Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror
×
Security

Liberty Alliance Releases Specifications 127

Posted by chrisd from the fraternity-and-equality-are-next dept.
Darren.Moffat writes "Has the time come for Passport to move over ? Technical Specs of the Liberty Alliance Project technology are now available from the website and were officially announced at the Burton Group conference today." We've done stories on the Liberty Alliance and digital identity before.
This discussion has been archived. No new comments can be posted.

Liberty Alliance Releases Specifications More

Liberty Alliance Releases Specifications

Comments Filter:

  • Digital Identity? (Score:3, Funny)

    by imadork ( 226897 ) on Monday July 15, 2002 @10:05PM (#3891260) Homepage
    As I keep telling my friends who are Analog IC Engineers, there are only two identities for digits -- '0' and '1'. How hard can this be?
    • " Tell me what you eat, and I'll tell you what you are."

      So that means that today I am a veggie burger, some now and laters, a small jalapeno and pineapple pizza, garlic bread, salad, 2 red bulls, and ten or so cokes.

      Cool.

      Oh, and a peanut butter twix bar. Damn those things are good.

      About your post: there are three states : 0, 1 and undefined.
  • Thanks to Sci-fi, we've got all sorts of horrible ideas ready for the technology that isn't here yet. Stolen identity, practically doesn't exist, blah blah blah.... People are always slow to take to such a technology.

    • Re:Wonderful (Score:2, Insightful)

      by Anonymous Coward
      Stolen identity doesn't exist? Care to tell that to the thousands of people each year that have their credit hijacked. It's amazing the stuff you can do with a SSN.

  • Media Coverage (Score:3, Informative)

    by jmd! ( 111669 ) <jmd.pobox@com> on Monday July 15, 2002 @10:06PM (#3891268) Homepage
    E-week story about this is here:

    http://www.eweek.com/article2/0,3959,382210,00.asp [eweek.com]

  • whew... (Score:4, Interesting)

    by Em Emalb ( 452530 ) <ememalb.gmail@com> on Monday July 15, 2002 @10:09PM (#3891282) Homepage Journal
    I was thinking rather pessimistic about all this, until this little beauty popped up:

    "The Liberty version 1.0 specifications do not involve the exchange of personal information. Instead, they involve a format for exchanging authentication information between companies so the identity of the user is safe, and specific details about the customer's identity are not shared. The user may choose which accounts he/she wants to link, and may maintain separate identities in different locations while still benefiting from a seamless sign-on experience."

    So, it's cool. Well, not that Em Emalb would be targetted anyway, more along the lines of some poor dude named Pete Slashtaco (who for some reason, lives in New York City 10101) and makes $15,000 a year working as a CEO of a Fortune 500 business with 250,000 employees. Poor, poor Pete.
    • Sounds more like Netscape 4.X's roaming access.

      I used to be able to go to any Netscape 4.X system, point it to my web server server and have it pull down my bookmarks, mail filters, cookies, mail server configurations, and a few other things (like digital certs).

      That is the only reason I would like a single-sign on.

      You'll get no more personal information from me than I want you to have. Personally, I could care less if you get my zdnet/slashdot uesr id and password. BFD.

      But, you'll NEVER find me storing credit card numbers, my on-line banking user id/passwords, my stock trading site user id/password.

  • All of these identification systems seem to be like the IdentiEze from the hitchhikers trilogy[Some slashdotter tosses a towel at me screaming "attack," I can see it now], or the SIN system popularized by Gibson and that genre of literature[As well as RPGs such as Shadowrun]. Eventually will we be moving to a point where anonymity is a comodity that puts you completely into some form of shadow world?

    I hope not, I like my data being spread out, having one system (Passport or LA's) may be convienant, but it's certainly not good for those of us who like to wear tinfoil hats.
    • The technology itself is not inherently evil. I would love a centralized system to manage my entire life for the sheer fact that it's simplicity allows me more time to do other things than manually manage aspects of my life which automation could (and should) coordinate. Unfortunately greed (aka business) has become so desensitized to the layman that they honestly couldn't care less what you do with the service provided someone makes a buck.

