Liberty Alliance Releases Specifications

Darren.Moffat writes "Has the time come for Passport to move over ? Technical Specs of the Liberty Alliance Project technology are now available from the website and were officially announced at the Burton Group conference today." We've done stories on the Liberty Alliance and digital identity before.

First Post

[gibler]

yip I need one.

holy criznap

g to the oatse
c to the izzex
fo shizzle my nizzle no one cares about this story.

First Post?!

First Post?! Oh God, what have I done?

[xdfgf] Blah blah Fuck Jamie blah blah

BABEL

I woke up and I knew I was still in trouble. My arms from wrists and my legs from ankles ached shockingly, as if there were red-hot rods going through my bones and muscles. Another flow of fire was my spine.

It seemed I pissed myself while dozing - I didn't feel the urge now and the smell was there. Well, I didn't dirty my legs - not in this position, hanging on four chains attached to the ceiling. I was not spread-eagled, actually, though my limbs were pulled apart widely, granting access to any of my private places.

There was something poked into my ass; it hurt enormously. Another accord to the cacophony of pains.

I heard his steps when he was on the stairs. Then the key clicked in the lock and - with the door ajar - he came in a blaze. I screwed up my eyes shut for long seconds before I could look at the girandole in his hand. Yellow light was dancing on his stone-beautiful face and his eyes, long and narrow, were gleaming.

He stopped between my parted legs and scrubbed with his fingernails the seared flesh on my foot. I jerked swinging on the chains and gave him a cry.

"Good," he said tilting his head awry. "Make it loud. Please me!"

I watched him warily - the candles mostly - but he didn't seem to use them now. He put them on the small table and returned to me.

"Well," he said, "how is your ass? Is it ready for me now?"

He yanked the hilt of the whip out of my hole. A hot wave of pain rose to my chest - and a hot stream of blood ran down on my skin.

"Ready for another day of fun?" his low voice was void of emotion - while he approached the top of my body. These words. He didn't invent them. He just repeated.

He took my forearm in his palms and, raising me a little, rubbed my raw hand against the cuff. I felt like fainting. The cuffs were a little too loose for my wrists - they stopped where my hands started and cut there ferociously.

Now he was behind me. I felt his grip of my hair, him pulling my head back. I saw his turned upside-down figure in front of my eyes. My face was on the level of his crotch.

"Want to suck my dick?" he said tonelessly pressing the bulge of his pants to my mouth.

* * *

For the first time I saw him at The Kite inn, sitting alone at the table. Three or four empty glasses bunched already in front of him and one more he was raising to his lips now. He was young, about twenty-four, maybe; a tall reedy man and the loveliest one I've ever seen. His dark-brown hair was shoulder-blade-long and the collar of his laced shirt was open showing his smooth hairless chest.

He looked lost, deeply wounded mentally. Later I found out he mourned his brother who got killed in a stupid quarrel between two rich Southern planters. He was rich, too.

I winked to the inn-keeper. He didn't try to prevent me. He was paid - and paid well for being cooperative.

I shook my head letting my hair down freely before I came up to him. His eyes were glazed - he didn't want to see me until I touched his elbow.

"Monsieur," my voice was tiny, almost a whisper. "Are you lonely, monsieur?"

It seemed he needed time to realize what he saw. Then his mouth softened.

"Pretty girl," he spoke in an uncertain drawl, part due to his drunkenness, part to his French accent. "Pretty whorish girl visiting me."

"I am," I said leaning to his arm, with my fingers fondling him through the shirt.

"Pretty whore, pretty slut," he chanted. "Do you want a drink?"

"If it pleases you," I whispered. He ordered me wine. I sipped a little of it - I needed my head clear. He glanced at me when I put the glass away.

"Pretty wet lips," he said reaching for my lips with his finger. I took it into my mouth, sucking and biting it gently. He stroked my cheek with his other fingers - tender but detached.

I let his finger go and slid face down between his thighs. My hot breath caressed his cock through the material.

"Oh," he said - half-gasp, half-laughter. "You are quick, honey."

"I want to suck your dick," I whispered into his crotch.

