Slashdot Mirror
Liberty Alliance Releases Specifications
Darren.Moffat writes "Has the time come for Passport to move over ? Technical Specs of the Liberty Alliance Project technology are now available from the website and were officially announced at the Burton Group conference today." We've done stories on the Liberty Alliance and digital identity before.
As I keep telling my friends who are Analog IC Engineers, there are only two identities for digits -- '0' and '1'. How hard can this be?
Thanks to Sci-fi, we've got all sorts of horrible ideas ready for the technology that isn't here yet. Stolen identity, practically doesn't exist, blah blah blah.... People are always slow to take to such a technology.
E-week story about this is here:
p
http://www.eweek.com/article2/0,3959,382210,00.as
I was thinking rather pessimistic about all this, until this little beauty popped up:
"The Liberty version 1.0 specifications do not involve the exchange of personal information. Instead, they involve a format for exchanging authentication information between companies so the identity of the user is safe, and specific details about the customer's identity are not shared. The user may choose which accounts he/she wants to link, and may maintain separate identities in different locations while still benefiting from a seamless sign-on experience."
So, it's cool. Well, not that Em Emalb would be targetted anyway, more along the lines of some poor dude named Pete Slashtaco (who for some reason, lives in New York City 10101) and makes $15,000 a year working as a CEO of a Fortune 500 business with 250,000 employees. Poor, poor Pete.
Sent from your iPad.
All of these identification systems seem to be like the IdentiEze from the hitchhikers trilogy[Some slashdotter tosses a towel at me screaming "attack," I can see it now], or the SIN system popularized by Gibson and that genre of literature[As well as RPGs such as Shadowrun]. Eventually will we be moving to a point where anonymity is a comodity that puts you completely into some form of shadow world?
I hope not, I like my data being spread out, having one system (Passport or LA's) may be convienant, but it's certainly not good for those of us who like to wear tinfoil hats.
The key to the enjoyment of pop music is to replace any instance of "love" with "C.H.U.D."
What companies are on the Liberty Alliance Management Board?
.. but in reality these companies are just as money hungry as Microsoft .. is entrusting your purchasing habits to these guys really a good idea?
A.There are currently 16 companies on the management board. They are: American Express, AOL Time Warner, Bell Canada, Citigroup, France Telecom, General Motors, Hewlett-Packard Company, MasterCard International, Nokia, NTT DoCoMo, Openwave Systems, RSA Security, Sony Corporation, Sun Microsystems, United Airlines, and Vodafone.
Some big names sure
Ironically, passport started as a stop AOL Instant Messenger affair. So I don't think it is impossible that Passport and Liberty will eventually merge.
On a technical level this is certainly possible and if folk look hard at the underlying SAML spec that Liberty is based on you will notice that there is an interesting intersection between SAML and the GXA world.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
do you really want to trust your information to a bunch of open source yahooos? At least Microsoft is a big name, and therefor accountable, or at least sueable!
a direct link to the specs is here
-BlueLines
--BlueLines "The cost of living hasn't affected it's popularity." -anonymous
It looks like this is something relatively simple (on a conceptual level), very flexible, and has a lot to offer businesses that need to interoperate without selling their soul to an unnamed software giant.
There also seems to be a lot of big names standing behind the Liberty Alliance, which gives it so much more clout in the business world than it could ever achieve through just good design.
The rest of the world may be expanding the digital world so fast that MS continues to shrink in relationship to it.
well, one can always hope.
"It is a greater offense to steal men's labor, than their clothes"
I was wondering why this thing was even getting mentioned, then I checked out the list of member companies and if anyone can get this in wide use it's these companies.
Maybe it has a chance.