      Problem is too many businesses are like this. You don't make money by being nice to people, and functionality to benefit us can just as easily grab and administer marketing strategies. Take the internet for example: originally designed as an amazing place for people to exchange information at a dizzying pace. To simplify session handling for something as limited as a website we developed the cookie. Enter the Gator (or your favourite brand of greed-motivated advertiser) who sees the potential to capitalize on this wealth of knowledge and voila, 200 popup windows before I manage to wade through onto slashdot. Did I mistakenly post my email address describing my company's services? Obviously that means I want info on naturally enlarging my penis through a home based business that can earn me $500 per day offering a flavour of the month pyramid scheme.

      Bottom line: It's a good idea, but wouldn't work in a system where knowledge is power is money. ...Just you wait, my next Toyota with the voice activated system will one day say: "We've opened your door Matt, would've been faster had you bought a Lexus"

      Thank you from Telus.

      -Matt

      ---

      Got web hosting? RackNine [racknine.com]
    • Actually, Passport (I haven't checked out the Liberty system yet) does remind me of the Ident-I-Eaze card... instead of the effective, reliable method of ID (fingerprint, skin scrapings, etc) all of the ID proof is rolled up into one tiny little package that can be easily stolen.
  • What companies are on the Liberty Alliance Management Board?
    A.There are currently 16 companies on the management board. They are: American Express, AOL Time Warner, Bell Canada, Citigroup, France Telecom, General Motors, Hewlett-Packard Company, MasterCard International, Nokia, NTT DoCoMo, Openwave Systems, RSA Security, Sony Corporation, Sun Microsystems, United Airlines, and Vodafone.

    Some big names sure .. but in reality these companies are just as money hungry as Microsoft .. is entrusting your purchasing habits to these guys really a good idea?

    • Re:who to trust ..? (Score:3, Insightful)

      by Tony-A ( 29931 )
      I'm sure the companies are all money hungry, but somehow I don't think any of them would accept any of the others using Liberty Alliance as their own private data source. There's more than one degree of separation going on here.
    • Some big names sure .. but in reality these companies are just as money hungry as Microsoft ..
      ... and they don't want to pay the Microsoft tax...
    • It's much better to have the corporate weight distributed. Each one is money hungry, sure, but none of them wants to be culpable for any of the others' malfeasance. They'll police each other on these matters, certainly.

      Also, if they want to find out your purchasing habits they already can and do. If you're worried about that but you still want to do business online, you're going to be in for a rude awakening.
    • but in reality these companies are just as money hungry as Microsoft

      But they can't exploit it asif they where a single company, nor they can have exclusive rights to be members: everyone can join and support it.

      It's MUCH better, can't you see that? If this passport thing is going to happen, then i'd preffer a lot of members and not a single provider, single technology.

      Why would a 1 company monopoly be any better than this? I am totaly in for Liberty Alliance.
    • From what I understand, Microsoft is buying into it as well?!?
    • Some big names sure .. but in reality these companies are just as money hungry as Microsoft ..

      Yup, they're money hungry allright. And they've found a big, and likely to grow, niche, namely people who do not want to do business with companies that share and sell their private information, as if their customers were little more than product themselves, objects to be owned, ie. slaves.

      They've bet that, by offering a service that provides the same convinience Passport claims to provide, while maintaining the integrity of their customer's privacy, that they will gain market share in so doing, at the expense of those who use passport and pass around their customer's private data like some cheap sexually transmitted disease.

      And they are probably right, which means that by protecting our privacy from the likes of telemarketers and Microsoft, those money hungry companies are going to make even more money.

      I'm the first to criticize the idiotic notion that capitalism is somehow a panacea for all our ills ... as often as not it isn't ... but it should also be pointed out that the profit motive doesn't assure unethical behavior, and this looks like a clear case where ethical behavior actually offers a competetive advantage.

      is entrusting your purchasing habits to these guys really a good idea?

      No, which is why you do not want to use Passport, and why the design of the Liberty Alliance scheme, which does not share or even link to personal information, is so much superior and preferable to Microsoft passport.

  • Interesting Convergence (Score:4, Interesting)

    by Zeinfeld ( 263942 ) on Monday July 15, 2002 @10:21PM (#3891337) Homepage
    The problem I have with Liberty is that Sun appear to be more focused on stopping Microsoft than on developing a product that is going to succeed on its own merits.