His hand reached to unbutton the pants. I pushed it aside gently.

"Not here. Let's go."

His long thin arm enwrapped me. I heard the chink of two golden coins dropped on the table. We stood up. He was so much taller than me - my head only reached his chest. He chuckled absent-mindedly and held me tight.

I supported him. Twice we both were close to falling down, due to his drunken staggering. But when we were out-of-doors, he became better.

"Dolly," he said, "what is your name?"

"Babel," I said. He giggled, startled.

"Babel! What a weird name your parents gave to you!"

"They didn't give it to me," I said.

In the docks we stopped behind the barrack, where the breath of water was not so sharp. He raised me on my tip-toes taking my lips into his mouth. His hand reached to my chest under the scarf.

I hastily glided down on my knees. His cock was pressed painfully to the cloth of his pants. I released it - dark-pink, beautifully shaped 8-incher oozing pre-cum like small pearls. It went through my mouth right into my throat.

"Mon Dieu," he breathed out, with his voice almost a moan. "Yes, yes, don't stop, do it, do it!"

I did it. My lips were round and wet and tight and I slid up and down on his itching shaft, with every movement banging my forehead against the cloth of his pants and feeling his balls pressing to my chin.

His bony fingers massaged my head plaited in my hair - not really pulling me closer - I didn't need it - but because he probably liked the sensation. He was concentrated on his cumming. I felt he was close. And when his hips moved forward suddenly and urgently, I held my breath and let him in to my throat the farthest.

I began to breathe again when his cock became limp. He became limp himself - laughing under his breath, lazy, languid. My mouth was polishing his soft prick.

And then the voice of my big brother said:

"You've fucked my bitch."

I felt his huge smelly presence behind myself in the darkness. For a short moment the palm of my client lay on my shoulder in a kind of protective gesture.

Then another of my big brothers stepped out.

"Get away," he pushed me aside. I saw my man, big-eyed, arranging his clothes hurriedly. He darted quick glances from Hector to Castor.

"Look," his voice was amiable; that is, he made it sound amiably. "I am going to pay. Do you think I'll leave that sweet girl without payment?"

Hector laughed.

"We don't need no money. We are not pimps."

"What do you need, then?" now his voice was sharp.

"You," Castor said.

He looked from one of them to the other again. I wouldn't say he understood. He understood only that he was in trouble. His hand slid fleetly to the gun on his belt. There was no gun. For a moment he couldn't believe it - and then he looked at me with realization.

"Merde," his lips verbalized. And then Pollux approached him from behind and brought his heavy fist onto his temple.

He collapsed. Hector whistled and I heard soft neighing and tip-top of our horses. They threw him across the saddle of Hector's stallion and mounted themselves.

"Babel," Pollux called me, tapping the croup of his horse. I jumped up there and braced my arms around his chest.

* * *

The first thing I did when we got to the place was to change my clothes. Now, in pants, with my hair in tail and without streaks of coal on my lids I didn't look girlish at all. I went to my big brothers.

They didn't have their time wasted. The man was stripped naked and tied with his hands above his head. His ankles, however, still were not fixed - and he kicked desperately trying to reach any of my big brothers.

He was sober and fully conscious - only a little blood in his hair, nothing bad. The expression of his eyes was furious. But under all this fury I couldn't help seeing the terror that must have seized his heart.

He slid his glance by me, obviously not recognizing. He cursed. He threatened.

"What do you want from me? You white rubbish! How dared you to take my clothes?! Let me go or I swear you'll end up on the gallows!"

It was only Pollux who replied him occasionally.

"We don't get to the gallows, you fool. Because nobody will know."

I came up to the man, carefully, so that he couldn't reach me with his kick, and bent over him. I still was an unfamiliar boy for him. I took both my hands full of his soft sleek hair and drew my face closer to his.

"What is your name, dolly?" I asked in my hasty sing-sang whisper.

That was when he understood. His mouth worked for a moment - and then he spat in my face.

"Stay back," Hector ordered to me. "It's our turn to have fun."

