The Liberty Alliance Grows Again 111
sempf writes "The Liberty Alliance, a Sun-backed open-specification alternative to the Microsoft platform's Passport system, has added two very powerful members, Oracle and Intel. Now over 150 members, one wonders at the future of a world where we have two single sign-on systems. With the three big IM platforms joining forces, is the identity standard of the world going to be Microsoft, or Sun? Is this going to be the next Browser War?"
No. (Score:5, Insightful)
Re:No. (Score:5, Interesting)
- You have to pay to use it for your site.
- Lots of people don't trust Microsoft's security.
- Some people are concerned about single platform/single corporation.
I'd love to have a single ID.
Re:No. (Score:5, Interesting)
Reading the testimonials [projectliberty.org] it's all fluffy, without implementation (excluding one company which seems to use it for internal enterprise authenication, which is a way different market to Passport)
Re:No. (Score:1)
If there's enough big companies, particularly in the mobile area, there's a chance of big advertising.
I have lots of different sign ons, and would like a single sign-on, if only just for information sites rather than credit card sites.
Small site builders could also benefit from having no need to have their own security databases.
Nope, mostly just an industry interest group (Score:2, Interesting)
Re:Nope, mostly just an industry interest group (Score:2)
Re: or... yes! (Score:3, Interesting)
Some vendors already have Liberty-compliant solutions ready for production, with mobile operators running trials. I am no
Re: or... yes! (Score:1)
" you already have a powerful means of authentication, the one allowing you to attach to the network and place calls."
In Europe it's already there, it's a SIM card. So again, what's the point? When authenication is implemented in hardware and can be easily passed around by the operator why implement a software solution?
Re: or... yes! (Score:2)
The advantage of the Liberty single-sign-on specification is that it provides a method to share the SIM authentication with third parties, so that the end-user does not have to go through the login procedure each time.
Libe
Re:No. (Score:3, Interesting)
- Why they can't do a protocol without wanting to take it for them ?
I mean, have you seen somewhere on the internet that all the emails have to be at hotmail ?
^^ This leads to
Developp a free sign-on protocol
Use user@domain, so everybody can own it's informations (don't know if I expressed myself well enough)
Re:No. (Score:3, Informative)
A passport alternative. (Score:1, Informative)
Re:No. (Score:3, Funny)
I have a MSN Passport. But I use it just for MSN Messenger. So I am not using it for it's single sign on potential.
Re:No. (Score:1)
I'm a web designer and even though dealing with multiple browsers complicates the code, it's the entire reason the web has so many options and capabilities today.
And yeah, this isn't on the subject of Passport, but this frickin' 'everythi
Re:No. (Score:3, Interesting)
Re:No. (Score:2)
Uh, which W3C standard(s) should I follow?
Have you seen how many standards they've published? Do you honestly think any merely-human brain could even start to hold all that?
Meanwhile, I'm out here doing' my best. I do feed pages to various online validators quite often. Sometimes I can even make sense of what they tell me, and I fix the problems. Sometimes I'm just baffled at what they want me to do. But in thos
This would be a great start (Score:3, Informative)
In the spirit of FOSS - to wit, building a working one to back up your specifications - try this [w3.org]. If 50% of websites got a clean bill of health there, the world would be a better place.
The error messages there recently got much better. See if you can spot which explicatory message I contributed to the list. The takeaway message is, don't just whine - fix it.
They may be a bunch of meeting-bound administrator
Re:No. (Score:1)
Jc pretty much debunks the W3C stuff, so that makes my life easier. I'm in the middle of a project which uses (gasp!) Javascript, CSS and
Single Sign In (Score:4, Insightful)
Re:Single Sign In (Score:4, Interesting)
half solution (Score:3, Interesting)
There is a big different between actual single sign on and (for lack of a better word) hacks that auto sign on for you.
Re:half solution (Score:3, Interesting)
Re:Single Sign In (Score:3, Informative)
Been done already, and most big commercial websites support it. It's a tag that goes on text entry fields denoting what they are, say "name", "e-mail", "phone" and so on.
Programs like Roboform, Google Toolbar and Gator (spit) use these to autofill your forms for you.
However, this misses the point; these identification are supposed to securely ident
Public Key? (Score:2)
There's another single sign-in solution called public key cryptography. I'm a little confused as to what problem passport and liberty alliance are trying to solve that wasn't solved 20 years ago by diffie, hellman, rivest, shamir, and addleman. Perhaps someone can enlighten me. With PK, you can authenticate yourself to anyone without revealing your secret key.