    Ironically, passport started as a stop AOL Instant Messenger affair. So I don't think it is impossible that Passport and Liberty will eventually merge.

    On a technical level this is certainly possible and if folk look hard at the underlying SAML spec that Liberty is based on you will notice that there is an interesting intersection between SAML and the GXA world.

    • Liberty alliance is more then just sun and there is nothing wrong stopping Microsoft.
    • The problem I have with Liberty is that Sun appear to be more focused on stopping Microsoft than on developing a product that is going to succeed on its own merits.

      This is unfounded. The Liberty Alliance is an association of companies who are looking for the most pragmatic (simplest) solution to dealing with on-line identities. There was an interview the chairman of the alliance, where he said that they would all pack up and go home if there were already a suitable technology. They just want something useful and not controlled by any single entity, so they can get on with their lives on the WWW.
    • That is a common misconception of Liberty. At the Burton Group conference, Eric Dean, Chairman of Liberty and CIO of United addressed this. Sun was one of the founders of Liberty, but immediately after it was formed, they stepped back and let the other companies drive. Liberty is not about designing a product, but about designing the standard for SSO.

      Microsoft also announced at the conference that they will be developing SAML under WS-Security, which is a group under Oasis (http://www.oasis-open.org). It is still too soon to see if MS's SAML will be compatable with the main Oasis SAML or with Liberty's version.
      • That is a common misconception of Liberty.

        It is a very well founded observation based on many hours of contact with the people behind Liberty.

        Microsoft also announced at the conference that they will be developing SAML under WS-Security, which is a group under Oasis (http://www.oasis-open.org).

        I very much doubt they said that. I suspect that what they said is that they will be working with WS-Security group in OASIS so that WS-Security can carry SAML authentication assertions as WS-Security credentials, just as the SAML group has stated that they will be developing a WS-Security binding of SAML.

        Microsoft has no control over the WS-Security group in OASIS and I don't believe that their people would make a public statement which implied they did. A Microsoft person is nominated to be a co-chair of the WS-Security working group but the working group decisions are taken by the TC members and the meetings run acording to Roberts rules of order. If Microsoft wanted a rubber stamp they would have done what everyone else does and taken the thing to ECMA or whatever.

        However it is fairly obvious that some people wanted the SAML/WS-Security harmonization was going to happen given that the editor of the core SAML spec is also an author of the original WS-Security proposal.

  • yahoos! (Score:1, Funny)

    by Anonymous Coward
    do you really want to trust your information to a bunch of open source yahooos? At least Microsoft is a big name, and therefor accountable, or at least sueable!

  • if you don't want to register (Score:5, Informative)

    by BlueLines ( 24753 ) <(slashdot) (at) (divisionbyzero.com)> on Monday July 15, 2002 @10:26PM (#3891358) Homepage
    a direct link to the specs is here [projectliberty.org]

    -BlueLines
  • It looks like this is something relatively simple (on a conceptual level), very flexible, and has a lot to offer businesses that need to interoperate without selling their soul to an unnamed software giant.

    There also seems to be a lot of big names standing behind the Liberty Alliance, which gives it so much more clout in the business world than it could ever achieve through just good design.

    • Nothing which requires 1.8Mb of compressed PDFs to describe can fall into the category "simple".

      • True Twylite, but like so many business documents from big corps, 99% of them is fluff. Several pages are blank, some are devoted to a list of sponsors etc. Quite a lot of it is like this: "Federated identity is the key to reducing this friction and realizing new business taxonomies and opportunities, coupled with new economies of scale".

        Now to us lot, who are mainly I'd guess engineers, that sentance means nothing. It's just filling airspace, because it'll be read not just by developers but also their business oriented bosses who find stuff like this interesting and informative. Also - look at the prices! Do you think a company that spent $120,000 is going to be happy if all they get back for that work is a 10 page RFC?

        • If my company spends $120,000 and I still have to spend two weeks thoroughly reading a document to comprehend it, then I shit all over the upper echelons. At that price I expect information, not data.

          While I accept your point, I must counter that the Bindings and Profiles document runs over 50 pages (excluding title, ToC, references), and is almost purely technical. The Protocols and Schemes document is a further 20; and that's not the end of the technical specs.

