Domain: projectliberty.org
Stories and comments across the archive that link to projectliberty.org.
Comments · 55
-
Re:Hyperventilating overreaction
(yes, there will be desktop component, why not)
Yes, there is, and it's pretty astonishing. CardSpace launches what appears to be a separate desktop session (I think it's done through some variant of Remote Desktop) where you select which card you wish to use to identify yourself, or at least confirm the use of the only relevant card (unless you choose to have that card used automatically.) Been testing this stuff. It's amusing when the CardSpace desktop jumps up and Norton AV decides you should have to authorize it to use the network; you're stuck unable to confirm one because the other took over your desktop.
This is supposed to amount to Single Sign-On for the end user. At least that's how it's billed. Ultimately it will be the advertisers that push it onto content providers; they want you identified.
Anyhow, there is a lot of work going on in standards bodies around identity federation and Single Sign-On. Look here and here. -
Liberty Alliance
Of course, MS would not want to support the Sun answer to Passport: the Liberty Alliance. Check the current member list here:
http://www.projectliberty.org/liberty/about/current_members
Now compare it with that of OpenID, if you can find it on their wiki-like site. IMHO, this is just FUD to keep wind out of the sails of the Liberty Alliance. The same stupid tactic they have performed with the open source document format. Kill it by strengthening the currently losing spec, and both will perish.
-
Project Liberty
Liberty is 150-odd companies working on common authentication, because ordinary one-factor authentication doesn't scale either (;-)).
Participants who use two-factor authentication, and supposedly there are a few, only need one token card.
See http://www.projectliberty.org/
--dave
-
Re:Sun has difficulty with open projects
Sun has a strong history of providing software and ideas to the community. But at the same time, Sun seems to have tremendous difficulty with follow-through on these kinds of projects. Remember the Liberty Alliance?
Remember Liberty Alliance? It's cranking along like it always has. www.projectliberty.org
-
Already forgot about the Liberty Alliance spec?
This is yet another attempt at a SSO solution. It is not too hard to come up with a rough design for one. The main problem is getting a significant number of sites to use the same one. Otherwise, what is the use? Marketing/advocacy is needed for that.
Although I admit I have not tried it out yet, have people already forgotten about the Liberty Alliance Project? There already exists an open source implementation, SourceID. Why not contribute effort to working with that library? Or if you must have the enjoyment of writing your own implementation, why not at least try to be interoperable with an existing spec?
-
Get with it!
Everybody is focusing on those two guys smiling together, instead of looking at why they called the press release together, and why what they announced is considered important enough to warrant a Ballmer/McNealy co-presentation!
The reason why this is news, is that both companies, along with a ton of other groups of all sorts of sizes and purposes, have been working on creation of standards that will allow web authentication on the internet to cross boundaries of OS platform, browser platform, and development platform. The Metadata Exchange and Interop protocols are just two of a whole HOST of protocols that are going to link everything up.
Some of you will say - who cares? But the technology they are working on now will be used in the future by most people, on most platforms, to access protected web content.
That's pretty big. This little niche of the industry is set to explode into mainstream consciousness, just wait and see...
If you want to be ahead of the curve:
Check out the Fact Sheet from the MS-Sun announcement.
Check out the WS-* White Paper
Check out Microsoft's Vision For an Identity Metasystem
Check out the Liberty Alliance Technology Review
And if you prefer blogs to White Papers, check out Kim Cameron's Blog. That's really the happening place in Identity Management right now...
Pixie -
Liberty?
"It's going to put control of digital IDs into the hands of an end-user, the end-user will be in full control," said Mr Stephenson.
Microsoft - get with the program and implement liberty - here's the info you need http://www.projectliberty.org/.
-
Re:But are people comfortable with SSO!
True. If it goes beyond the borders of a single company it becomes a competitive and political issue. Microsoft tried to offer their Passport as a single sign-on and identity solution, but obviously it doesn't work for several reasons including Microsoft's reputation for security and the fact that all that identity information resides with one company.
