Seemless Single Signon

Sam Ruby rubys at intertwingly.net
Fri May 20 05:23:52 PDT 2005 

I've seen greasemonkey and bookmarklets mentioned in this mailing list, 
but only in the context of pre-filling in fields and the like.

So much more is possible.  Much more.

If you recognize that the desired end result is a specific DSA 
signature, and that many of the clients are able to perform logic and 
via the user at the keyboard potentially have access to all the same 
secrets that the server has, you can streamline everything.

  - - -

Brief outline, from a user's perspective.  I'll pick greasemonkey, but I 
imagine once a proof of concept exists, fans of other browsers will 
quickly provide equivalents.

1) User installs greasemonkey script.  Possibly tailors a few things 
like how long logins are valid for (paranoid=5 minutes, normal=1 hour, 
unconcerned=1 day).

2) User visits web page.  The Verify button is replaced with a login 
button.  User enters the URI and presses login.  This pops up a window 
locally and prompts for a master password.  Once the user enters the 
correct password, the popup goes away, the input field becomes readonly, 
and the login button gets replaced with a logout button.  Note: no 
server interaction, no delays occur.  User continues and ultimately 
submits the form.

3) User visits a second web page, on a different site, before the login 
expires.  The URI is again prefilled in, is again readonly, and the 
verify button is again replaced with a logout button.  The user need not 
perform any overt action to continue.

  - - -

 From a technical perspective, this is not very difficult to pull off. 
There are plenty of simple greasemonkey scripts that do much more than 
this to borrow techniques from.  What is required is:

1) the form itself needs to be standardized enough so that it can be 
readily and reliably identified by the greasemonkey script.  This can be 
as simple as agreeing on a class name.

2) every piece of information necessary to produce the signature needs 
to be similarly readily available.

3) the algorithm for computing the signature needs to be something that 
can be implemented in JavaScript.

- Sam Ruby

More information about the yadis mailing list