Slashdot Mirror

← Back to Stories (view on slashdot.org)

Liberty Alliance Releases Specifications

Posted by chrisd on from the fraternity-and-equality-are-next dept.

Darren.Moffat writes "Has the time come for Passport to move over ? Technical Specs of the Liberty Alliance Project technology are now available from the website and were officially announced at the Burton Group conference today." We've done stories on the Liberty Alliance and digital identity before.

6 of 127 comments (clear)

  1. whew... by Em+Emalb · · Score: 4, Interesting

    I was thinking rather pessimistic about all this, until this little beauty popped up:

    "The Liberty version 1.0 specifications do not involve the exchange of personal information. Instead, they involve a format for exchanging authentication information between companies so the identity of the user is safe, and specific details about the customer's identity are not shared. The user may choose which accounts he/she wants to link, and may maintain separate identities in different locations while still benefiting from a seamless sign-on experience."

    So, it's cool. Well, not that Em Emalb would be targetted anyway, more along the lines of some poor dude named Pete Slashtaco (who for some reason, lives in New York City 10101) and makes $15,000 a year working as a CEO of a Fortune 500 business with 250,000 employees. Poor, poor Pete.

    --
    Sent from your iPad.
  2. Interesting Convergence by Zeinfeld · · Score: 4, Interesting
    The problem I have with Liberty is that Sun appear to be more focused on stopping Microsoft than on developing a product that is going to succeed on its own merits.

    Ironically, passport started as a stop AOL Instant Messenger affair. So I don't think it is impossible that Passport and Liberty will eventually merge.

    On a technical level this is certainly possible and if folk look hard at the underlying SAML spec that Liberty is based on you will notice that there is an interesting intersection between SAML and the GXA world.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  3. Can someone translate into English? by slamb · · Score: 4, Interesting

    I downloaded the specification, but it's obnoxiously long/buzzwordish and my Linux PDF software sucks. I've got some pretty basic questions I'm hoping someone can answer:

    • Are passwords ever sent through service providers?

      One would hope they are only sent to the identity provider, and encrypted. But this talk of using existing deployed clients makes me nervous, since I don't see how both things are possible together.

      They mention HTTP redirects...I think you go to the Service Provider's page, they redirect you to the identity provider as the form action, and they redirect you back, authenticated. That doesn't seem like a good plan to me, no one will actually check that the form action goes elsewhere.

      I'd be much more comfortable with something similar to Kerberos: you get a TGT (ticket-generating ticket) from the Key Distribution Center (excuse me, Identity Provider) and use that to provide a ticket to the Service Provider. That ticket can't be used elsewhere and will be invalidated after a certain length of time.

    • Does it work for protocols other than HTTP?

      I'd like to use it to authenticate with HTTP, SSH, IMAP, SMTP, and Jabber - probably others I'm forgetting, too. A GSSAPI and/or SASL mechanism would help a lot here.

    • Who can set up providers?

      I'd hope that anyone can set up Identity Providers and Service Providers at little or no cost and have them work with major players. I think this would require

      • a good Public Key Infrastructure. The existing X.500 PKI used for web stuff now costs ~ $100/yr/certificate to get a widely-trusted CA to sign your key. DNSSEC might end up being free (depends on what the TLD people do, I think) but isn't really deployed yet
      • addresses that make it obvious what Identity Provider they belong to. I.e., email-style with SRV records or something.

    • Can multiple Service Providers requiring the same credentials without knowing the identity is the same?

      Here, I think the answer is yes. They said something about opaque tokens that gave me hope. I'd like clarification, though.

  4. Better names... by Anonymous Coward · · Score: 1, Interesting

    They probably just weren't trying hard enough, but I can think of a few better names and mottoes in the vein of "Liberty Alliance":

    Super Ethical Freedom Alliance
    motto: "Tracking your every move, with tender corporate care."

    Friendly Good Group
    motto: "We're the good guys."

    Ultra Freedom Watcher
    motto: "Verifying your identity for liberty!"

    On a more serious note, did you wonder why most of the United States' large banking interests are contributors to this system? They have every right to be concerned about Microsoft's Passport becoming a middleman to all of their transactions. But do you think that their actions are likely to lead to "liberty" for anyone else?

    The architecture of this system could potentially allow independent networks of verification. However, from reading through the specs, it is very easy to imagine an "open" protocol where the only Authentication Providers who are actually trusted (on a widespread basis) are the early adopting companies. Kind of like the web site certificate situation -- anyone can be a certificate server, but if you don't get a certificate from one of the major 3-4 providers, everyone coming to your web site will get a security error.

  5. Where is Apache CollabNet, and O'Reilly? by CondeZer0 · · Score: 3, Interesting

    Does any body know what happened to the Apache Software Foundation,
    CollabNet, and O'Reilly?

    When the Liberty Alliance was first presented around one year ago,
    this three organizations where listed as founder members, but I can't
    find them any more in the members list... what happened to them?

    Their involvement in the project was the only thing that gave it
    a minimum credibility in my eyes... well, probably Sun is screwing
    up once more by thinking that they live alone in the universe...
    *sigh*

    \\Uriel

    --
    "When in doubt, use brute force." Ken Thompson
  6. Tinfoil hats has little to do with it. by Wrexs0ul · · Score: 2, Interesting

    The technology itself is not inherently evil. I would love a centralized system to manage my entire life for the sheer fact that it's simplicity allows me more time to do other things than manually manage aspects of my life which automation could (and should) coordinate. Unfortunately greed (aka business) has become so desensitized to the layman that they honestly couldn't care less what you do with the service provided someone makes a buck.

    Problem is too many businesses are like this. You don't make money by being nice to people, and functionality to benefit us can just as easily grab and administer marketing strategies. Take the internet for example: originally designed as an amazing place for people to exchange information at a dizzying pace. To simplify session handling for something as limited as a website we developed the cookie. Enter the Gator (or your favourite brand of greed-motivated advertiser) who sees the potential to capitalize on this wealth of knowledge and voila, 200 popup windows before I manage to wade through onto slashdot. Did I mistakenly post my email address describing my company's services? Obviously that means I want info on naturally enlarging my penis through a home based business that can earn me $500 per day offering a flavour of the month pyramid scheme.

    Bottom line: It's a good idea, but wouldn't work in a system where knowledge is power is money. ...Just you wait, my next Toyota with the voice activated system will one day say: "We've opened your door Matt, would've been faster had you bought a Lexus"

    Thank you from Telus.

    -Matt

    ---

    Got web hosting? RackNine

    --
    --- Need web hosting?