Sun and several other companies came up with the Liberty Alliance to provide a federation of companies that could collectively provide a single sign-on network, but it is taking a while to get it going. Although, it seems to be gaining new ground slowly but surely with IBM as one of the latest additions to the alliance.
It would be nice, to one day, be able to use a widely recognized single sign-on source that is not controlled by a single company. -
Re:what about liberty alliance?
Yes, according to their web site they are. And the Internet2 community (mainly universities) is developing a way for its users to interact anonymously with online sites that require an identity. It's called Shibboleth. The weak spot in "Shib" is that it relies on the university's LDAP server to determine your status, but the identity that goes out across the net is regenerated for each new use and is short-lived. This wouldn't work for purchases, but it can define you as a legitimate subscriber to a service once you have signed on.
"If you build this technology, they will require it." David Sobel, CFP 2000
-
For those looking for an alternative to Passport
There's the Liberty Alliance, which seems to be picking up some speed recently.
There's also the SAML initiative from the OASIS group.
Chip H. -
Re:Relax...
try Liberty Alliance
-
Federated identity more complex but a better idea
Why Microsoft ever thought it was a good idea to put all eggs in one basket is a mystery.
They (and the rest of the industry) are headed more towards a federated security world, where you have a myriad of stores with your identity, and realms of trust between servers. So it would enable single sign-on between your bank and other partners they worked with, but not necessarily have the same data that your favorite blogs or what have you would use.
One example of a federated identity system is the Liberty Alliance project, as usual Microsoft has their own take on federation I think with the WS-FEDERATED web service standard (proposed). -
Re:Almost...
Look into the Liberty spec. One of its optional provisions is forced reauthentication.
Liberty, and its competing standards like WS-Federation and SAML, are good because the partners can run whatever vendor's software they like. You just have to verify your vendor is compliant.
Liberty Specifications
SAML Spec
WS Fed Spec
Any number of vendors in the access control realm are jumping on the Liberty bandwagon. My company makes a product competing with Netegrity. Of course ours is superior in every way imaginable :)
-
Re: or... yes!
Liberty-based Single-Sign-On is a very interesting solution, especially for mobile operators: entering usernames and passwords for each service using a phone is such a pain that allowing Single-Sign-On would increase acceptance of mobile subscription services. In addition, you already have a powerful means of authentication, the one allowing you to attach to the network and place calls.
Some vendors already have Liberty-compliant solutions ready for production, with mobile operators running trials. I am not allowed to name such operators, but here is a list of products conforming to Liberty specs. It is a very interesting market, where vendors with a telecom background clash against classical IT ones.
-
Re:A pretty good standard
You mean like these?
[Ironically, the page has "last week's name" for Sun's product, Access Manager. Even groups that Sun founds can't keep up with the continual name changes!]
My big beef with it is the lack of perl and PHP defined APIs. Given the amount of LAMP (along with perl) being used on the web these days, it seems extremely short-sighted not to have them defined. Just think, /. and the rest of the OSDN sites could be using Liberty to cross-authenticate rather than requiring each site to do their own auth systems.
-
Re:who cares?
One of the points of the Liberty Alliance is that you, the end user choose whether to Federate your accounts or not, and you get to choose to break that Federation. Take a spin through the backgrounder paper on Liberty - there's a lot of tech, but there's also quite a bit of thinking about privacy and security there.
-
Liberty Alliance is not the same as Passport
The Liberty Alliance is not a single signon like Passport. It doesn't put all your data in the hands of one organisation. It basically allows you to link logins and share data between them.
It's a tricky concept to grasp but I've found these two introductions helpful:
-
Re:No.
Yes, but is anyone actually using Liberty? It's all very well signing companies on, but what web sites actually use the damned thing?
Reading the testimonials it's all fluffy, without implementation (excluding one company which seems to use it for internal enterprise authentication, which is a way different market to Passport)
-
Re:It's been done
And a bunch of microsoft-hatin' companies are already attempting to do it in a semi-open way: Liberty Alliance Project. Whitepapers and guidelines are already available from them. Note that when the whole passport thing fizzled (have *you* seen anyone use it other than MSN and ebay?), the Liberty Alliance doesn't seem to have gotten much more steam either.