          Printed, the SOAP specification is a little under 20 pages, and XML a little under 50; both are laid out in a similar manner to these documents, and include examples, reference tables, etc. And XML can hardly be considered a simple specification (MS XML and Xerces are still trying to get fully compliant, many years on).

  • If this is implemented right, this may leave Microsoft gasping as their DRM and Palladium initiatives get left behind as "so 20th century"

    The rest of the world may be expanding the digital world so fast that MS continues to shrink in relationship to it.

    well, one can always hope.


  • I was wondering why this thing was even getting mentioned, then I checked out the list of member companies [projectliberty.org] and if anyone can get this in wide use it's these companies.

    Maybe it has a chance.

  • Just as scary as Passport? (Score:3, Insightful)

    by aaron_pet ( 530223 ) <aaron_pet&hotmail,com> on Monday July 15, 2002 @10:32PM (#3891392) Homepage Journal
    What makes this better than passport? Is it just that it doesn't have MS in front of it? Is it because it has the word "Liberty" in it? Both have words relaiting to freedom: Pass and Liberty. Both have little to do with freedom. Absoultue Annonominity or Full Disclosure must be present for freedom. If there is a monitoring agency that can restrict what it sees to itself, it is inherently flawed. It must fully disclose everything, to everyone... And that is non trivial... But probably worth pursuing. Untill then, We should not have a self accountable agency like these systems that base decisions on limited, selected for cheapness/support viewpoint information. I propose that everyone give everyone else their MS passport passwords etc... make copies of fingerprints and retnas etc, and distribute them freely (An idea similar to one that Richard Stallman has promoted)
    • What makes either of them "scary"? Passport is quite simply a method of "one user, one identity" (and for that it is brilliant. I recently was tasked with designing an authentication required system, and Passport was a heavy contender. The alternative, of course, is that most people just leave after being forced to create YET ANOTHER identity at yet another site), but the reality is that you can have as many identities as you want, and nothing whatsoever guarantees that you've actually given Microsoft the correct information at all (I don't recall them requiring photo ID to sign up for a Hotmail account yet).

      In a nutshell this is just a centralized user/password authentication system, because without something like this becoming widespread sites that require authentication will continue to seem to be more of a nuisance to people : How many times have you followed a link to be brought to the New York Times page only to say "Aw forget it...." (maybe you got an account at one point, but it's among hundreds of accounts that you've long since forgotten the passwords to).

      • One ID string would be nifty per person.

        I think we should have peer to peer authentication. Each person will be their own central certification system, and certify friends and family to use their ID. This would form a large network. That should be traceable.

        I am the only central identification system for myself. NO piece of paper or bits represents me officially. No signatures, no pictures, no retnal scans, no fingerprints.

        I personally like to have multiple usernames and passwords with varing security.

        I give out my password to things that I view as public (My hotmail account is public... and now The stupid people at microsoft have made it my "Passport")

        I tell my friends my root password on my toy machines,

        I tell select individuals the password to public servers

        For "Secure" sites, I will seal the password in an envelope and put it in a safe deposit box

        For Super Secure sites, I would do more.

        I give passwords to my friends for subscriptions to online content. If I buy so many credits, I should be able to give them to somebody else.

        So:I guess what I am saying is:

        We need an Identity Tunneling system, where I can authorize my friends to act in my name... and so then... I would be the central identity server For myself...

        Oh wait... If we let microsoft be the identity server, wouldn't microsoft etc be liable for all actions done on our account? If that is the case, Yippie, Create a username and password for me... We will be acting under the central authentication networks name!

    • Comment removed based on user account deletion
    • Well, Liberty Alliance will not carry personal data. An uses very different technology from MS-Passport [avirubin.com].
    • Basically it's less scary because it's less centralized. A single compromised authority doesn't take down everyone.

      Fundamentally, this seems similar to a "web of trust", only the initial trusted parties are going to be corporations. Whether they will ever agree to trust someone else is an interesting question. But if they don't, then I won't trust them, though I may use them.

      There's a lot of details not known yet, so it's too soon to start deciding just how to feel about it. If they handle it correctly, it could be a liberty enhancing thing. If not ...

      Someone claimed that it was quite like the Shibbolith project http://shibboleth.sourceforge.net/ which is an LGPL licensed project. Be interesting to know how much of the code they used.