I sat down on the window-sill wiping my face with the sleeve. I watched Hector and Castor approaching him. They caught his ankles and pulled them up spreading widely. There were loops attached on the level of his head - and they put his feet through them. He grunted - a suppressed moan. He stopped babbling. Now his eyes were very big and very startled - it seemed he couldn't believe his body was forced to take this position.

I knew what he felt. He was practically doubled - an inconvenient pose even if you are used to be flexible - and almost unbearable for the first time. My big brothers knew what they wanted. His ass, his cock and balls, his tiny flat tits, his face - nothing was out of their reach.

I saw Hector started moving his hands along his body. The foreplay. I felt sick in stomach. I knew it all so well. In a moment he would stroke his belly, play with hair of his bush, squeeze his balls in the palm.

I jumped down and moved closer. I felt shaky - but my 6-inch boner throbbed achingly in my pants - and I let it go. It was so good to sense my hand on it.

Hector was at the exposed hole of the man. His ass-cheeks were spread widely - and though he tried to get them together, it was hopeless. His hole was pink and tiny and very clean. It's so small, I thought, Hector won't be able to get into it. But he would, I knew, he would.

One of his hands played with the balls of the man - small balls now, pulled up into his belly. His other hand was unbuttoning his pants.

The man tried to see what was happening. His head was raised painfully, a frown between his brows. He didn't speak any more - either shocked or terrorized. Then Castor grabbed his hair and made him lie flat. I knew what for. He stepped behind him and leant down, putting his mouth on the mouth of the man.

For a moment he thrashed, disgusted. And then he felt Castor's teeth on his lips. My insides made somersault when I noticed how Castor's mouth started working sucking blood from his lips.

"Mnnn!" the man made some noise. His breath was short, almost gasps. It seemed, for a while he forgot about Hector approaching his ass.

Hector had his dark stiffened prick ready for invasion. I looked at it with a kind of fainting feeling. I knew it so well, every inch of it, every vein. And still, when he put it to the tiny hole of the man, I felt ready to erupt.

Now he recalled about Hector. He flinched - not of pain but of fright. Then Hector drove his dick in and the man shrieked.

A sharp, shrilling cry broken on half and muffled by Castor's mouth. I clenched my teeth and felt the jet of cum hitting my palm. White and slippery, it dripped on the floor from my hand and from the head of my cock.

I heard Pollux laughing.

"Babel likes it better than we do," he said.

Hector wanted to shove his dick in to the end - but, evidently, the grip was too tight. So, he was half in. When he started pulling out, the man puked. I saw Castor withdrawing hastily.

"Filthy pig!" he hissed through his blood-smeared teeth.

Both Pollux and Hector laughed.

The man had his eyes wide open. His chest was trembling - as if something was fluttering inside it. He breathed in and breathed in - and didn't breathe out. Pollux slapped him to relax - or he could pass out.

Hector thrust into him again, now until his balls hit the man's crack.

I had another hard-on ready for me. My hand on my cock moved in the same rhythm as Hector's cock moved inside the man.

Castor didn't try any more to kiss. Instead he took out his cock and, sticking it into the man's soft hair, started jerking off. It was Pollux who looked like one to many. So, he got the held of the man's tiny nipples and tweaked them.

Hector reached his usual speed in no time at all. There was no ass or cunt so tight he couldn't split open in a minute. Now he pumped the man so swiftly that his hips almost blurred. There was no way the man could breath in cadence with this frantic ride - so, he panted unevenly, giving a soft sob form time to time. His eyes were wild, unfocusing.

I cummed at the same moment with Hector. Castor cummed a little before, flooding the hair of the man with his jism. We all three gasped. Then Hector withdrew his limp cock from the hole and came up to the man's face.

He was too smart to give it him to the mouth to clean. The man will suck them, of course, in time - but not yet. He used the hair to wipe his dick.

Now there was a moment when nobody tormented the man. He quivered agonizingly, struggling with his own sobs. Then he saw Pollux taking position at his battered hole.

"No, please..." he stopped abruptly. There was no way they would obey him - and he knew it.