Is passport/liberty alliance a solution to the public key distribution problem? Is it a hack to support PK-like authentication without requiring
Re:Public Key? (Score:1)
who cares? (Score:5, Insightful)
Re:who cares? (Score:3, Interesting)
Re:who cares? (Score:3, Insightful)
Let users choose for themselves. But having one password and links to all the services I log into, stored by the company w
RTFA (Score:2, Informative)
Re:RTFA (Score:1)
To use a simple anology, I have two bank accounts and a credit card. I have different pin numbers for each card. If I lose my wallet, and say I don't realise this for a couple of hours, someone might somehow figure out my pin and access one account. But he'll have to figur
Re: (Score:2)
Re:who cares? (Score:5, Informative)
Re:who cares? (Score:2)
Still, it's a lot better than Microsoft, where the only good thing to say about Passport is you know that the database won't get bought by Microsoft.
There are other personal identity platforms coming in the open source/grassroots arena. One
Sign-on War (Score:5, Insightful)
Honestly, site-specific sign-on systems are easy to develop and most e-tailers have a powerful motive to offer their customers as many choices as possible. This is stark contrast to the one-or-the-other image a "war" connotes.
Re:Sign-on War (Score:2)
Re:Sign-on War (Score:3, Insightful)
Re:Sign-on War (Score:2)
Re:Sign-on War (Score:1)
Also, if you did, your site wouldn't be much good if the third party was down for whatever reason.
As an aside though, thinking about the children for once, it would give the script kiddies a really good target for their DDOS of the month.
Patent (Score:3, Interesting)
How universal can it be? (Score:5, Insightful)
Nokia is on board [nokia.com] with this, and as more and more of my personal information gets concentrated on my phone I'll probably end up using it.
Eventually we'll probably all have a digital "passport" of some kind - and much better this way than the Microsoft way - but it's still a bit creepy.
Re:How universal can it be? (Score:2)
The Data Protection issue (I'm in the UK, we have these laws) can easilly be worked around. All they need is your consent to share the data, all it would take is some text stating that by logging in to a new companies site, you consent to sharing your details. Which is why you are logging-in in the first place.
The Data Protection stuff is going to be a big failu
Re:How universal can it be? (Score:3, Informative)
In theory at least, it is the end user who chooses to 'federate' her different accounts so she has to log just into one of them.
Now that you mention Nokia, this issue is really hot in the mobile world, where the mobile network operator would play the role of Identity Provider, allowing Single-Sign-On to a number of mobile websites or even subscription data serv
Microsoft or Sun? No... (Score:5, Insightful)
With, as you point out, over 150 member companies the Liberty Alliance is scarcely just "Sun".
Re:Microsoft or Sun? No... (Score:1)
S
Re:Microsoft or Sun? No... (Score:2, Informative)
Any one can download the specs and do a client/server implementation just using apache projects. (Xerces, XML-SEC) and some DOM/servlets knowled to implement their
protocol.
Any how you can do it in c++/java/.NET or whatever languege you like.
They're all terrified of MS' power (Score:5, Interesting)
Intel is terrified that Longhorn's
Oracle is of course competing against SQL Server.
All these large IT companies have known for years that MS is going to eat their lunch, but they couldn't work out what to do about it.
The penny has finally dropped - the only way to combat MS is for them all to work together using common standards : hence, their support for Linux, the Liberty Alliance, J2EE and so on.
Re:They're all terrified of MS' power (Score:3, Informative)
Re:They're all terrified of MS' power (Score:5, Interesting)
Note that the only non-x86 architecture properly supported by Windows at the moment is IA64.
Re:They're all terrified of MS' power (Score:3, Interesting)
Mind you, it's not so easy to design a new chip with a performance comparable to Intels' recent x86 processors (or AMDs', for that matter). It would take a few years at least, and that is with buying some technology from others.
No, I think the only thing that might happen is a MS system based on Powe
A pretty good standard (Score:5, Interesting)
It's a shame that everything this alliance has produced up to date is just a pile of PDF specifications. Hope it will change soon.
Re:A pretty good standard (Score:1)
[Ironically, the page has "last week's name" for Sun's product, Access Manager [sun.com]. Even groups that Sun founds can't keep up with the continual name changes!]
