternative to the plug-in one, but i have a better
idea, i think, and i hope everyone will go for it:

this depends upon if DotGNU can end up using Jabber as it's basis (i'm
still advocating it b/c i think it is a near perfect solution, honest).
so this plan of mine will have to be put on hiatus for the next week or
so while i talk with Myrddian and others about Jabber's potential in
DotGNU. assuming we can find some very viable way Jabber can be integral
to DotGNU,

then while all effort here is being done on the worthwhile short-term
plug-in plan, i'll continue work of the jabber-based distributed
server-side identity system at my website: 
http://www.theoretic.com/identity

we will likely have something solid to show for our ideas and efforts
within 2-3 months. at which point, if DotGNU likes it, we can think
about using that as the long-term solution. true, it will at first be
server-side, but as jabber itself moves more p2p over the next year,
then so will the identity system, creating the needed p2p and c2s
qualities of it. i already have ideas for allowing the user to store
their data locally, even from the start.

so, if DotGNU uses jabber, then we keep work at the short term goal
here, and the long term one might be the Identity system over at
Theoretic. sound plausible?

Norbert Bollow wrote:
> 
> Estimate how many HTTP transactions that require authentication
> happen per hour, worldwide.  Choose a percentage goal for the
> market share of these transactions that you would like to be
> handled by our system.  Make this goal big enough that reaching
> it will will prevent Microsoft from dominating the market for
> auth services.
> 
> Compute the resulting load on our auth servers.  Then design a
> system which can handle that load reliably, with 100% uptime.
> Then estimate the required resources.
> 
> It is rediculous to say that it can be done for $20/month.  Sorry.
> Don't believe it when hosting services claim to give you
> "unlimited bandwidth" for $20/month.  There is no such thing as
> unlimited bandwidth, anywhere.
   <snip>
> We're talking about more than just a couple thousand users.
> 
> Microsoft is saying that there are 200,000,000 (yes, 200
> million) accounts on their passport system already.

the one thing i will finally say is that you seem to be under the
impression that because we say 'server-side', we mean from one server or
server farm like MS. this is certainly not the case. i understand you do
not mean it like that, but everything you just said seems to imply that
is what you are thinking. don't worry, i know you don't, just keep in
mind that as i see it, if the internet's resources were that fragile,
how the *hell* could it handle billions of emails, http 'hits', and DNS
calls every day? as long as we keep encryption off the server-side,
resources use will be minimal. i use the very active and successful
email and DNS systems as proof.

Norbert Bollow wrote:
> Nick Lothian wrote:
> > Sorry if this reply sounds like a flame. I am just concerned that bad
> > decisions will be made that will result in lots of wasted time.
> 
> Are you willing to contribute a significant amount of work to
> making an auth system work which is based on distributed servers?
> 
> I feel that what we need right now is proposals from people who
> are also capable of leading the process of implementing their
> proposal, and willing to do so.  I believe this is the case with
> Ron (am I right about this, Ron?) and on top of the fact that
> what he says makes sense IMHO, that is another reason why I am
> supporting his proposal.

ok, i'll stick my foot where my mouth is...

as i said above, i'll try to get jabber accepted by DotGNU to build
itself off of. it provides the structure and addressing already, and is
very flexible and powerful. if i can get this done (help, please?!?),
then i'll say everyone who is interested in a distributed server
identity system please work with me on the Jabber Identity project at
http://www.theoretic.com . i'll be more than happy to work with the
DotGNU community to create solution for both DotGNU *and* the rest of
Jabber.