While Pollux was fucking him, Hector took a candle and brought it to the arm of the man. He moved the little flame along the inside of his upper arm. The man jerked greatly, trying not to groan.

"It feels so good," Pollux uttered.

"I know it's good," Hector said.

By the moment Pollux had his cum, Castor was hard once more. The man sucked air desperately, helpless against one more cock going into his torn opening. They gave him two other sources of pain, with Pollux torturing his swollen nipples and Hector slowly palming his balls. Sometimes he screamed inarticulately. His screams were what aroused me the most. When he started screaming I got my hard-on again.

My cock was dark-red and rubbed sore because of all my beating-off. I dropped on my knees - I was too exhausted to stand. My big brothers laughed at me a little.

With Castor done, they decided for a rest. I heard them planning to have late supper when they were leaving the room. Pollux called me to follow.

"The bitch is going to have her fun," Hector said.

When the door was shut after them, I stood up.

They didn't untie him. I walked around. Now, with nobody in the room except me, he didn't look so much destroyed. He still was gasping, clearly unable to regulate his breath - but his eyes were normal. And full of hatred.

"Pig," I hummed coming up to his exhibited ass. "Filthy pig shitted himself."

Now his hole had nothing similar with that tiny pinkish spot. It gaped insolently, turned inside out, wet and glistening with all the liquids mixed inside it. I knew I could drive my stiff rod into it - and it would be sloppy loose - but he would feel pain - the pain I didn't ever feel any more.

I didn't do it. What I did was to shove my two fingers in it. He winced greatly. I pulled them out, covered in blood, mucus and sperm of my big brothers. I licked my fingers.

He watched me warily and disgustedly. I was close to his face now. My hand danced on my cock.

"I'll kill you, damned kid," he said in a low voice but intently. "I'll kill every one of you."

"Speak, pig," I said, jerking my cock over his face, "you'll have some of it into your mouth."

He didn't get it into his mouth when I cummed. There was very little of my spunk and he got it on his face.

We held him for four days.

It was seven months ago.

* * *

"Beg me," he said rubbing his cloth-covered cock against my lips. "Beg me for forgiveness. And if you do it well enough, I'll probably leave you alive."

"I am sorry," I said; I had difficulty to speak with my head so much thrown back. He put his palm on my throat. I thought he would crush it now - but he only probed how it was moving when I spoke. "Please, please, forgive me, monsieur."

"Suck it!" he shoved the hilt of the whip into my mouth. "You like to suck things that went to the ass, don't you?"

The hilt had carving on it. That's how he injured my ass when fucking me with it. I took it into my mouth tasting blood. I was afraid he would thrust it into my throat deep, making with it the same he did with my bottom.

But he let me simply clean it of my own shit and then took it in hand.

"Beg," he said.

I saw him raising the whip and heard swish. It placed right on my crotch, stinging my balls and leaving worm-like trace up to my belly. I yelled.

"Pardon me, oh, God, pardon me!"

He chuckled a little. Another welt swelled on the inside on my thigh.

"Do you understand now how it feels?"

"Yes! Yes, sure," I tried not to start choking. He slashed me again.

"Do you have remorse?"

"Yes, yes, I have it!"

"You lie!" he whipped me once more. "Do you have remorse?"

"Yes!" I shouted.

"Don't you lie to me! Do you have remorse?"

"No!" I broke in tears. If only he didn't hit my balls...

"No?" he stopped. "Why?"

"Because I am hurt," I sobbed. "I can't think about you when I am hurt..."

"You are rotten bastard," he said with loathing. "You deserve to die."

He could kill me all right. With all these swamps around New Orleans he had enough place to dispose from the body. And nobody would notice the disappearance of a waif I was.

He took my hair and wound it around his fist.

"Beautiful hair," he said. "So soft, and yellow, and deceptive. I can tear it up, like that," suddenly he yanked his hand. I yelped - it felt like the roots of my hair were on fire. "I'll tear it up - and nobody will take you for a girl any more."

He pulled again. Tears rose in my eyes.

"Please, don't do it, monsieur."