  • You need to provide them with personal information in order to read about how they propose to manage your personal information. That's a fitting start.

    What's the deal with the whole single sign-on thing, anyway? "Liberty" from Passport through yet another centralized login system. Great. Like having the enemy in your sights, turning the shotgun around, and blowing your own head off.
    • You need to provide them with personal information in order to read about how they propose to manage your personal information.
      I thought so, too, until I noticed that the first option on the "register" page is to skip registration and go straight to the download.
    • Comment removed based on user account deletion

  • Can someone translate into English? (Score:4, Interesting)

    by slamb ( 119285 ) on Monday July 15, 2002 @10:51PM (#3891467) Homepage

    I downloaded the specification, but it's obnoxiously long/buzzwordish and my Linux PDF software sucks. I've got some pretty basic questions I'm hoping someone can answer:

    • Are passwords ever sent through service providers?

      One would hope they are only sent to the identity provider, and encrypted. But this talk of using existing deployed clients makes me nervous, since I don't see how both things are possible together.

      They mention HTTP redirects...I think you go to the Service Provider's page, they redirect you to the identity provider as the form action, and they redirect you back, authenticated. That doesn't seem like a good plan to me, no one will actually check that the form action goes elsewhere.

      I'd be much more comfortable with something similar to Kerberos: you get a TGT (ticket-generating ticket) from the Key Distribution Center (excuse me, Identity Provider) and use that to provide a ticket to the Service Provider. That ticket can't be used elsewhere and will be invalidated after a certain length of time.

    • Does it work for protocols other than HTTP?

      I'd like to use it to authenticate with HTTP, SSH, IMAP, SMTP, and Jabber - probably others I'm forgetting, too. A GSSAPI and/or SASL mechanism would help a lot here.

    • Who can set up providers?

      I'd hope that anyone can set up Identity Providers and Service Providers at little or no cost and have them work with major players. I think this would require

      • a good Public Key Infrastructure. The existing X.500 PKI used for web stuff now costs ~ $100/yr/certificate to get a widely-trusted CA to sign your key. DNSSEC might end up being free (depends on what the TLD people do, I think) but isn't really deployed yet
      • addresses that make it obvious what Identity Provider they belong to. I.e., email-style with SRV records or something.

    • Can multiple Service Providers requiring the same credentials without knowing the identity is the same?

      Here, I think the answer is yes. They said something about opaque tokens that gave me hope. I'd like clarification, though.

    • re: "Does it work for protocols other than HTTP", even though it uses SOAP in places the thing is hardwired to HTTP and WAP. Other protocols (Jabber, SMTP, etc.) need not apply :-(.

      There's plenty of other things to complain about in the current set of specs, I wrote up some of them on my weblog [razorsoft.net].

      Digital Identity also has some initial comments here [digital-identity.info], and Doug Kaye [rds.com] is promising comments soon, too.

      --Peter
      http://www.razorsoft.net/weblog [razorsoft.net]

    • I'd like to use it to authenticate with HTTP, SSH, IMAP, SMTP, and Jabber - probably others I'm forgetting, too

      Also LDAP, PostgreSQL, Oracle

      And another question:

      • Is the authentication to the Identity Provider flexible?

        Someone said that the best authentication systems use two of:

        • something you are (biometrics)
        • something you have (smart card)
        • something you know (password)

        It would be nice if this system was flexible enough to accomodate that idea, rather than limiting it to a password.

        Especially if I have one password for many important systems, I won't want to type it into an untrusted terminal. There are plenty of other choices:

        • Ideally, I would have a small (smartcard-like) physical device that carries an encrypted private key and has a small keypad. I plug it into the terminal. I enter into my device a PIN number (not the terminal! the terminal should never know the password), it (again, my device, not the terminal) uses the password to decrypt its private key and then sign a mutually agreed-on token. So no replay attacks. Someone would need to grab your smart card and guess your PIN number to compromise your identity. With just a password, anyone who can tamper with the terminal would be able to log in as you whenever they want. Bad enough when it's just one system.
        • One-time password systems can accomplish the same goal (defeating replay attacks) without requiring a physical device and attachments on terminals. At a cost, of course. If it's stolen, you're screwed. If you run out before you get back to a secure terminal, you can't log in.
        • etc, etc...there are a million schemes with their advantages and disadvantages. Best to use a system that doesn't limit you to one.
      • Comment removed based on user account deletion
      • According to the spec there will be multiple levels of authentication will be possible.

