Slashdot Mirror


Sun Announces Passport Competitor

mjankows writes: "Sun, and other people today announced the Liberty Alliance Project. Definitely an answer to passport/hailstorm. Maybe Mono/DotGNU can benefit/assist/use/help this..." Yay, yet another way to be tracked on the Internet.

18 of 189 comments

  1. Nothing to do with Freespeech and beer.. by cOdEgUru · · Score: 2, Insightful

    Just one big corporation competing with another VERY big one.

    No matter what they tend to make us believe, I am not inclined to agree that this would make the net a safer place.

    And with MS allowing third parties to provide similar passport services to hook up with theirs, this could only be construed as another effort from Sun to hide the fact that they were late in realising the advantages of passport and webservices, and also to put a veil over the open source community making them blindly believe that we should support these guys instead of M$ because this is more "OPEN".

    I am not flaming.. I just don't see the point.

    1. Re:Nothing to do with Freespeech and beer.. by Guignol · · Score: 2, Insightful

      Well, "the network is the computer" related to the idea of decentralized systems with distributed services, against the idea of a server and a bunch of vt100 or X Terms connected to it. The idea of java applets (client side I mean) against simply browsing an entirely server side page. The idea of Jini making every device communicate, providing its services to the community, instead of a squid-like central providing those services.
      Thin clients (the sun ones at least) are vt100 again (well, X-Terms).
      Last time we met sun about its wonderful SunRay thin-client solution, it was a true wonder that would take away from you all administration problems, because everything is in the server.
      The only problem is the cost of the solution, and the bandwidth problem. Only 10 clients could run at the same time because of the bandwidth demand.
      But they recently told us that this limit will actually be 5 (with the proposed server) because besides the bandwidth problem, the server couldn't handle correctly the load for more than 5 clients at the same time.

  2. The more the merrier by ez76 · · Score: 2, Insightful

    Microsoft recently announced that they plan to open up Hailstorm to the web at large, and allow different authentication "cells" to share Kerberos keys.

    This tells me that they've decided that owning the authentication database (and associated user profile information) is not as valuable a proposition as having an open authentication network and getting a micro-cut of every monetary transaction that passes through it.

    No doubt if Hailstorm takes hold, every third-party authentication is practically going to need to interoperate with it, and will just become an involuntary revenue generation service for Microsoft.

    To this end, look for Microsoft's purchase of PayPal or some "leading" micropayment shop (perhaps from x.25 land if not .com land) in the next couple quarters.

  3. Yet another way to be tracked... by hillct · · Score: 4, Insightful
    Michael sarcastically noted:
    Yay, yet another way to be tracked on the Internet.
    But I submit it's better to be tracked by a system to which you know the inner workings, and if you wish, based on that knowledge, you may avoid being tracked by it (in so far as it tracks things, which of course is not its primary purpose).

    --CTH

  4. Re:That means by Captain_Frisk · · Score: 5, Insightful

    Ellison is Oracle. They are pushing a national ID card. That's evil too, but not mentioned in the scope of this article.

    As for this hailstorm stuff... I really think you guys are overreacting. Right now there are lots of people who have your user information. This is only one more, and hopefully only has one fail point.

    Right now, you have all of your information replicated all over the place, meaning that you trust that many people with your data. All you need is one of them not patching an exploit, and bam, your data is gone. Why have multiple points of potential failure when you can just have one?

    Since you can control how much info you give them, (MS Passport only requires email address) and now they are saying that there will be many different people who store it, so you don't even have to give it to MS.

    Sun is just a poor MS wannabe. They see that MS has got something that will make the AVERAGE (don't forget how important this is) user's experience more convenient, and thus pleasurable, and they want in on it.

    Captain_Frisk

  5. Single Point of Failure gives you EVERYTHING by valmont · · Score: 4, Insightful

    I agree that the passport paradigm gives you a single point of failure. But whereas you may have smaller subsets of your personal information spread out on other sites, i.e., user name and password, maybe first name and last name, but maybe not *all* of your information, like personal banking, stocks trading account information, home address, work address, phone, fax, cell phone addresses.


    Say someone breaks into a site on which you only stored basic username/password and first/last name information, it's OK, it's not that big a deal, inconvenient, but not the end of the world.


    NOW, say someone DOES break into that *single* point of failure you are mentioning, chances are they'll have access to users' *ENTIRE LIFE*. And looking at microsoft's track record of keeping systems secure with their closed-source, I wouldn't trust them the least bit. CodeRed. Nimda.


    Now Sun's approach may be slightly more secure, and if the open-source community does get involved, it could mature far faster than microsoft's product.


    As far as *I* am concerned, though the idea of only having to maintain your information at a single location seems very appealing, I think I still want to go thru the discomfort of having to enter personal information at every site I shop at.

  6. MS == Power by Wind_Walker · · Score: 3, Insightful
    Well, my first question is really "Does anyone outside of Microsoft actually use passport for authentication?" Microsoft uses it a lot for MSN Messenger, Hotmail and all its other stuff, which isn't really bad (for Microsoft products that is). However, I have yet to see Passport used _outside_ of Microsoft.

    Then, assuming that other companies do begin to use Passport at a significant level (despite no one using it after months of its deployment), there then becomes the question "What happens when Microsoft denies companies access to passport authentication?" For example, what happens if a Hotmail competitor wishes to use Passport authentication for its web mail login? Clearly, Microsoft would be helping their competitor if they allowed it, and acting monopolistically if they don't. That does provide a small problem for Microsoft.

    Third is something that the article points out very early on about the very reason people need something like passport. To paraphrase, the article states that people dislike the idea of their online grocery store having access to their online stock trading when they use the same password. This problem doesn't go away with Passport, it is just enhanced. Now, instead of your grocery store having access to your stocks, Microsoft has access to both your grocery store and your stocks, without doing anything but being a middle man authenticator.

    But what am I saying? Microsoft is the good guy, who would never abuse its power. That's why it's okay for Microsoft to use its powers to "innovate," just like it's okay for the US to develop defensive systems that give it the power to launch nuclear weapons without fear of retaliation.

  7. Centralized Authentication: What Do You Want? by n3rd · · Score: 2, Insightful

    Yay, yet another way to be tracked on the Internet.

    Well, as I read this article there is yet another person who can complain but doesn't contribute. So in the Open Source philosophy, I have a question for everyone:

    What do you want to see in a centralized authentication system that you would use and trust?

    For example, would you like it to be overseen by the government, a company, a board of individuals or someone or something else? Should it be Open Source to allow for improvements, or closed source to deter cracking?

    I feel that rather than simply complain about how terrible this and Hailstorm are, we should discuss what should be in a centralized authentication system we would use and trust.

    1. Re:Centralized Authentication: What Do You Want? by Anonymous Coward · · Score: 1, Insightful

      All that I'm interested in seeing is a list of the information that's available about me, a list of companies that have accessed it recently, and a simple, red-tape-free way of removing or editing the information of my choosing.

      My hotmail/passport account has little information tying it directly to me, so I'm not too concerned about it anyhoo. I don't use any other MS Services, like Expedia, that would take that information.

  8. You're taking McNealy out of context by Anonymous Coward · · Score: 4, Insightful

    When Scott mentions that "You have zero privacy anyway," He's not talking about how he has planned to take away your privacy in the future with his nefarious schemes. He's making an observation about the here and now.

    Currently most people receive the bulk of their information in little paper wrappers that are then placed in unlocked tin boxes that sit in front of the place they live waiting to be picked up when said people come home from work...or by somebody else before they come home...

    Currently most people make purchases over the phone, using the 16 digits on the front of their credit card and 4 more digits for the expiration date...and nothing else...these numbers are then processed by another person, a person who doesn't earn a lot of money most likely, and who even more likely doesn't like their job or care anything about the person giving them 20 digits and an order to place...

    The idea that your information and transactions are currently secure and computers will only make them insecure is a false notion. It's only a matter of time before somebody gets the idea of breaking laws that for the most part are unenforceable, or deciding their job isn't worth keeping to do something that jeopardizes your privacy. Wouldn't you at least like there to be some hurdles and tracking in the way to protect you? You currently have zero privacy anyway, get over it. This is progress, and wouldn't you like your progress open and not controlled by just one entity?

  9. Re:Sun is not the "Liberator" by Keepiru · · Score: 2, Insightful

    Yes, Sun is looking after their own interests I'm sure, but there are a few words in there that make this different from Microsoft's solution:

    "decentralized"
    "open standard"

  10. Re:Someone might look at the page before posting by Vspirit · · Score: 2, Insightful
    As a community developer, participating in different projects where we in each single one of them are facing login&account management in order to help our users so they can customize each community to their preferences, a unified identity system is very fortunate.

    We have refused the microsoft hailstorm/passport project from day one due to the one company dominates all issues. Yet we are open to the idea of a unified identity system.

    It is still too early to say whether the Liberty Alliance project will be a viable solution. Our most important concerns are:

    The unified identity system must be 'open', not controlled by one entity that one way or the other can be considered a competitor to our products. (Microsoft is - they are so dominant that they are in one way or the other a competitor to nearly every IT organisation I can think of, and that is the same reason why passport/hailstorm can not evolve).

    The unified identity system must be developed according to users' needs and not beyond. It must not be abused for mass marketing. So a major task is to develop the system avoiding any of the participating or non-participating interests to be able to abuse it. How to do that? I do not have the solution, but I don't want the system without one. What I can conclude is that the system must be developed in open. Where everyone can assist in the 'code' review in assuring nothing is being overlooked in the best possible way. An 'opensource' perhaps applicant to the rules of FSF if suitable. Here the extreme rules of FSF are indeed very suitable as this must be a public interest project.

    The unified identity system must be implementable/joinable by all interests across platforms. It must be implementable/joinable by all developers and users in spite of financial status. And for that reason again, unexploitable. That's a major system development task - but is required. Security must be built into the system. A so-called social solution will not be adequate, as it is possible that not everyone is playing straight.

    I have signed up for the mailing list at http://projectliberty.org/interest.html and I am looking forward to seeing how it evolves. Maybe even try to contribute. But if the openness in the solution does not apply and the concerns/issues above are not resolved and perhaps others as well, I can not approve, and I can't imagine anyone who can without having a special agenda that is not favouring the public interest.

    best regards
    Vspirit - Casper Andersen
    Administrative Manager - Sophistic Systems

  11. Where are the details? by -tji · · Score: 3, Insightful

    I looked through the WWW site for this initiative, but I found no implementation details.

    If done correctly, this has the potential to be a very good thing for all involved. But, there are some key criteria that it needs to meet before I would use it. A few that come to mind are:

    - The user must have 100% control of their personal data & what can be redistributed.
    - Any changes of policy, or distribution of data must require user approval (opt-in), nothing should be done without the user's consent.
    - In the "distributed authentication" model, I would want my data stored by an entity I trust. Such as, a non-profit consumer advocacy group.
    - The security around storage of my information must be rock solid.
    - The protocols used for passing authentication to applications must be secure. The services using the authentication must not have access to my password.

    I'll reserve judgement until I can read the implementation details.

  12. but how does single sign-on actually work? by ezekeze · · Score: 2, Insightful

    The obvious implementation would be to sign into the *browser* somehow, and have it authenticate you to some Central Authority. Then when you visit any site the browser would exchange your identity with that site (which would probably again have to check it against the Central Authority). Does that sound right?

    Given that microsoft controls most of the browser marketshare, how does *anyone* have a legitimate shot at controlling single sign-on, other than MS?
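
The sign-in flow sketched in the comment above, modelled as an added example that is not part of the original thread and does not describe how Passport or the Liberty Alliance work. The names `CentralAuthority` and `Site`, the example site names and the per-site HMAC keys are assumptions; the point shown is that a site can accept an identity without ever seeing the password, and that an assertion issued for one site is useless at another.

```python
import base64, hashlib, hmac, json, os, time

class CentralAuthority:
    """Holds credentials and one signing key per relying site (all values constructed)."""
    def __init__(self):
        self._users = {}      # username -> (salt, PBKDF2 hash of password)
        self._site_keys = {}  # site name -> key shared only with that site

    def register_user(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def register_site(self, site):
        self._site_keys[site] = os.urandom(32)
        return self._site_keys[site]

    def sign_in(self, user, password, site, now=None, ttl=300):
        """Check the password here, then return an assertion scoped to one site."""
        if user not in self._users or site not in self._site_keys:
            return None
        salt, stored = self._users[user]
        supplied = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(stored, supplied):
            return None
        now = time.time() if now is None else now
        body = json.dumps({"sub": user, "aud": site, "exp": now + ttl}).encode()
        tag = hmac.new(self._site_keys[site], body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(tag).decode()

class Site:
    """A relying site: it holds its own key and never handles the user's password."""
    def __init__(self, name, key):
        self.name, self._key = name, key

    def accept(self, assertion, now=None):
        """Return the username if the assertion is valid for this site, else None."""
        try:
            b64_body, b64_tag = assertion.split(".")
            body = base64.urlsafe_b64decode(b64_body)
            tag = base64.urlsafe_b64decode(b64_tag)
        except (ValueError, AttributeError):
            return None  # malformed input
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None  # not signed with this site's key
        claims = json.loads(body)
        now = time.time() if now is None else now
        if claims.get("aud") != self.name or claims.get("exp", 0) < now:
            return None  # issued for another site, or expired
        return claims.get("sub")
```

Because each site shares a different key with the authority, a compromised or dishonest site cannot mint assertions for any other site; the authority itself still sees every sign-in, which is the tracking concern raised elsewhere in the thread.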

  13. Eating your own dog food by sting3r · · Score: 2, Insightful

    An un-split Microsoft has no choice but to use IIS. How much faith would you have in the Apache Project if their Jakarta team, for instance, switched their home page over to IIS or AOLserver?

    Many pundits and observers believed that Microsoft would be more profitable split than whole. Why? Because the two (or three) BabySofts would not need to promote each others' products, and they would still not be in competition with each other. Currently the IIS offering hurts the Hailstorm group because they are not free to choose the best, most secure product(s) to run their system. Bad for billg, good for the Hailstorm detractors.

    -sting3r

  14. history by Anonymous Coward · · Score: 1, Insightful
    those old enough might remember the open source foundation, formed by hp, apollo, dec, intel, and a motley group of other winners and losers.


    att had just bought 20% of sun, att owned unix.
    the threat was that sun was going to take over the world of unix and twist the free, good world into submission.


    osf proposed building a standard operating system platform; vendors could add their own proprietary value adds. nobody clearly articulated how anyone was going to differentiate their pricey gear.


    sun banded together with unisys, some random japanese companies and I forget who-else to form their own competing open-but-not-really coalition (since sun has, from day one, been the open-but-not-really powerhouse).


    osf got lobbied by this manufacturer and that, adopted crap from each of their platforms... aix, mach... whatever. they built fancy research institutes in europe (mustn't forget bull and other important european computer manufacturers!), overdesigned, ate a lot of pricey expense account dinners (rumors of more difficult-to-justify expenses in louisiana), fiddled...


    everyone attended lots of standards meetings. osf and sun started collaborating. posix. whatever.


    net result: bill won. sun forms more coalitions, lobbies, introduces irrelevant initiatives. dec is dead. they all suck. whatever.


    oh, I forgot to mention linux. I guess that gets back to the previous point. bill won. whatever.

  15. But this IS a good thing! by Coryoth · · Score: 2, Insightful
    Read the article. This is NOT a centralised system like passport. It is a distributed system - you keep track of your own data. It's very vague, but it sounds as if this system simply provides standardised formats and protocols etc. for personal data.


    A federated identity model will enable every business or user to manage their own data, and ensure that the use of critical personal information is managed and distributed by the appropriate parties, rather than a central authority.


    seems pretty clear to me - you manage your own data, and it is authenticated in a distributed way, not maintained and authenticated in a centralised Microsoft database. Further:


    In a federated view of the world, a person's online identity, their personal profile, personalized online configurations, buying habits and history, and shopping preferences are administered by users, yet securely shared with the organizations of their choosing.


    Emphasis mine. You maintain your own data, and decide who you will allow it to be shared to.


    Can someone please tell me how this is not (at this vague stage) the sort of thing that we've been wanting? A decentralised, distributed information management system...


    Jedidiah

  16. I think you might be missing the issue... by javabandit · · Score: 2, Insightful

    As for the "MS and Sun both suck" issue. There is no issue. Everyone fully realizes that both suck.

    That being said...

    The real issue here is that this authentication 'standard' needs to be truly 'standardized'. Its ownership and control should be governed by a globally acknowledged standards body i.e. ISO.

    That is the issue. When people see Sun headlining an initiative, they instantly think of the nightmare that is the JCP (Java Community Process) -- a process which is neither truly open, nor independent. Rather, the JCP is one which profits only Sun in the end.

    What we DON'T want is for the global authentication standard to be 'Sun owned'. This needs to be something that is solely owned by something of the likes of the ISO.

    That is what the issue is, I think.