He let me go. He walked around me pinching fresh welts on my chest and belly. I rocked on the chains trying to escape his hand.

"How old are you, Babel?" he asked coldly.

"Fifteen," I said.

"You are so young and so spoiled," he said musing. "You won't be better

when grow up."

My heart sank.

His fingernails were sticking into my nipple, piercing the skin.

"One of your big brothers, one of twins, said to me it was your idea. Isn't it?" he asked.

"No, I swear, no..."

"I don't know why," he went on, "but I believe him and not you. Why did you think of it?"

Because I was tired of being alone in all that, I thought. But there was no way he would make me confess and got killed for my confession.

"That is why you hate me so much?" I said. "Because you think it was me who suggested to kidnap you and others?"

"I hate all of you equally," he said flatly.

"But you didn't take them..."

"I took them," he answered. "A good brother you are not to know about it!"

"I am not their brother," I whispered under my breath. "I was not. Their father used to fuck my mother. When she died they took care about me. Succession, isn't it?"

"Anyway," he said - and his lips flickered a little mean smile. "I didn't have troubles with finding them. But I had to spend a lot of time to find you."

"I broke loose from them, at last," I explained struggling with pain. He still was hurting me with his fingers moving down along the welt - where the skin above my bush was burnt and blistered. "Soon after."

"I see," he said distantly. "Had a good time, prostituting at Palmetto Hotel in Baton Rouge, dancing in girl's clothes and sucking cocks of every merchant who wanted to pay for it."

He caught me there. He brought me tied and blindfolded - and I even didn't know it was him until we were at his estate.

"You have an appropriate name," he said. "A whore. You are a natural-born whore, aren't you, Babel?"

"No," I said. "I am not."

He moved again. He was between my legs once more. His fingers touched my hole, the scabs of blood around it.

"You didn't even feel when I fucked you," he said. "Maybe, now you will be more sensitive."

He pushed the tip of his prick into my hole. I felt bleeding again.

"Oui," he mumbled under his breath. "Feel it! Feel it like I felt. A whore feeling pain like a virgin."

I screwed up my eyes. He swung me on the chains, moving in and out. He moaned steadily. When he cummed, he pushed me away, freeing himself.

"Will you lick my dick, bitch?" he asked. "Or I'll knock out enough of your teeth so that you can't bite?"

"I'll lick it," I said. I didn't mind. It didn't hurt.

He pissed into my mouth then.

"Thank me, bitch," he said. "As I thanked you when you did it."

"Thank you," I said.

He took the girandole and went to the door.

"Two more days left," he said at the threshold.

Digital Identity?

[imadork]

As I keep telling my friends who are Analog IC Engineers, there are only two identities for digits -- '0' and '1'. How hard can this be?

Re:Digital Identity?

[Anonymous+Cowrad]

" Tell me what you eat, and I'll tell you what you are."

So that means that today I am a veggie burger, some now and laters, a small jalapeno and pineapple pizza, garlic bread, salad, 2 red bulls, and ten or so cokes.

Cool.

Oh, and a peanut butter twix bar. Damn those things are good.

About your post: there are three states : 0, 1 and undefined.

Borg?

[$carab]

Did anybody else find that person on the flash animation rather......Borgish looking with that thing over his/her eye?

The irony is so crushing I just fell out of my chair....Well, actually the chair is broken....

Wonderful

[Procrasturbator]

Thanks to Sci-fi, we've got all sorts of horrible ideas ready for the technology that isn't here yet. Stolen identity, practically doesn't exist, blah blah blah.... People are always slow to take to such a technology.

Re:Wonderful

Stolen identity doesn't exist? Care to tell that to the thousands of people each year that have their credit hijacked. It's amazing the stuff you can do with a SSN.

Media Coverage

[jmd!]

E-week story about this is here:

http://www.eweek.com/article2/0,3959,382210,00.asp

Re:Media Coverage

[MMMMMMMMMMMMMMMMMMMM]

Mama! Mama! I want some milk!

Re:Media Coverage

YOu stupid fucking karma whore. YOu and peole like you are ruining SLashdot.