What makes this better than passport? Is it just that it doesn't have MS in front of it? Is it because it has the word "Liberty" in it? Both have words relaiting to freedom: Pass and Liberty. Both have little to do with freedom. Absoultue Annonominity or Full Disclosure must be present for freedom. If there is a monitoring agency that can restrict what it sees to itself, it is inherently flawed. It must fully disclose everything, to everyone... And that is non trivial... But probably worth pursuing. Untill then, We should not have a self accountable agency like these systems that base decisions on limited, selected for cheapness/support viewpoint information. I propose that everyone give everyone else their MS passport passwords etc... make copies of fingerprints and retnas etc, and distribute them freely (An idea similar to one that Richard Stallman has promoted)
Please use [ informative / summarizing ] SUBJECT LINES
Flame me here
What makes this better than passport?
Is it just that it doesn't have MS in front of it?
Is it because it has the word "Liberty" in it?
Both have words relaiting to freedom: Pass and Liberty. Both have little to do with freedom.
Absoultue Annonominity or Full Disclosure must be present for freedom. If there is a monitoring agency that can restrict what it sees to itself, it is inherently flawed.
It must fully disclose everything, to everyone... And that is non trivial... But probably worth pursuing.
Untill then, We should not have a self accountable agency like these systems that base decisions on limited, selected for cheapness/support viewpoint information.
I propose that everyone give everyone else their MS passport passwords etc... make copies of fingerprints and retnas etc, and distribute them freely (An idea similar to one that Richard Stallman has promoted)
Please use [ informative / summarizing ] SUBJECT LINES
Flame me here
You, sir, have no life.
It's hard to be religious when certain people are never incinerated by bolts of lightning.
You need to provide them with personal information in order to read about how they propose to manage your personal information. That's a fitting start.
What's the deal with the whole single sign-on thing, anyway? "Liberty" from Passport through yet another centralized login system. Great. Like having the enemy in your sights, turning the shotgun around, and blowing your own head off.
I downloaded the specification, but it's obnoxiously long/buzzwordish and my Linux PDF software sucks. I've got some pretty basic questions I'm hoping someone can answer:
One would hope they are only sent to the identity provider, and encrypted. But this talk of using existing deployed clients makes me nervous, since I don't see how both things are possible together.
They mention HTTP redirects...I think you go to the Service Provider's page, they redirect you to the identity provider as the form action, and they redirect you back, authenticated. That doesn't seem like a good plan to me, no one will actually check that the form action goes elsewhere.
I'd be much more comfortable with something similar to Kerberos: you get a TGT (ticket-generating ticket) from the Key Distribution Center (excuse me, Identity Provider) and use that to provide a ticket to the Service Provider. That ticket can't be used elsewhere and will be invalidated after a certain length of time.
I'd like to use it to authenticate with HTTP, SSH, IMAP, SMTP, and Jabber - probably others I'm forgetting, too. A GSSAPI and/or SASL mechanism would help a lot here.
I'd hope that anyone can set up Identity Providers and Service Providers at little or no cost and have them work with major players. I think this would require
Here, I think the answer is yes. They said something about opaque tokens that gave me hope. I'd like clarification, though.
Bad as in Trade Federation ???
What's the catch?
How much do we have to pay to Sun or Verisign now?
Open Source or Closed Source. I don't need either of you to cure a symptom of my ailment. It does not cure the disease. We need strong enforcement of existing laws (never happen) and an educated consumer (never happen).
Strange women lying in ponds distributing swords is no basis for a system of government.
This is my fundamental problem with Liberty Alliance and Passport and whatever-all-else.
/have/ to sign up for something like that to access a service I can't get anywhere else, I don't care what they do or who else offers the same type of service. The day I must sign up to get that service...
What, really, is the point?
I am, in fact, actually capable of taking two seconds to type in my username and password on several different sites every day. If I don't want to, there are a number of programs--including Mozilla and IE--that are willing to save them for me and re-input them every time I visit that site, without holding any of my personal information on someone else's computer.
So why is this Passport stuff supposed to be all that important? Until the day comes that I
I stop using that service.
Really, I don't see why the benefits outweigh the drawbacks, no matter who happens to be running it.
Even if this service doesn't provide an ideal situation, an alternative to a proprietary service is always worthwhile. If nothing else, it gives the proprietary services more work to do, which means better products for the consumers.