        So say I went and logged on to Slashdot using my Liberty account I would only be required to enter my username and password. However when I want to go to my bank my username and password isn't enough and I now have to provide my smarcard as well. My username and password was required for the bank but it was already there because I had logged into Slashdot.

        From the looks of the spec there are no restrictions on what type of authentication method could be used beyond the initial authentication assertion (Username password.)
    • Disclaimer, I have not yeat read the Liberty specs, but I did write part of the SAML specs which I am told Liberty is based on.

      Are passwords ever sent through service providers?

      Well your description of Kerberos is not quite right, a TGT is actually used to re-authenticate you to the KDC that issued it. You go to the KDC, get a TGT, then you go back to the KDC, give it the TGT and get back a ticket. The only time TGTs get flung arround is in some folks inter-realm stuff.

      Assume that the Liberty people know all about security in Kerberos etc. and are not going to send passwords in the clear. The SAML group had at least eight or nine of the people who would appear on most informed peoples list of 'top 100 security protocol designers'.

      Does it work for protocols other than HTTP?

      SAML has an HTTP binding but the spec anticipates other bindings. We are currently working on a SOAP binding that uses WS-Security.

      Who can set up providers?

      I don't know, under SAML anyone can set up a server. It would be really nice to see a slashdot server for example.

      Can multiple Service Providers requiring the same credentials without knowing the identity is the same?

      SAML is designed to allow pseudonyms etc. In fact one of the original consumers for SAML was Shiboleth which is a single sign on system for academic libraries and such and so they have really big psuedonymity and anonymity requirements.

      SAML does not provide Chaumian style cryptographic anonymity, but then again neither does Chaum for this application. I did discuss SAML with Chaum a few months ago and we conculded it was not an easy problem.

  • Good as in United Federation of Planets [geocities.com] ???

    Bad as in Trade Federation [starwars.com] ???

  • I just hate having to trust someone I don't see on a day to day basis -- not that you can always trust those you do but at least you can "reach out an touch them". Like they say, "Out of sight, out of mind". I want some sort of local control over my online actions away from a centralized database prone to Government intrusion. Its a lot harder for the Government to go after an individual than an organization it can specifically target through legislation. It takes a lot less testicular/ovarian fortitude to legislate against a faceless organization than someone that you want to vote for you next election and his/her friends. If the US Government would only strengthen my rights to personal privacy in my transactions of my choices and prosecute strongly those that violate my privacy, I don't think we would be talking about these Big Brotheresque solutions.

    Open Source or Closed Source. I don't need either of you to cure a symptom of my ailment. It does not cure the disease. We need strong enforcement of existing laws (never happen) and an educated consumer (never happen).

  • This is my fundamental problem with Liberty Alliance and Passport and whatever-all-else.

    What, really, is the point?

    I am, in fact, actually capable of taking two seconds to type in my username and password on several different sites every day. If I don't want to, there are a number of programs--including Mozilla and IE--that are willing to save them for me and re-input them every time I visit that site, without holding any of my personal information on someone else's computer.

    So why is this Passport stuff supposed to be all that important? Until the day comes that I /have/ to sign up for something like that to access a service I can't get anywhere else, I don't care what they do or who else offers the same type of service. The day I must sign up to get that service...

    I stop using that service.

    Really, I don't see why the benefits outweigh the drawbacks, no matter who happens to be running it.
    • how about...your identity and password are only authenticated/known in one trusted place as opposed to many hackable machines?

      • Re:But... why? (Score:2, Insightful)

        by ShadowDrake ( 588020 )
        Brilliant. Why not hang a neon sign out in front saying "Welcome crackers!" Diversity is a strength.

        Say I have various accounts at 40 different firms. Say one is compromised. If I do things right (vary passwords, don't store appealing information like account numbers where it's not absolutely necessary), at least some of the other 39 are safe.

        On the other hand, say LA or Passport is cracked. Suddenly, my electronic doppelganger is running up charges at CheapBytes and eBay and, worse yet, ruining my rep on /.!