Re:Media Coverage

[__aahlyu4518]

LOL... next to the article there's a big square ad from Microsoft : 'Get your infrastructure ready for anything' :-)

whew...

[Em+Emalb]

I was thinking rather pessimistic about all this, until this little beauty popped up:

"The Liberty version 1.0 specifications do not involve the exchange of personal information. Instead, they involve a format for exchanging authentication information between companies so the identity of the user is safe, and specific details about the customer's identity are not shared. The user may choose which accounts he/she wants to link, and may maintain separate identities in different locations while still benefiting from a seamless sign-on experience."

So, it's cool. Well, not that Em Emalb would be targetted anyway, more along the lines of some poor dude named Pete Slashtaco (who for some reason, lives in New York City 10101) and makes $15,000 a year working as a CEO of a Fortune 500 business with 250,000 employees. Poor, poor Pete.

Re:whew...

Oh yeah, dumb fuck. The biggest chunk of your post was a quote from the goddamned article. Just report the whole fucking thing next time asshole.

Try to think up your own shit once in a while.

Re:whew...

Doesn't really matter if it's linked to personal information centrally--it'll be like the SSN--a primary key that links all your personal information across disparate sources.

Natalie Portman

I just loaded natalieportman.com in German. I don't read or speak a bit of German, but it automatically makes her hairier (if you know what I mean).

Mmmmmm.

can i link my karma?

[edrugtrader]

so i tie my ebay account and slashdot account, so when i buy something on ebay they know about my Excellent! karma

SIN/IdentiEze[SIC] (-1, Paranoid)

[buffer-overflowed]

All of these identification systems seem to be like the IdentiEze from the hitchhikers trilogy[Some slashdotter tosses a towel at me screaming "attack," I can see it now], or the SIN system popularized by Gibson and that genre of literature[As well as RPGs such as Shadowrun]. Eventually will we be moving to a point where anonymity is a comodity that puts you completely into some form of shadow world?

I hope not, I like my data being spread out, having one system (Passport or LA's) may be convienant, but it's certainly not good for those of us who like to wear tinfoil hats.

Re:SIN/IdentiEze[SIC] (-1, Paranoid)

/me throws a towel @ buffer-overflowed screaming, "Attack!"

Re:SIN/IdentiEze[SIC] (-1, Paranoid)

[Verteiron]

Actually, Passport (I haven't checked out the Liberty system yet) does remind me of the Ident-I-Eaze card... instead of the effective, reliable method of ID (fingerprint, skin scrapings, etc) all of the ID proof is rolled up into one tiny little package that can be easily stolen.

who to trust ..?

[jest3r]

What companies are on the Liberty Alliance Management Board?
A.There are currently 16 companies on the management board. They are: American Express, AOL Time Warner, Bell Canada, Citigroup, France Telecom, General Motors, Hewlett-Packard Company, MasterCard International, Nokia, NTT DoCoMo, Openwave Systems, RSA Security, Sony Corporation, Sun Microsystems, United Airlines, and Vodafone.

Some big names sure .. but in reality these companies are just as money hungry as Microsoft .. is entrusting your purchasing habits to these guys really a good idea?

Re:who to trust ..?

[Tony-A]

I'm sure the companies are all money hungry, but somehow I don't think any of them would accept any of the others using Liberty Alliance as their own private data source. There's more than one degree of separation going on here.

Re:who to trust ..?

[Pig+Hogger]

Some big names sure .. but in reality these companies are just as money hungry as Microsoft ..

... and they don't want to pay the Microsoft tax...

Re:who to trust ..?

[pieces+of+poo]

It's much better to have the corporate weight distributed. Each one is money hungry, sure, but none of them wants to be culpable for any of the others' malfeasance. They'll police each other on these matters, certainly.

Also, if they want to find out your purchasing habits they already can and do. If you're worried about that but you still want to do business online, you're going to be in for a rude awakening.

Re:who to trust ..?

[fferreres]

but in reality these companies are just as money hungry as Microsoft

But they can't exploit it asif they where a single company, nor they can have exclusive rights to be members: everyone can join and support it.