It's also good to have someone competing with MS Passport for the authentication game, lest we further our nation's decline into corporate plutocracy. The internet is less of a ghetto and more of an integrated part of the actual world we live in--this is no longer a shadow world, but a real extension of our lives wherein our security is just as important as it is anywhere else.
I confess that the PDF itself was a bit cumbersome (i.e., I didn't read all/most of it), but from what I could tell this appears to be a pretty well thought out project. I encourage everyone to support it however possible, as that's the only way projects like this sustain themselves.
Also LDAP, PostgreSQL, Oracle
And another question:
Someone said that the best authentication systems use two of:
It would be nice if this system was flexible enough to accomodate that idea, rather than limiting it to a password.
Especially if I have one password for many important systems, I won't want to type it into an untrusted terminal. There are plenty of other choices:
First up, this is very similar (possibly even based off of) the Internet2 middleware project, Shibboleth. Incorporating similar technology such a SAML assertions. In the interest of disclosure, I am working on a setting up Shibboleth at my University as a method of allowing intra-University authentication AND authorization. So I can talk somewhat about that (although I do not in any way speak for Internet2, I do not work for them, I probably will get some details mixed up, have a grain of salt, etc.)
This is not about central authN or authZ (authentication and authorization), it is about utilizing existing auth databases and methods and allowing them to talk to each other. An example, if I may:
A student at University A wants to take a web based class offered at at University B. The two Universities have a partnership established but unfortunatly University A uses Kerberos as a central authentication tool and University B uses Active Directory (Uni B obviously never plans to scale, but I digress). Either way, Uni A is not going to give Uni B the user's password, and Uni B really does not want to add every external user who is going to take this class through the partnership.
The solution Shibboleth offers is that Uni B can simply "point back" to a url at Uni A that is protected with their central authentication system, and if the student can log in there, Uni A creates a digitaly signed certificate identifying the user to Uni B AND any relevant authZ information. Meaning that the the list of students allowed to take this class is managed by Uni A and Uni B never has to worry, the signed certificate proves all they need to know. There is obviously more to this but check out the above web site for the specifics.
The important part to all this is (1) inter-realm authentication: There is not one single database of users and authZ info, there are multiple players who pre-agree on authZ info, but maintain their own internal user databases and methods of authN. Presumably, the ability to say what the external entities can see about the users could be delegated down to the users themselves. (2) Authorization: Everybody is familiar with single sign on concepts that only prove who you are, how about ones that also say what you are allowed to do, what groups you belong to, and what access you have. DCE did a fine job of this (and Microsoft did a fine job of renaming DCE to Active Directory and calling it innovation) but it did not talk to other authN/authZ systems.
If the Liberty Alliance is as close to Shibboleth as I think it is, then it offers something we have never had before. A framework for a single sign on system that is not centrally managed, but leaves control to seperate entities that mutually trust each other.
Let's face it, when it comes to something like this you don't want all your eggs in one basket, especially if that basket has to answer to stockholders and has possibly the worst security reputation in the shory history of computing (really, I don't know why Hailstorm failed...)
This looks promising and it appears to be an approach that nobody has taken before. So don't assume it is just Sun's version of Passport, the technology seems vastly different. Specifically, it seems to be designed with the user's best interest in mind, not a single corporation's.
Finkployd
Sounds more like Netscape 4.X's roaming access.
I used to be able to go to any Netscape 4.X system, point it to my web server server and have it pull down my bookmarks, mail filters, cookies, mail server configurations, and a few other things (like digital certs).
That is the only reason I would like a single-sign on.
You'll get no more personal information from me than I want you to have. Personally, I could care less if you get my zdnet/slashdot uesr id and password. BFD.
But, you'll NEVER find me storing credit card numbers, my on-line banking user id/passwords, my stock trading site user id/password.
They probably just weren't trying hard enough, but I can think of a few better names and mottoes in the vein of "Liberty Alliance":
Super Ethical Freedom Alliance
motto: "Tracking your every move, with tender corporate care."
Friendly Good Group
motto: "We're the good guys."
Ultra Freedom Watcher
motto: "Verifying your identity for liberty!"