        Why not a use random username/password generator, store the results as a file on your local machine, and encrypt it. I can even see storing that as a good use for one of those "USB-connected flash on a keychain" toys.
    • I think the question isn't so much "why do it at all?", but "why, since MS is pushing people to do it, don't we push them an alternative way to do it?" MS stuff has an alarming tendency to become ubiquitous no matter how stupid or poorly done it may be. Rather than allow a MS-controlled incarnation take hold, I think the initiative here is to either: a) stem the tide so that it doesn't reach ubiquity, or b) at least have an alternative out there so that the MS way isn't accepted as the "universal" way of doing whatever stupid thing they are trying to do this week.
    • You guys obviously don't do enterprise development. If you did you would understand the need.

      There will always be cases where you are subscribing or offering services to other large companies. Very quickly it becomes handy to be able to set policies on what those users can do as groups. Even more important is that you don't want to do provisioning... cause provisioning costs lots of cash and it would be more efficent if the company subscribing to you services did the provisoning on their side. So what you end up with is a need to trust all the users from their domain and integrate it with your systems as well as set policy on how the trust will work.

      It's hard to explain unless you have seen the problem but trust me this is a killer problem for large corporations. I've seen hundreds of millions spent on solving this issue at just two companies.
  • Even if this service doesn't provide an ideal situation, an alternative to a proprietary service is always worthwhile. If nothing else, it gives the proprietary services more work to do, which means better products for the consumers.

    It's also good to have someone competing with MS Passport for the authentication game, lest we further our nation's decline into corporate plutocracy. The internet is less of a ghetto and more of an integrated part of the actual world we live in--this is no longer a shadow world, but a real extension of our lives wherein our security is just as important as it is anywhere else.

    I confess that the PDF itself was a bit cumbersome (i.e., I didn't read all/most of it), but from what I could tell this appears to be a pretty well thought out project. I encourage everyone to support it however possible, as that's the only way projects like this sustain themselves.

  • Comment removed (Score:5, Informative)

    by account_deleted ( 4530225 ) on Tuesday July 16, 2002 @12:13AM (#3891780)
    Comment removed based on user account deletion

  • Better names... (Score:1, Interesting)

    by Anonymous Coward
    They probably just weren't trying hard enough, but I can think of a few better names and mottoes in the vein of "Liberty Alliance":

    Super Ethical Freedom Alliance
    motto: "Tracking your every move, with tender corporate care."

    Friendly Good Group
    motto: "We're the good guys."

    Ultra Freedom Watcher
    motto: "Verifying your identity for liberty!"

    On a more serious note, did you wonder why most of the United States' large banking interests are contributors to this system? They have every right to be concerned about Microsoft's Passport becoming a middleman to all of their transactions. But do you think that their actions are likely to lead to "liberty" for anyone else?

    The architecture of this system could potentially allow independent networks of verification. However, from reading through the specs, it is very easy to imagine an "open" protocol where the only Authentication Providers who are actually trusted (on a widespread basis) are the early adopting companies. Kind of like the web site certificate situation -- anyone can be a certificate server, but if you don't get a certificate from one of the major 3-4 providers, everyone coming to your web site will get a security error.

  • That's what I thought - never in a million years.

    Nobody gives a damn about Passport, or Liberty, or any of that crap. Nobody who runs a Web site worth a damn is going to allow authentication to/from anything he himself doesn't control.
  • I've just finished reading through the overview in detail, and skimming the other documents.

    Before everyone starts bringing out their copy of 1984 [loc.gov] (sorry - not going to link to Amazon, thank you very much) to compare lets take a good look at what they're doing.

    First, a Service Provider (some place you might want to use your "Liberty" ID) has no requirment to use the Liberty IDs exclusively. The Service Provider can authenticate you with a 'local' username/password as well. (It's up to them.) The examples they use indicate this as well.

    Second, if you don't trust an Identity Provider (The entity that you have your cross-site identity with), you don't have to use them -- there can (and hopefully will) be others. There's no built in monopoly, like some other system [passport.com].

    Lastly, if you're worried about your Identity Provider (who holds your 'master account') knowing all sorts of jucy information about you, you can relax (mostly). Other then when and where you signed on, or re-signed on, no personal information gets transferred from Service Provider to the Identity Provider. (With the exception of information needed to verify the identity you give.) This is unlike this system [passport.com] who wants to hold alot of information for itself. The key here is that there is no requirment forcing the Identity Provider to do this, and if you don't like it - don't use it.

