[FoRK] DNT: another example of "you can't make this shit up"
Gregory Alan Bolcer
greg at bolcer.org
Tue Oct 16 06:18:55 PDT 2012
You can forge sessions and steal cookies. Persistence of identity means
there's just a cryptographic correlation between the two separate
accesses. Web sessions have very specific formats and meanings, most of
which isn't needed to provide sub-resource access.
Simply, the problem I was solving was a couple of things. First,
guaranteeing that a user had paid for access without checking with a
centralized server or a db lookup. Second, eliminating the use of
passwords and user accounts and registration. Third, amortizing the
"pain" of a purchase by reducing the steps to do a secure payment and
then being able to transparently maintain the access tied to the payment
even over time and repeated visits. Fourth, hiding the user identity
from the content provider so that they never see identifying
information, aka cash, while still providing a guarantee.
It's automated provisioning micro-access.
On 10/16/2012 12:04 AM, Stephen D. Williams wrote:
> What is "persistence of identity"? Isn't that just a "session"?
> Identity isn't just a name, it is a unique identity that may have some
> degree of identification and disambiguous characteristics. A session
> should have its own identity. If you want to associate some access with
> the session, then the identity of the user may be how you choose what to
> show but the session is what is being matched between transactions.
greg at bolcer.org, http://bolcer.org, c: +1.714.928.5476
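As an added example (not code from this thread, nor from Bolcer's system), here is one way to get the properties the post lists: a payment gateway that holds a secret key issues an HMAC-signed bearer token after purchase, and any content server that also holds that key can verify it locally with no account, no password and no database lookup. The token names only the resource paid for and an expiry, never the buyer, so the provider learns only that someone paid, which is the "cash" property. The key, the claim names and the resource strings below are constructed for the illustration.

```python
"""Stateless, identity-free access token (added example, constructed).

Issuer and verifier share SECRET_KEY. Verification is a local HMAC check,
so a content server needs no central server or db lookup to know that the
bearer paid for the resource, and it never learns who the bearer is.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo key; in practice this comes from a secrets store.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _unb64(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def issue_token(resource: str, ttl_seconds: int, key: bytes = SECRET_KEY,
                now: Optional[int] = None) -> str:
    """Issue a bearer token granting access to `resource` until now + ttl."""
    now = int(time.time()) if now is None else now
    claims = {
        "res": resource,                # what was paid for, nothing about who paid
        "exp": now + ttl_seconds,       # bounds the damage if the token leaks
        "nonce": secrets.token_hex(8),  # makes each purchase's token distinct
    }
    payload = _b64(json.dumps(claims, sort_keys=True,
                              separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, payload, hashlib.sha256).digest())
    return (payload + b"." + sig).decode()


def verify_token(token: str, resource: str, key: bytes = SECRET_KEY,
                 now: Optional[int] = None) -> bool:
    """True iff `token` is authentic, unexpired and covers `resource`."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.encode().split(b".")
    except ValueError:
        return False                    # malformed: not exactly two parts
    expected = _b64(hmac.new(key, payload, hashlib.sha256).digest())
    # Constant-time compare so timing does not reveal how many bytes matched.
    if not hmac.compare_digest(sig, expected):
        return False
    claims = json.loads(_unb64(payload))  # authenticated, so safe to parse
    return claims.get("res") == resource and int(claims.get("exp", 0)) > now


if __name__ == "__main__":
    tok = issue_token("article/42", ttl_seconds=3600)
    print(tok)
    print("valid:", verify_token(tok, "article/42"))
```

The caveat that ties back to the top of the post: a token like this is exactly as stealable as a session cookie, because possession is the whole proof. Persistence "over time and repeated visits" then means the client stores the token (a Secure, HttpOnly cookie is the usual place), and the short expiry is the only limit on what a stolen copy buys, since a stateless verifier has no revocation list to consult.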