On a more serious note, did you wonder why most of the United States' large banking interests are contributors to this system? They have every right to be concerned about Microsoft's Passport becoming a middleman to all of their transactions. But do you think that their actions are likely to lead to "liberty" for anyone else?
The architecture of this system could potentially allow independent networks of verification. However, from reading through the specs, it is very easy to imagine an "open" protocol where the only Authentication Providers who are actually trusted (on a widespread basis) are the early adopting companies. Kind of like the web site certificate situation -- anyone can be a certificate server, but if you don't get a certificate from one of the major 3-4 providers, everyone coming to your web site will get a security error.
One ID string would be nifty per person.
I think we should have peer to peer authentication. Each person will be their own central certification system, and certify friends and family to use their ID. This would form a large network. That should be traceable.
I am the only central identification system for myself. NO piece of paper or bits represents me officially. No signatures, no pictures, no retnal scans, no fingerprints.
I personally like to have multiple usernames and passwords with varing security.
I give out my password to things that I view as public (My hotmail account is public... and now The stupid people at microsoft have made it my "Passport")
I tell my friends my root password on my toy machines,
I tell select individuals the password to public servers
For "Secure" sites, I will seal the password in an envelope and put it in a safe deposit box
For Super Secure sites, I would do more.
I give passwords to my friends for subscriptions to online content. If I buy so many credits, I should be able to give them to somebody else.
So:I guess what I am saying is:
We need an Identity Tunneling system, where I can authorize my friends to act in my name... and so then... I would be the central identity server For myself...
Oh wait... If we let microsoft be the identity server, wouldn't microsoft etc be liable for all actions done on our account? If that is the case, Yippie, Create a username and password for me... We will be acting under the central authentication networks name!
Please use [ informative / summarizing ] SUBJECT LINES
Flame me here
What a fucking moron, this is not even funny.
Opera fills in all the fields for me, making creating an account easy. I can give each vendor exactly the information I want. (This could be automated even further, I think, while control of my info still remains on my machine.) PayPal alows me to pay without exposing my credit card number to each vendor. Why would I want to give the care of my info and identity away to some company, any company, even one I trusted? Even good companies go bad, or get bought out.
Nobody trusts Microsoft for plenty of good reasons.
I don't have a universal digital ID now, and I honestly don't really feel a need for one. What is the real purpose? To keep absent minded people from having to remember more than one password? Thanks...Ill pass. Given all the political and privacy BS that is coming about...it just seems like more trouble than it's worth.
That's what I thought - never in a million years.
Nobody gives a damn about Passport, or Liberty, or any of that crap. Nobody who runs a Web site worth a damn is going to allow authentication to/from anything he himself doesn't control.
I've just finished reading through the overview in detail, and skimming the other documents.
Before everyone starts bringing out their copy of 1984 (sorry - not going to link to Amazon, thank you very much) to compare lets take a good look at what they're doing.
First, a Service Provider (some place you might want to use your "Liberty" ID) has no requirment to use the Liberty IDs exclusively. The Service Provider can authenticate you with a 'local' username/password as well. (It's up to them.) The examples they use indicate this as well.
Second, if you don't trust an Identity Provider (The entity that you have your cross-site identity with), you don't have to use them -- there can (and hopefully will) be others. There's no built in monopoly, like some other system.
Lastly, if you're worried about your Identity Provider (who holds your 'master account') knowing all sorts of jucy information about you, you can relax (mostly). Other then when and where you signed on, or re-signed on, no personal information gets transferred from Service Provider to the Identity Provider. (With the exception of information needed to verify the identity you give.) This is unlike this system who wants to hold alot of information for itself. The key here is that there is no requirment forcing the Identity Provider to do this, and if you don't like it - don't use it.
If enough people stand up and say "NO", we can affect change.
On the positive side, if the Identity Provider has reasonable policies regarding the use of my personal information, and a compelling base of like-minded Service Providers using it's authentication service, I would likely avail myself of it's use. At the same time I'd burn a monopolistic Identity Provider in effigy.
