From fcf8de6de487af0c74ceab8d2ae8b4d8d74ee357 Mon Sep 17 00:00:00 2001 From: wbamberg Date: Fri, 24 May 2024 11:26:20 -0700 Subject: [PATCH] Apply suggestions from code review Co-authored-by: Estelle Weyl --- files/en-us/glossary/federated_identity/index.md | 6 +++--- files/en-us/glossary/relying_party/index.md | 2 +- files/en-us/glossary/salt/index.md | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/files/en-us/glossary/federated_identity/index.md b/files/en-us/glossary/federated_identity/index.md index 73ea5e1f0e2cb19..83733051a1b7307 100644 --- a/files/en-us/glossary/federated_identity/index.md +++ b/files/en-us/glossary/federated_identity/index.md 
@@ -17,11 +17,11 @@ In a federated identity system, an _identity provider_: - manages a user's credentials and can authenticate users - is trusted by multiple websites to make assertions about a user's identity. -A user can then authenticate with the IdP, which will return a token to the user's browser if authentication was successful. The user's browser will send the token to the website, who can verify that it was issued by the IdP. If the verification succeeds, the website can sign the user in. +A user can then authenticate with the IdP, which will return a token to the user's browser if authentication is successful. The user's browser will send the token to the website, which can verify that it was issued by the IdP. If the verification succeeds, the website can sign the user in. -Federated identity is often provided as a service by corporations: for example, users who have Google, Microsoft, or Facebook accounts can use them to sign into many websites. Websites typically have to implement a process for verifying tokens that's specific to an identity provider. However, open standards such as [OpenID](https://en.wikipedia.org/wiki/OpenID), [OAuth](https://en.wikipedia.org/wiki/OAuth), and [SAML](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language) are widely used in the implementation of federated identity systems. +Federated identity is often provided as a service by corporations: for example, users who have Google, Microsoft, or Facebook accounts can use them to sign in to many websites. Websites typically have to implement a process for verifying tokens that is specific to an identity provider. However, open standards such as [OpenID](https://en.wikipedia.org/wiki/OpenID), [OAuth](https://en.wikipedia.org/wiki/OAuth), and [SAML](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language) are widely used in the implementation of federated identity systems. 
-Although federated identity makes life much easier for users and can greatly improve security, it can have serious implications for a user's privacy. If not carefully designed, a federated identity system can allow identity providers to track users across the web as they try to sign into sites. Early federated identity systems on the web were built on technologies such as third-party cookies, which are intrinsically privacy-invasive, and as these technologies have been deprecated by browsers, new approaches are needed. The [Federated Credential Management (FedCM) API](/en-US/docs/Web/API/FedCM_API) aims to standardize a privacy-preserving mechanism for federated identity on the web. +Although federated identity makes logging into multiple different accounts much easier for users and can greatly improve security, it can have serious implications for a user's privacy. If not carefully designed, a federated identity system can allow identity providers to track users across the web as they sign into multiple different sites. Early federated identity systems on the web were built on technologies such as third-party cookies, which are intrinsically privacy-invasive. As these technologies are being deprecated by browsers, new approaches are needed. The [Federated Credential Management (FedCM) API](/en-US/docs/Web/API/FedCM_API) provides a standardized privacy-preserving mechanism for federated identity on the web. ## See also diff --git a/files/en-us/glossary/relying_party/index.md b/files/en-us/glossary/relying_party/index.md index 5bd2a252aaff3fb..7ec24306d068897 100644 --- a/files/en-us/glossary/relying_party/index.md +++ b/files/en-us/glossary/relying_party/index.md 
@@ -6,7 +6,7 @@ page-type: glossary-definition {{GlossarySidebar}} -A **relying party** is an entity that needs to control access to some resource, and to do so needs to authenticate other entities that are trying to access the resource. On the web a relying party is usually a website that allows users to sign in, and needs to authenticate users (for example by checking a password) before deciding whether to grant them access. +A **relying party** is an entity that needs to control access to a resource and, to do so, needs to {{glossary("authentication", "authenticate")}} other entities that are trying to access that resource. On the web, a relying party is usually a website that allows users to sign in and needs to authenticate users (for example by checking a password) before deciding whether to grant them access. The website _relies on_ the validity of the credentials the browser presents when it grants access to its resources. diff --git a/files/en-us/glossary/salt/index.md b/files/en-us/glossary/salt/index.md index 82115cd43ddb42b..ee19590ab462b57 100644 --- a/files/en-us/glossary/salt/index.md +++ b/files/en-us/glossary/salt/index.md @@ -20,6 +20,6 @@ To derive a password from a hash, attackers can look up the password correspondi Although these tables may be very large, such attacks can be effective because table lookup is a fast operation. -Adding random salt to passwords before hashing them stops this attack from working, because the hash is not calculated over the password itself, but on the password combined with the salt. +Adding random salt to passwords before hashing them stops this attack from working because the hash is not calculated based on the password alone but on the password combined with the salt. Unlike the password, the salt does not need to be kept secret: it can be stored alongside the salted and hashed password in the server's database.
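Review bot: in the federated_identity hunk, "The user's browser will send the token to the website, which can verify that it was issued by the IdP. If the verification succeeds, the website can sign the user in." describes only an issuer check; a token that really was issued by the IdP but was issued for a different website, or has expired, must still be rejected, so suggest "which can verify that it was issued by the IdP, is intended for that website, and has not expired." Two wording points in the same hunk: "provides a standardized privacy-preserving mechanism" asserts more than the original "aims to standardize" did about the status of FedCM, so unless the intent is to state that it is already a finished standard, "is a proposed standard for a privacy-preserving mechanism" is safer. And "makes logging into multiple different accounts much easier for users" inverts the benefit (federation lets one account be used on many sites) and uses "logging into" / "sign into" in the paragraph right after the hunk's own change to "sign in to"; suggest "makes signing in to multiple sites with a single account much easier for users" and "as they sign in to multiple sites" ("multiple different" is redundant in both places).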
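Review bot: in the relying_party hunk, "(for example by checking a password)" needs a comma after "for example", and since the rest of this change set is about federated identity, password checking is the one example in which the relying party relies on nobody else; consider "(for example, by checking a password or by verifying a token issued by an identity provider)", which also makes the trailing context line "The website _relies on_ the validity of the credentials the browser presents" match the name being defined.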
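Review bot: in the salt hunk, "Adding random salt to passwords" should say that each password gets its own salt ("Adding a unique random salt to each password before hashing it"): one salt shared by every stored password only forces the attacker to build a fresh table for that one site, and it lets two users with the same password be spotted as identical hashes. "stops this attack from working" is also true only of the table-lookup attack the preceding context lines describe; it does nothing against brute-forcing an individual hash, so "stops this precomputation attack from working" is the more precise claim. Minor: "not calculated based on the password alone but on the password combined with the salt" reads awkwardly; the original "calculated over" phrasing ("not calculated over the password alone, but over the password combined with the salt") is cleaner.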