Slashdot Mirror

← Back to Stories (view on slashdot.org)

Liberty Alliance Releases Specifications

Posted by chrisd on from the fraternity-and-equality-are-next dept.

Darren.Moffat writes "Has the time come for Passport to move over ? Technical Specs of the Liberty Alliance Project technology are now available from the website and were officially announced at the Burton Group conference today." We've done stories on the Liberty Alliance and digital identity before.

4 of 127 comments (clear)

  1. Media Coverage by jmd! · · Score: 3, Informative

    E-week story about this is here:

    http://www.eweek.com/article2/0,3959,382210,00.asp

  2. if you don't want to register by BlueLines · · Score: 5, Informative

    a direct link to the specs is here

    -BlueLines

    --
    --BlueLines "The cost of living hasn't affected it's popularity." -anonymous
  3. Some useful info by finkployd · · Score: 5, Informative

    First up, this is very similar (possibly even based off of) the Internet2 middleware project, Shibboleth. Incorporating similar technology such a SAML assertions. In the interest of disclosure, I am working on a setting up Shibboleth at my University as a method of allowing intra-University authentication AND authorization. So I can talk somewhat about that (although I do not in any way speak for Internet2, I do not work for them, I probably will get some details mixed up, have a grain of salt, etc.)

    This is not about central authN or authZ (authentication and authorization), it is about utilizing existing auth databases and methods and allowing them to talk to each other. An example, if I may:

    A student at University A wants to take a web based class offered at at University B. The two Universities have a partnership established but unfortunatly University A uses Kerberos as a central authentication tool and University B uses Active Directory (Uni B obviously never plans to scale, but I digress). Either way, Uni A is not going to give Uni B the user's password, and Uni B really does not want to add every external user who is going to take this class through the partnership.

    The solution Shibboleth offers is that Uni B can simply "point back" to a url at Uni A that is protected with their central authentication system, and if the student can log in there, Uni A creates a digitaly signed certificate identifying the user to Uni B AND any relevant authZ information. Meaning that the the list of students allowed to take this class is managed by Uni A and Uni B never has to worry, the signed certificate proves all they need to know. There is obviously more to this but check out the above web site for the specifics.

    The important part to all this is (1) inter-realm authentication: There is not one single database of users and authZ info, there are multiple players who pre-agree on authZ info, but maintain their own internal user databases and methods of authN. Presumably, the ability to say what the external entities can see about the users could be delegated down to the users themselves. (2) Authorization: Everybody is familiar with single sign on concepts that only prove who you are, how about ones that also say what you are allowed to do, what groups you belong to, and what access you have. DCE did a fine job of this (and Microsoft did a fine job of renaming DCE to Active Directory and calling it innovation) but it did not talk to other authN/authZ systems.

    If the Liberty Alliance is as close to Shibboleth as I think it is, then it offers something we have never had before. A framework for a single sign on system that is not centrally managed, but leaves control to seperate entities that mutually trust each other.

    Let's face it, when it comes to something like this you don't want all your eggs in one basket, especially if that basket has to answer to stockholders and has possibly the worst security reputation in the shory history of computing (really, I don't know why Hailstorm failed...)

    This looks promising and it appears to be an approach that nobody has taken before. So don't assume it is just Sun's version of Passport, the technology seems vastly different. Specifically, it seems to be designed with the user's best interest in mind, not a single corporation's.

    Finkployd

  4. Re:Interesting Convergence by Zeinfeld · · Score: 3, Informative
    Actually if you would get involved in the Liberty Alliance and look past most of you communistic attitudes you would see something different.

    Liberty is based on SAML which is largely based on earlier research work I did.

    If Liberty are to be successful they need to forget about what Microsoft is up to and just work on making their system the best it can be.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/