Does any body know what happened to the Apache Software Foundation,
CollabNet, and O'Reilly?
When the Liberty Alliance was first presented around one year ago,
this three organizations where listed as founder members, but I can't
find them any more in the members list... what happened to them?
Their involvement in the project was the only thing that gave it
a minimum credibility in my eyes... well, probably Sun is screwing
up once more by thinking that they live alone in the universe...
*sigh*
\\Uriel
"When in doubt, use brute force." Ken Thompson
Hi:
Is not Apache and Collab.net in the first work of Liberty? Why they are not here? Some discrepance with Sun?
-Bryam
Maybe someone can answer theses for me. 1) Who hold and owns the central database which contains all this information? 2) Can I setup my own central database using thier technology just to authenticate people to my own servers or intranet even? Or is the libery alliance aways going to require that I use main repository?
Liberty is explicitly about de-centralised control, you have the id, possibly a "smart-card" credit card. It does the identification then passes credentials to others to allow you access.
Very nice, very sweet, very personal.
An Eye for an Eye will make the whole world blind - Gandhi
Passport was doomed to fail, not because you or I disliked it but for a much more simple reason.
The MS idea was that all transactions would be arbitrated via Passport, thus of course they would have the ability to charge a commision. The end game here is of course that online transactions would therefore all result in payment to MS, with MS having the ability to offer lower cost online credit than Amex, Visa et al.
It was amazing in its presumption, it was in fact the biggest ever salami scam attempt. Liberty works differently by giving control to the individual, this is great for Amex et al as the identification piece will be their credit-cards (notice the smart chip already on Amex Blue?) which make them even more useful.
This was big business v MS, and MS lost when faced with all of the banks, consumer giants like Sony, and underneath it all a simple technology stack based on....
Java
An Eye for an Eye will make the whole world blind - Gandhi
The technology itself is not inherently evil. I would love a centralized system to manage my entire life for the sheer fact that it's simplicity allows me more time to do other things than manually manage aspects of my life which automation could (and should) coordinate. Unfortunately greed (aka business) has become so desensitized to the layman that they honestly couldn't care less what you do with the service provided someone makes a buck.
...Just you wait, my next Toyota with the voice activated system will one day say: "We've opened your door Matt, would've been faster had you bought a Lexus"
Problem is too many businesses are like this. You don't make money by being nice to people, and functionality to benefit us can just as easily grab and administer marketing strategies. Take the internet for example: originally designed as an amazing place for people to exchange information at a dizzying pace. To simplify session handling for something as limited as a website we developed the cookie. Enter the Gator (or your favourite brand of greed-motivated advertiser) who sees the potential to capitalize on this wealth of knowledge and voila, 200 popup windows before I manage to wade through onto slashdot. Did I mistakenly post my email address describing my company's services? Obviously that means I want info on naturally enlarging my penis through a home based business that can earn me $500 per day offering a flavour of the month pyramid scheme.
Bottom line: It's a good idea, but wouldn't work in a system where knowledge is power is money.
Thank you from Telus.
-Matt
---
Got web hosting? RackNine
--- Need web hosting?
I think, frankly, that the discussion here has been mostly unrelated to the possibilities and dangers of liberty alliance so far.
Here's something to consider: Is there an Authentication Network Operator that you would *really* trust?
So far, you hadn't much of a choice: For payments, you could choose between MC and AMEX, and one of these two would handle the whole shopping side of your life.
But now, with the Liberty Alliance Projekt, you can choose a company that covers your whole online life. Would you trust MC or AMEX again? Better not, they already know too much of you. IBM? How do they guarantee you that your data will be safe? Yahoo - bad track record, no way. Google - no experience in the field but good track record.
I think that we would need a new type of company for this, under close inspection by the public - does anybody agree?
Microsoft Makes Donation to Peru
By THE ASSOCIATED PRESS
Filed at 7:54 p.m. ET
REDMOND, Wash. (AP) -- Microsoft Corp. is providing about $550,000 in money, software and consulting services to the Peruvian government for educational and ``e-government'' initiatives.