My big beef with it is the lack of perl and PHP defined APIs. Given the amount of LAMP (along with perl) being used on the web these days, it seems extremely short-sighted not have them defined. Just think, /. and the rest of the OSDN sites could be using Liberty to cross-authenticate rather than requiring each site to do their
Single Sign-On (Score:5, Informative)
Article from Internet News [internetnews.com]
June 30, 2004
Single Sign-On Gains Liberty Support
By Clint Boulton
Although a lack of interoperability has threatened to hold Web services adoption back, Liberty Alliance, a group dedicated to forging an open identity standard, cracked that barrier by certifying nine single sign-in products this week.
The group awarded Ericsson, Hewlett-Packard, IBM, Netegrity, Novell, Oracle, Ping Identity, Sun, and Trustgenix its "Liberty Alliance Interoperable" mark in a conformance test.
The certification, which covers Liberty Alliance Identity Federation Framework (ID-FF) version 1.1 and 1.2 for single sign-on services, involves a rigorous testing process that gauges identity federation, authentication, session management and privacy protection. Vendors must demonstrate interoperability with two other randomly selected participants.
Secure single sign-on services are a key ingredient for Web services, a high-flying concept for distributed computing that allows applications to talk to one another to perform tasks. But customers are afraid to "sign-on" without a secure brand, because crackers can swipe their personal information if the site is not safeguarded properly.
According to a Liberty statement, the products are interoperable out-of-the-box, which pares deployment schedules and saves costs. This is key, as customers are loathe to license technology if it isn't supported by a validated standard, according to Gartner analyst Ray Wagner.
Customers who are thinking about federation projects need some reassurance that there won't be a huge amount of manual integration necessary between partners with different infrastructures," Wagner told internetnews.com. "Requiring compliance with Liberty, SAML, WS-Federation, and WS-I Basic Security Profile, or a subset of the above, will provide some assurance that systems have the capability to work together."
Wagner said he believes most vendors who make identity management products will provide compatibility with specs or standards in the short term, noting that Federation protocols in particular (SAML, Liberty, WS-Federation) will likely converge in the medium term.
With Liberty's certification, companies can say that their products are compliant with the Liberty identity standard, making their identity management software more appealing to customers looking to shore up their Web services platforms with authentication via single sign-on services.
Forrester analyst Randy Heffner said using Identity Web Services Framework (ID-WSF) requires Liberty's ID-FF and offers an interoperable path to Web services as long as users start with Liberty's ID-FF.
"There is a test suite to ensure broad testing coverage of the technical interfaces," Heffner told internetnews.com. "But successful operation of the tests is sort of on the honor system -- except that a vendor who wants the Liberty logo must participate in an interoperability event and successfully connect with a couple of other randomly chosen products."
"This is better than a simple, pre-planned interoperability event, which only proves that there is 'at least one' configuration by which products can work together -- but not that this is the configuration that any given user might need," Heffner concluded.
Web services have been slow to take off over the last few years, due to obstacles such as interoperability, security and manageability. But this is changing, owing in part to the steady work companies have been putting into the matter and the increasing acceptance of the more broad service-oriented architecture approach to software services.
The following products are now Liberty compliant: the Ericsson User S
What Standard? (Score:4, Interesting)
IPs can be spoofed, mail foraged, add to that proxies and firewall... There is no way of telling who is really on either end of the connection. Now, add single signon security, without forced timeout of passwords and without heavy forced editing preventing reuse and dictonary attacks.
Look to windowsupdate.microsoft.com. Are you connecting to truly to microsoft? No, you are not. So you are taking a SECURITY download from a site, that may have an associtation with MS but not MS itself. Boy are we trusting.
So where does that leave the rest?
Re:What Standard? (Score:4, Funny)
Yeah, I hate it when people forage through my email - it's bad enough that my girlfriend goes through my phone sometimes, but my email? No way!
Re:What Standard? (Score:1)
Re:What Standard? (Score:1)
Maybe you are trolling or maybe you are just pandering to the tin-foil hat crowd who would love to believe that they can be without identity.
You seem to be forgetting public key cryptogrpahy. And the forced timeout is not an issue. A SAML assertion says when the user was authenticated and when the assertion itself was created. True it may not be forced timeout, but every site that I visit that has important personal info of mine has
Re:What Standard? (Score:2)
This is same problem with Notary Public. They have to follow standards and so on... but what happens when one is "bad" and others use them?