    If enough people stand up and say "NO", we can affect change.

    On the positive side, if the Identity Provider has reasonable policies regarding the use of my personal information, and a compelling base of like-minded Service Providers using it's authentication service, I would likely avail myself of it's use. At the same time I'd burn a monopolistic [microsoft.com] Identity Provider in effigy.

  • Where is Apache CollabNet, and O'Reilly? (Score:3, Interesting)

    by CondeZer0 ( 158969 ) on Tuesday July 16, 2002 @02:05AM (#3892132) Homepage
    Does any body know what happened to the Apache Software Foundation,
    CollabNet, and O'Reilly?

    When the Liberty Alliance was first presented around one year ago,
    this three organizations where listed as founder members, but I can't
    find them any more in the members list... what happened to them?

    Their involvement in the project was the only thing that gave it
    a minimum credibility in my eyes... well, probably Sun is screwing
    up once more by thinking that they live alone in the universe...
    *sigh*

    \\Uriel
  • Hi:

    Is not Apache and Collab.net in the first work of Liberty? Why they are not here [projectliberty.org]? Some discrepance with Sun?

    -Bryam
  • Maybe someone can answer theses for me. 1) Who hold and owns the central database which contains all this information? 2) Can I setup my own central database using thier technology just to authenticate people to my own servers or intranet even? Or is the libery alliance aways going to require that I use main repository?
    • 1) There are 2 'obvious' databases. First is the database held by the identity provider. This is the entity that holds your 'master' username/password. They own the database, and you cede them rights as they lay out in their privacy document. There can be multiple identity providers (unlike passport).
      The 2nd is the database held by the service provider (site/system/etc you are logging in to). They know no other information about you from the identity provider other then what is needed to authenticate you (username, identity, expiration, etc). That database is owned by the Service Provider.
      Neither the SP or the IP exchange information other then what is *technically* needed to authenticate you. (username, id hashes, expiration info etc).
      2) Yes. (IAMAL - but there are patents involved in this technology - read the disclamers on the documents. I don't know about licences or enforcement on those patents tho.)
    • 1. No one - there is no central database.
      2. Yes.


  • Passport was doomed to fail, not because you or I disliked it but for a much more simple reason.

    The MS idea was that all transactions would be arbitrated via Passport, thus of course they would have the ability to charge a commision. The end game here is of course that online transactions would therefore all result in payment to MS, with MS having the ability to offer lower cost online credit than Amex, Visa et al.

    It was amazing in its presumption, it was in fact the biggest ever salami scam attempt. Liberty works differently by giving control to the individual, this is great for Amex et al as the identification piece will be their credit-cards (notice the smart chip already on Amex Blue?) which make them even more useful.

    This was big business v MS, and MS lost when faced with all of the banks, consumer giants like Sony, and underneath it all a simple technology stack based on....

    Java

  • I think, frankly, that the discussion here has been mostly unrelated to the possibilities and dangers of liberty alliance so far.

    Here's something to consider: Is there an Authentication Network Operator that you would *really* trust?

    So far, you hadn't much of a choice: For payments, you could choose between MC and AMEX, and one of these two would handle the whole shopping side of your life.

    But now, with the Liberty Alliance Projekt, you can choose a company that covers your whole online life. Would you trust MC or AMEX again? Better not, they already know too much of you. IBM? How do they guarantee you that your data will be safe? Yahoo - bad track record, no way. Google - no experience in the field but good track record.

    I think that we would need a new type of company for this, under close inspection by the public - does anybody agree?

  • XNS (Score:1)

    by ek_adam ( 442283 )
    And in what may be a coincidence, XNS (eXtensible Naming Service) [xns.org] released their specs this week also. Under their system you have a master set of data and then a number of ecards with subsets of that data. You might have a business ecard for colleagues and business associates, a personal ecard for friends and family, and so on. The system keeps track of which ecards you gave to which people so if you move or change data, the other people's ecards get updated.
  • Can we benefit Really Soon(tm) from LA being integrated into PAM?

Slashdot Top Deals

Intel CPUs are not defective, they just act that way. -- Henry Spencer

Close