Key Chain for the Web Follow-up
A number of people wrote in about my editorial in TidBITS-279 that proposed that Web browsers support the PowerTalk Key Chain (or at least something akin to it) to deal with the many authenticated Web sites springing up.
Andrew Anker <[email protected]>, president of HotWired Ventures, wrote to defend HotWired’s use of authentication:
We actually offer a number of sophisticated features that result from our use of authentication. Most uniquely, we can generate a custom "What’s New" page for each HotWired subscriber that reports only what you haven’t seen. It looks up in the database (which can track your usage because of authentication) when you last saw each section and when they have changed and only tells you what you want to see.
There’s another higher level where you can set up a profile of what you want to see and what you don’t want to see. It stores your user profile (again, available only because you have to authenticate) and gives you a "your view" page, highly tailored to you as an individual.
I agree that authentication is kind of a pain and by itself is a silly thing to add. But we’re all about adding features that give our subscribers a much better time while in HotWired and that’s why we need authentication.
As to your proposed solution, I’m all for anything that simplifies the authentication process. I suggested a similar system to the folks at Netscape a short time ago, but I don’t know if they are doing anything with it.
Privacy — I also commented in email that authentication could on occasion seem like an invasion of privacy, assuming I didn’t want to jeopardize my future political career by getting caught nosing around a dubious Web site. Andrew responded, "Don’t forget though, that you are vaguely anonymous even with authentication. If you asked me to find out your ID on HotWired, I can only do that if you’ve registered as Adam Engst and/or used the email address <[email protected]>. If you used one of your more obscure email addresses (and we all have plenty of those) and didn’t use your real name, I’d have absolutely no way of finding out who you are or what you’ve done on HotWired. So if I register on some dubious site using the name John Q Public and create a special AOL email account (like John5342) for anonymity, they would have no idea that Mr. Public was actually me."
Reginald Braithwaite-Lee <[email protected]> commented that adding this sort of authentication is possible via AOCE. When I expressed surprise, since I’d been told that Apple hasn’t yet published the relevant information (although it may appear in the near future), Reginald wrote:
It is true that the templates for the Key Chain and AppleTalk Addresses are not published; however, Chapter 9 of New Inside Macintosh (AOCE Application Interfaces) details the Authentication Manager, which supports the features you describe. Although it is mostly about authenticated communications using a PowerShare server, it has plenty of support for using the PowerTalk local identity to "unlock" various services.
In the interests of encouraging this kind of work, you might direct your readers to the AOCE mailing list. I have received a number of excellent replies to the questions I have posted there. The address is <[email protected]>. It is moderated by Gavin Eadie <[email protected]>, who wrote several AOCE samples, which I have been converting to CodeWarrior. Also, Joshua Baer <[email protected]> maintains a useful AOCE home page at:
Another approach, admittedly more of a kludge, would be to create a CSAM (Catalog Service Access Module) with templates for the various identities you possess as you register with Web servers. The nice thing about this approach would be the possibility of accessing them through the desktop Catalogs icon. A button in the template could launch your Web browser and go to the page in question. Since this would be a CSAM, it would automatically be inaccessible without opening your Key Chain. This approach may or may not be as secure as using the Authentication Manager. A similar template from Martin Simoneau (without the authentication feature) has been available for some time.
Brian Korver <[email protected]> comments that work is being done on the problem of automatic authentication as part of the Secure Hypertext Transfer Protocol. It wasn’t inherently obvious to me, but perhaps I simply didn’t read the specification closely enough.