dotGnu AIS

Working clients and servers are now available on CPAN

read the long-winded presentation here

join the AIS developer's mailing listhere

Help needed:

Anyone feel like redrafting the AIS presentation in IETF RFC format?
Write different servers that do cool things like exporting Windows 2000 log-in data
write AIS clients in other CGI languages (such as C, Python, Java)
Verify and torture-test the perl AIS client in mod_perl environment
Configure perl AIS client for use with mod_perl and a SQL back-end

The following is now (July 2002) of historic interest only.

TJAIS
TipJar Authenticated Identity Service

TJAIS is a working, public, protected, identity service.

If you need a quick and simple way to insist that you only deal with people who are providing you a valid e-mail address that works and that they in fact have access to, TJAIS may be just the thing for you.

Log out from current TJAIS identity

TJAIS is a system for implementing a "single sign-on" useful to web application developers.

Before a web application can determine your identity with TJAIS, you must authenticate yourself to TJAIS. If you have a TJAIS "magic number" e-mail, click on the log-in link contained within the e-mail message to authenticate yourself.

(they don't expire currently. How long should they be good for?)

Steps in TJAIS providing identity info to an application

1: the application generates a session certificate for internal use for tracking the current user session. For this documentation, let's call the certificate LKJHG6789, and use that string in all the examples. The user's web browser is directed to present this certificate to TJAIS for association, by opening a new window or frame which will display the page http://www2.tipjar.com/bin/AISpresent?LKJHG6789.
To avoid sending sensitive session certificates to an untrusted third party (the TJAIS service) a presentation request can use the word "secure" for the certificate, which will cause TJAIS to generate a unique certificate and append it to the (step 4) redirection URL.
Example: Click here for a full demonstration.

2: The user's web browser displays the page, informing TJAIS of the session certificate.

3: TJAIS associates the certificate with the user's identity, and e-mails the user a receipt. Please do not inconvenience your users with redundant authentications! One per session should be enough.

4: After enough time has elapsed for steps 2 and 3 to happen, the application queries TJAIS as to who is using the session certificate, by opening up port 80 at www2.tipjar.com and issuing a GET request for /bin/AISquery?LKJHG6789. TJAIS provides a facility for redirecting user browsers to specific URLS on successful authentication: "&R=(...)" can be added to the AISpresent query string, providing a URL where the browser will be redirected to after ten seconds.
Unlike the example above, which skips step 4 completely, the application must provide a dynamic web page triggered by the loading of the redirection URL, and then open its own communications channel to TJAIS to request the mapping. I recommend postponing assignment of a session cookie until after your program has received the "IS MAPPED TO" message.

5: TJAIS replies with a short HTML page containing the session certificate, the words "IS MAPPED TO" and the user's identity, or a page containing the words "NOT MAPPED" if the certificate is not mapped to any identity yet. Session certificates may be discarded after 24 hours, and will definitely be discarded after 48 hours.

TJAIS security

TJAIS is not at this time protected by SSL, or even GPG-encryption of the magic number e-mails. It is therefore vulnerable to a wide variety of highly impolite infrastructure-level compromise strategies, making it inappropriate for your serious spy-vs-spy kinds of applications. This may change.

Compromise strategies based on encryption, however will not work, unless Mallory is already snooping your line. The TJAIS "magic number" that authoritatively identifies someone is never given to the application, only to TJAIS, and it can be revoked at any time, and users receive e-mail notifications, including a revocation link and browser IP address information, of every ( step 3 ) query.

Integration with TipJar Transaction Service

TJAIS is designed to integrate well with the TipJar Transaction Service towards providing an infrastructure for pay-per-view and pay-per-page and subscription-based web content revenue models. Boilerplate CGI code implementing these things may be forthcoming: please contact me if you would like to discuss developing such an application, or if you would like your code distributed or linked to from here.

TJAIS privacy policy

TJAIS is not being used to harvest e-mail addresses. The administration of this service has very little patience for e-mail harvesters, list sellors, and cockroaches, and will not hesitate to block IP subnets at the first hint or report of abuse.

Abuse

Multiple presentations of unassociated certificates may result in blocking of, and complaints being made to the persons responsible for, your IP address range.

Terms of Service

TJAIS is a free service provided on an as-is basis. It is guaranteed to provide only authenticated identities when used according to instructions.

TJAIS is a tipjar.com nettoy.

Questions or comments?