Re: Single SignOn

[vamprella () CHICKMAIL COM (Vanna P. Rella)]

On Thu, 24 Feb 2000 12:21:07   Ben Grubin wrote:
> Good lord, I hope this saves you a lot of trouble.

It sure has! Thank you so much for responding :)

> The enCommerce application is unbelievably shaky.  Security wise, since it
> utilizes CORBA services in a multi-tier method, it becomes hellishly unhappy
> to firewall between the CORBA service providers and the clients (such as the
> Netscape Enterprise Server plugin), it's use of UDP also makes this challenging.

Wow, didn't realize it's using UDP. UDP is traditionally insecure. However, if they're using crypto APIs, wouldn't that 
solve the problem?
OK, let me see if I understand this correctly in really super easy basic terms. The client says "hey, I wanna sign on 
to your super cool site" GetAcecss sends a request going through ORB to the Client Implementation. A reply is made from 
the server behind the firewall (holding all types of Phun things) opening UDP ports to talk to the client in the 
Internet Cloud.
Does multi-tier method mean that it

> More importantly though, they used CORBA without a real
> need---it's overly complex.

The only thing I know about CORBA is that it stands for Common Object Request Broker Architecture.
My concerns were originally about using cookies for authentication. Although they'd be 'encrypted' there are still 
problems with cross-site scripting, stealing cookies, replacing cookies, etc. Best practices states that cookies are 
not a Good Thing(tm) when security is a concern. However, I don't really know any other alternative. But now with this 
whole Corba thing on top of it ...

We did a major ecommerce financial
> implementation, and found it's scalability *severely* lacking.  We're
> probably 15 patchlevels ahead of the standard distribution, and even then
> it's the most common component failure in the entire system.

This is great information. In their presentation, they stated something about how UPS uses the service and they're 
getting massive hits and using only one box. They made it seem like scalability wasn't an issue. It was one of their 
selling points.

> At it's core, it's simply an immature product, much like the rest of the
> space, but it does have potential.  I do not have experience with the IBM
> product to compare it.

So, have you worked with any products that were good? Which product would you recommend?

> Hope it helps,
> Cheers,
> Ben
>
> ---
> Benjamin P. Grubin                 / bgrubin () scient com - PGP key available
> Infrastructure/Security Architect / mobile (617) 513-5978 fax (617) 585-3230
> Scient -- Be Legendary           / http://www.scient.com/  ticker://SCNT

***********************************
chickclick.com
http://www.chickclick.com
girl sites that don't fake it.
http://www.chickmail.com
sign up for your free email.
http://www.chickshops.com
boutique shopping from chickclick.com
***********************************