Companies listed as members of the Liberty Alliance include AOL, Sun, Novell, Oracle, HP, etc. (full list here) I would say that if anyone's going to pull it off, it would be these guys and not a random /. poster.
-
A matter of trust
Nice cut at things, but why on earth should we trust you?
This is not meant as an insult -- it cuts to the heart of the matter. A user is thus relying on you for secure storage of all of his or her personal information, and also relying on you that none of the information will ever leak. This is both leaks to the outside world in general via website spoofs, phishing, and the like, as well as internal leaks where an individual's information is inadvertently revealed beyond what he or she intended (e.g. I only meant to give out my address, not my credit card number).
You would do well to read up on the design documents and white papers from the Liberty Alliance. This is a hard problem to solve and simply using a centralized data store does not address any of the real privacy and security issues inherent in the field of identity verification and personal information management.
--Paul -
Do you work for Microsoft?
I think you fail to understand the kind of shift that will happen when international dialing codes and area codes simply go away. When you can rely on underlying systems like DynDNS married to a directory system that will allow you to plug a SIP phone anywhere, get a DHCP address - register to a directory server - and start taking calls immediately. Or what will happen when cellular providers go IP behind the scenes. His insight that Domain Naming services tie it all together is quite important. Despite what you think.
You may very well be correct. That is one approach to locating services on the internet: Know the name of the service a priori. Curiously, it is also precisely the approach that Microsoft took with Active Directory.
There are other approaches, however. The world's oldest and largest directory provider, Novell, bet the farm on the Service Location Protocol, or SLP. Sun & IBM are also very prominent in the SLP community [as well as the closely aligned Project Liberty initiative].
Bottom line: There are multiple, competing approaches to the problem of finding resources on the internet. Heck, when you get right down to it, there's nothing wrong with the old Altavista PeopleSearch. Over time, one of these initiatives will win the greatest market share, and all of the survivors will almost certainly become "compatible" to some extent or another. And it may very well be that Microsoft's approach [DynDNS in conjunction with Kerberos] will be the winner. But there's been an awful lot of resistance to Redmond thus far, and their Passport initiative has, to date, been just shy of an utter and complete disaster.
However, there are two enormous stumbling blocks to further adoption of DNS: Classically, it is an unencrypted protocol with no proper sense of authentication whatsoever. If it is to move forward, the industry will have to move towards encrypted, authenticatable versions of it.
The second stumbling block is much more ominous, however: Against what database [i.e. directory] is DNS to be authenticated? Who will hold the master keys to the server-side authentication and who will hold the master keys to the client-side authentication? Once you require authentication, you give up every ounce of your anonymity on the internet. [Obviously Project Liberty suffers from the same fundamental flaw.] Once you lose anonymity, Big Brother knows who you are, where you are, and precisely what you are doing for the remainder of your life on the web.
Now you could argue that the telecomms already have that power over you when it comes to classical POTS, and that a court order [or "warrant"] is required for the telecomms to release your telephone dialing history, but in all truth: How many times have you used classical POTS to post a political tirade anonymously on a web bulletin board? Or download some pr0n, or place an off-shore bet on a sports team, or purchase a nice Mosel riesling from Wine Commune?
-
Whatever happened to Liberty Alliance
Weren't they supposed to do something similar? Sure seems to be taking them a long time.
-
Re:Future ideas
I believe this is precisely what the Liberty Alliance is working on -- open, interoperable standards for federated network identity. It would be good from the end user perspective if the social networking sites at least started recognizing each other's members by using liberty alliance identities, but I suppose there isn't yet much motivation for them to do that. Eventually they will realize that they are doomed to die of fracturing user bases and be forced to give up on having everyone as members -- perhaps then a macro-network of much smaller community-based networks could emerge, using federated identities and web services to tie them together.
-
Liberty Alliance
Interesting enough would be knowing the relationships between the Jabber proposal for SSO and the efforts pursued within Liberty Alliance.
-
All right, People
Since I'm a lazy-ass, it won't be me, but seems like it's time to retaliate with a properly-documented DRM standard for document management.