In a news conference Monday, Microsoft Chairman Bill Gates and Peruvian President Alejandro Toledo announced the contribution, Microsoft's first in Peru.
Toledo, elected last year, made technology and education a key focus, and initiated conversations with Microsoft, said Sandro Marcone Flores, executive director of the Huascaran project in Peru.
Marcone Flores downplayed whether the contributions could conflict with a proposal under debate in the Peruvian government. That proposal, by Congressman Edgar Villanueva, would obligate all public institutions to convert exclusively to open-source software, in which the underlying code is available to anyone wanting to revise or customize it.
The money will go toward training teachers as part of Toledo's Huascaran Project to improve the educational system with better instructors and technology. Microsoft's contributions will also be used to teach programming skills to potential software developers and help build a central government Web site that can deploy Internet-based services.
REDMOND, Wash. (AP) -- Microsoft Corp. is providing about $550,000 in money, software and consulting services to the Peruvian government for educational and ``e-government'' initiatives.
In a news conference Monday, Microsoft Chairman Bill Gates and Peruvian President Alejandro Toledo announced the contribution, Microsoft's first in Peru.
Toledo, elected last year, made technology and education a key focus, and initiated conversations with Microsoft, said Sandro Marcone Flores, executive director of the Huascaran project in Peru.
Marcone Flores downplayed whether the contributions could conflict with a proposal under debate in the Peruvian government. That proposal, by Congressman Edgar Villanueva, would obligate all public institutions to convert exclusively to open-source software, in which the underlying code is available to anyone wanting to revise or customize it.
The money will go toward training teachers as part of Toledo's Huascaran Project to improve the educational system with better instructors and technology. Microsoft's contributions will also be used to teach programming skills to potential software developers and help build a central government Web site that can deploy Internet-based services.
so you're saying that those penguinista rahbulls cooed have been hax0ring dammned peruvians for around 1/4 mill0? talk about hard times? kewl.
how much for that whoredoggIE to bark "windose"?
w00f w00f
caN'T couNT huh? know wunder you're losing the softwar.
peruvian presideNTs are @leased 3/4 mill0 after speeking to fuddles.
american presideNTshills are much cheaper, plus you get much more bunk for your billybuks.
you might think that mr peruvia.com walked away with only 500k to show for IT, but ucann bet your .asp there's a few more billybuks where those came from.
Ill eagle gangsterious softwar FraUDs are everywhere, & in a bumdance, anymore.
And in what may be a coincidence, XNS (eXtensible Naming Service) released their specs this week also. Under their system you have a master set of data and then a number of ecards with subsets of that data. You might have a business ecard for colleagues and business associates, a personal ecard for friends and family, and so on. The system keeps track of which ecards you gave to which people so if you move or change data, the other people's ecards get updated.
Some big names sure .. but in reality these companies are just as money hungry as Microsoft ..
... as often as not it isn't ... but it should also be pointed out that the profit motive doesn't assure unethical behavior, and this looks like a clear case where ethical behavior actually offers a competetive advantage.
Yup, they're money hungry allright. And they've found a big, and likely to grow, niche, namely people who do not want to do business with companies that share and sell their private information, as if their customers were little more than product themselves, objects to be owned, ie. slaves.
They've bet that, by offering a service that provides the same convinience Passport claims to provide, while maintaining the integrity of their customer's privacy, that they will gain market share in so doing, at the expense of those who use passport and pass around their customer's private data like some cheap sexually transmitted disease.
And they are probably right, which means that by protecting our privacy from the likes of telemarketers and Microsoft, those money hungry companies are going to make even more money.
I'm the first to criticize the idiotic notion that capitalism is somehow a panacea for all our ills
is entrusting your purchasing habits to these guys really a good idea?
No, which is why you do not want to use Passport, and why the design of the Liberty Alliance scheme, which does not share or even link to personal information, is so much superior and preferable to Microsoft passport.
The Future of Human Evolution: Autonomy
Can we benefit Really Soon(tm) from LA being integrated into PAM?
The University of Illinois uses something similar: Bluestem. It supports inter-realm authentication, too.