More and more people have access to the internet. These people spend an increasing amount of time on the web. On the web are many websites on which the user has to authenticate itself; in many cases with a username and password combination. Using the same combination on every site is unwise. This is where Single Sign On (SSO) gets into the picture.
SSO allows users to use a single account on one site to gain access to multiple other websites. Even in the scenario of SSO there are still some pitfalls in using a username and password combination. An attacker has several options to gain access to the account. Using a certificate from a Certificate Authority (CA) based on the Public Key Infrastructure (PKI) would following Barthold Derlagen and Onno Berfelo resolve the security issues of logon credentials.
OpenID is an open standard, it is open source. OpenID is decentralized which means that authentication does not need to take place on the site that offers the service. Within OpenID there are three parties, the User, Identity Provider (IdP) and Relaying Party (RP). The IdP provides the user with an identity and an identifier. The user can provide his identifier to the RP. The RP will then redirect the user to the IdP. The user will authenticate himself to the IdP. The IdP redirects the user back to the RP. The RP then accepts that the user has identified himself. The only thing, OpenID could have, are trust problems. On this point comes CAcert into the game.
CAcert is not unlike a common CA. It does, however, use a Web of Trust to verify the identy of their users. CAcert has assurers which are users with 100 or more assurance points who have successfully taken an assurer test. The assurer can then grant the user points. Once a user has 50 or more points he is deemed assured which will unlock various options in generating certificates.
While Barthold Derlagen and Onno Berfelo proved in a master’s thesis (“How to use the CAcert infrastructure within an OpenID context?”) that CAcert certificates could be used for SSO with OpenID, a project group of volunteers from the CAcert community has implemented exactly that – with OpenID Connect. The new CAcert SSO with OpenID Connect is currently available for Drupal, WordPress and Nextcloud. Interested? Then read more about this in our wiki or download the illustrated manuals.
If you are happy with the new functions of CAcert OpenID Connect, done by our volunteers, please consider to donate: Donations IBAN CH02 0077 4010 3947 4420 0
P.S. If your CMS is missing, please get in touch with our project team. It would be happy to create together with you an other CAcert OpenID Connect access that fits your needs.