Might this be a good adjunct to the Liberty project? -
Re:A modest proposal...
Hmm, maybe if you ask these guys.
-
Well
They can always swallow their pride, scrap their insecure system and join the Liberty Alliance Project.
-
slashdot effect
From the Liberty Alliance Project's privacy policy:
In addition to the information you knowingly provide us, we keep track of the domains and IP numbers from which people visit us. We also collect site usage statistics such as web browser types and page requests and track users' movements. This data is not personally identifiable and is used to more efficiently operate our business, prepare for network load demands, promote the services and administer the site. To the extent this information is associated with a particular user, that information will be considered personally identifiable information and will be protected accordingly.
Aha! a website that actually prepares itself for the slashdot effect!
-
Single sign on
does seem to be popular with the big boys though Liberty Alliance so I guess we will be landed with some form of it in the future.
-
Liberty Alliance
Kerberos+LDAP, as others have mentioned, is the best way to do it today, but if you'd like to hack on these projects to add single-signon capability, you might want to check out the Liberty Alliance. This is an industry group founded to combat Microsoft's Passport power-play. Being backed by big business, it might be what actually becomes a viable market solution, even if LDAP+Kerberos is more elegant.
Lots of people will sing songs about you if you contribute Liberty Alliance support to all those projects. -
Industry adopted SAML - Liberty Alliance
SAML is also used as a base for the Liberty Alliance specifications.
Liberty Alliance objectives include:
- Develop specifications that enable commercial and non-commercial organizations to protect consumer privacy
- Provide an open single sign-on specification that includes federated authentication from multiple providers operating independently
- Enable commercial and non-commercial organizations to control, maintain and enhance relationships with constituents
- Create a network identity infrastructure that supports all current and emerging network access devices
It hosts heavy players like: American Express, AOL Time Warner, Bell Canada, Citigroup, France Telecom, General Motors, Hewlett-Packard Company, MasterCard International, Nokia, NTT DoCoMo, Openwave Systems, RSA Security, Sony Corporation, Sun Microsystems, United Airlines and Vodafone. -
Re:i'm sorry
For the uninformed:
Liberty Alliance Project. Sun, Novell, RSA, HP, IBM... the list goes on and on.
It's attempting to do exactly what passport does (which you may or may not like). The specs are available, and Sun have released an opensource Identity Server.
I dunno. If you need a server to tell you your identity... -
Re:Nice for us.
I really hope it will work with linux. If it does we will have a free ride onto passport-only sites.
I really hope it doesn't myself, I understand why others might have the need. Well, I went over to the Liberty Alliance, and though the website looks rather 'corporate' and polished, it says in big bold on the front (my bolding):
The mission of the liberty alliance project is to establish an open standard of federated network identity through open technical specifications...
Since it's all open, a linux client would be easily implemented, and if us OSS users would choose LA's solution, it could put a small dent in Microsoft's network identity marketshare.
The federated network identity is simply corporate jargon for the obvious (from their website's FAQ):
On a very basic level, federated network identity means consumers and businesses can allow separate entities to manage different sets of identity information.
-
Liberty Alliance Project
You want the Liberty Alliance Project.
And here's a recent Slashdot article:
Sun Releases Open Source Tool for Project Liberty
First useful post?
-
and under the irony category...
/. wins first place. for running a microsoft visual studio .net ad w/ this story
seriously, this actually has a chance, look at the list of members/sponsors at : their website
and the concept of a contiguous online identity is coming anyways, so someone has to offer an alternative to the crap microsoft has been plugging . i'm really looking forward to offering my family members who are just in love w/ what ms already offers something else, running on a secure(r) platform
-
Re:Can I run my own personal identity server?
Liberty version 1 is contingent on trust relationships negotiated out of band between identity provider and service provider.
Liberty version 1 doesn't make provisions for sharing personal information -- it only defines protocols for federation, single sign-on, federation termination, and logout.
See the Liberty architecture overview (in the specs section on the Liberty web site) for more information.
-
Re:Uh
Not quite. See the Liberty Alliance Project web site for more information.