What about a doctor or the guy that fixes your car?
In each and every case a form of trust is required that I claim I am who I say I am. And the other end does them same.
But with faceless techinology, it is impossible to realy besure.
EBay has tried one method - called feedback. With it other faceless
I think claiming (Score:4, Funny)
Re:I think claiming (Score:2, Funny)
Re:I think claiming (Score:1)
Comment removed (Score:5, Insightful)
Re:How about this... (Score:1, Insightful)
So I get a multiplatform tool that helps me make people choose certain usernames/passwords on my website.
How does that fix the problem of said people having dozens of usernames/passwords on multiple websites?
Re: (Score:2)
Re:How about this... (Score:2, Insightful)
Re: (Score:3, Interesting)
Re:How about this... (Score:2)
Re: (Score:2)
My bet is on... (Score:2, Insightful)
This would be like fighting over... (Score:3, Funny)
Summary is misleading (Score:4, Insightful)
I'm just waiting for Google to offer a Messenger service, using a gMail account as a login. I think they could bring great things to the IM market, especially if the based an offering on an OSS project like Jabber, for which other IM software providers could then incorporate support.
Passport is already tied closely to Messenger and Windows XP in particular, I don't see the opposition gaining ground without going the same way.
Re:Summary is misleading (Score:4, Insightful)
Note that I did NOT say IM convergence. I DID say they are joining forces. They are. Despite all of the vitrol, reality has forced them to hold hands and play nice. I'm sure the ability to send a message from one platform to another using a common P2P platform is not far off, despite your claims.
How exactly is Google making a gMail messenger any different from MSN mesenger, or Yahoo messenger? All great brands, all good technology. Will it be better because you like Google more? Don't get me wrong, I like Google too, but how will a fourth standard make it any better?
Re:Summary is misleading (Score:1)
MSN:Fred Hi Fred!
>IMProxy George: Hi Fred!
AIM:George Hi George.
>IMProxy Fred: Hi George.
Basically so that you don't have to sign up for everything, someone else does the work. Sort of like BugMeNot. GAIM does this well for a single user, I'm thin
Liberty Alliance is not the same as Passport (Score:5, Informative)
The Liberty Alliance is not a single signon like Passport. It doesn't put all your data in the hands on one organisation. It basically allows you to link logins and share data between them.
It's a tricky concept to grasp but I've found these two introductions helpful:
Re:Liberty Alliance is not the same as Passport (Score:1)
Neither? (Score:4, Insightful)
Re:Neither? (Score:3, Insightful)
That's what the Liberty Alliance is. It's a way to share authentication info without one company controlling it all. RTFA.
What? (Score:1)
What the hell are you on about.
And it's Enforced, not inforced.
And if you've got an IP address, then you're not exactly anonymous anyway.
Re:Neither? (Score:2)
What about dotGNU? (Score:1)
From their website it seems that they are making some kind of decentralized "passport". Is The Liberty Alliance also pushing a decentralized solution?
Why stop at just two (Score:2)
Re:Why stop at just two (Score:4, Informative)
Re:Why stop at just two (Score:2)
Actually it was just a bad attempt to be funny before the morning sugar rush hits my head. But the implication that we can be authenticated via a whole long list of places proves my point a little more rather than less. Mainly that we are simply going to have a long list of places to authenticate to just like we already have, so what did we fix? Or to put it another way, my dad has 6 different
Re:Why stop at just two (Score:3, Informative)
That logo looks familiar... (Score:2)
Where does AOL really stand? (Score:2)
The Liberty Alliance page shows AOL as one of the 15 "Management Board Members".
Seems AOL is positioning themselves to be a win/win member.
Liberty Alliance? (Score:2)
Re:Liberty Alliance? (Score:1)
Suckers! Just what Big Brother wants! (Score:1, Interesting)
"Jennifer Government" (Score:1)
should have called it the Rebel Alliance.. (Score:2, Funny)
Liberty Alliance is low tech (Score:3, Interesting)
"Warning slippery when sarcastic!"
The Liberty Alliance (Score:2, Funny)
client peace (Score:2)
Re:client peace (Score:1)
In the end, I'd rather trust all my information to one of the largest security systems in the world rather than Joe Bob's Tackle Supply.
Re:client peace (Score:2)
Cross-site scripting (Score:3, Interesting)
Is there a difference anymore? (Score:2, Interesting)
Identity Commons (Score:2, Informative)