-
Instead of a central repository, carry it with you
Sed quis custodiet ipsos custodes? It doesn't matter where the data are; if they're on a central server, they're at risk -- all it takes is some disaffected sysadmin type or his boss or an FBI/NKVD/Gestapo type, and your personal details are public.
I carry all my logins etc. in my PalmOS device, encrypted in a Blowfish-protected database, and synched to my personal computer when I'm back in the office. I have to enter one decent password to get at my data, and if I lose the PDA I suppose someone could crack it if they *_really_* wanted to, but at least I know the data are NOT on a Microsoft/Sun/Liberty Alliance box where some disaffected BOFH can get to it.
YMMV.
-
the truth
what it comes down to is if you can make money
boils down to if the retailers will accept it, not the consumers
this will only happen if you can't cheat them because after all they don't want to lose money because the system is insecure
visa cards are after all very insecure but retailers put up with them because they make them money
the key is retailers and they are not about to sign up to an insecure system just to get ripped off
regards
John Jones
p.s. Visa are in http://www.projectliberty.org and are not in the habit of throwing money away or doing it for the good of mankind -
smart cards baby
Sun are pitching it at people who own call centers and Uni's
The boxes that Sun will sell have Smart Card readers in
this means that JavaCard
basically easy to setup and sign on with BIG SUN servers doing the web portal and sign on crypto
I would put a bet on it containing www so everyone is happy including Visa who will send you more junk mail telling you are approved
regards
John Jones -
Open Source??
Hi:
Is not Apache and Collab.net in the first work of Liberty? Why are they not here? Some discrepancy with Sun?
-Bryam -
Good industry support.
I was wondering why this thing was even getting mentioned, then I checked out the list of member companies and if anyone can get this in wide use it's these companies.
Maybe it has a chance. -
if you don't want to register
a direct link to the specs is here
-BlueLines -
And we should use this instead of...
...the industry standard set by the Liberty Alliance, because __________ ? -
Isn't this what standards bodies are for?
It seems to me that if these sorts of 'security systems' are meant to make the exchange of data between computers secure, there's already a lot of standards bodies which should be up to the task of establishing an alternative to the MS-centric Palladium.
IEEE, IETF, even the Liberty Alliance could put together a competing system.
The key here is that any proposed security standard needs to be
- Vendor Neutral
- International
- Respected by the industry
- Respected by a majority of the world's nations.
Anything less than this *WILL* fail on a global market. MS probably has a shot at controlling the US PC market if the government and their anti-trust proceedings don't bitch slap them - Vendor Neutral
-
The future of Liberty Alliance
I've been following Microsoft's .NET strategy for quite some time and have been quite interested in the Passport vs Liberty Alliance scenario.
Firstly, what exactly is happening with Liberty Alliance at the moment? I got the impression that the initiative was started as a marketing opposition against Passport as there doesn't appear to be any visibility of the implementation on the web site.
Secondly, there is also an open source source initially from .GNU for this central authentication service. Essentially both Liberty Alliance and .GNU are trying to provide an opposition framework to Passport - and yet the nature of the concept and the existence of the two projects seem to be self deprecating. If everyone and their dog develop a centralised authentication service that spans services across networks - people would probably use Passport purely because of its market share.
Would it not be a good idea to somehow merge the work done to offer a unified opposition to Passport?
-
More on Liberty Alliance
I just went out and did a bit of research. Liberty Alliance are definitely worth supporting. Have a look at this clip from their FAQ:
Q: Who are the members of the Liberty Alliance Project?
A: Charter members include ActivCard, American Airlines, the Apache Software Foundation, Bank of America, Bell Canada Enterprises, Cingular Wireless, Cisco Systems, CollabNet, Dun and Bradstreet, eBay, Entrust, Fidelity Investments, Gemplus, GM, Global Crossing, i2, Intuit, Liberate Technologies, Nokia, NTT DoCoMo, Openwave, O'Reilly and Associates, RealNetworks, RSA Security, Sabre, Schlumberger, Sony Corporation, Sprint, Sun Microsystems, Travelocity, United Airlines, Verisign, Vodafone and More.
Can't see AOL listed there ... must have it mixed up with something else.