It's MUCH better, can't you see that? If this passport thing is going to happen, then i'd preffer a lot of members and not a single provider, single technology.

Why would a 1 company monopoly be any better than this? I am totaly in for Liberty Alliance.

Re:who to trust ..?

[djsable]

You would trust AOL with your data?

a fool and his privacy are soon parted..

badger

Re:who to trust ..?

[redGiraffe]

From what I understand, Microsoft is buying into it as well?!?

Re:who to trust ..?

[fferreres]

Would you trust Microsoft? Also, bear in mind AOL is not producing any code here.

Re:whew...I'm coming for you, you bastard!

[Pete+Slashtaco]

I am coming for you, Mr Em Emalb. You are dead.

You hear me? You....are...DEAD.

Pete.

Interesting Convergence

[Zeinfeld]

The problem I have with Liberty is that Sun appear to be more focused on stopping Microsoft than on developing a product that is going to succeed on its own merits.

Ironically, passport started as a stop AOL Instant Messenger affair. So I don't think it is impossible that Passport and Liberty will eventually merge.

On a technical level this is certainly possible and if folk look hard at the underlying SAML spec that Liberty is based on you will notice that there is an interesting intersection between SAML and the GXA world.

Re:Interesting Convergence

Actually if you would get involved in the Liberty Alliance and look past most of you communistic attitudes you would see something different.

Companies are tired of re-inventing the wheel. Tired of recreating authentication systems, tired of having to rebuild user databases. Tired of having to build a trusted system that has been built by others 100 times but yet you have to do again.

Users are tired of creating account after account after account after account at different stores, forums, chat sites etc.

Wouldn't it be nice if your identity was as easy to use as a CC only better.

Using a computer should not be harder than using cash or a credit card it should be easier and quicker otherwise we should get rid of computers because everyone in the IT field has failed.

Let's say I find a store that has something on sale that I want to buy. Even if I have never visitied/registered at that site before I should be able buy/pay/checkout and verify something quicker than it takes me to walk in drop my 19.95 in cash and walk out the door of a real store that I just walked into. Again otherwise we have failed and online commerce is doomed. ( ok some some anarchists would love to see that )

Something has to work better than what we have today. YES MICROSOFT HAS A GOOD IDEA, its just nobody trusts them. Did you ever stop to think why the Libery Alliance is headed by a one of the largest Airlines in the world. Because they have huge problems with identification, this is one step in the rights direction whether you like or trust it or not is only a matter of importance for its implemention not its concept

Re:Interesting Convergence

[Malcontent]

Liberty alliance is more then just sun and there is nothing wrong stopping Microsoft.

Re:Interesting Convergence

[Zeinfeld]

Actually if you would get involved in the Liberty Alliance and look past most of you communistic attitudes you would see something different.

Liberty is based on SAML which is largely based on earlier research work I did.

If Liberty are to be successful they need to forget about what Microsoft is up to and just work on making their system the best it can be.

Re:Interesting Convergence

[pmz]

The problem I have with Liberty is that Sun appear to be more focused on stopping Microsoft than on developing a product that is going to succeed on its own merits.


This is unfounded. The Liberty Alliance is an association of companies who are looking for the most pragmatic (simplest) solution to dealing with on-line identities. There was an interview the chairman of the alliance, where he said that they would all pack up and go home if there were already a suitable technology. They just want something useful and not controlled by any single entity, so they can get on with their lives on the WWW.

Re:Interesting Convergence

[Rhonwyn]

That is a common misconception of Liberty. At the Burton Group conference, Eric Dean, Chairman of Liberty and CIO of United addressed this. Sun was one of the founders of Liberty, but immediately after it was formed, they stepped back and let the other companies drive. Liberty is not about designing a product, but about designing the standard for SSO.

Microsoft also announced at the conference that they will be developing SAML under WS-Security, which is a group under Oasis (http://www.oasis-open.org). It is still too soon to see if MS's SAML will be compatable with the main Oasis SAML or with Liberty's version.

Re:Interesting Convergence

[Zeinfeld]

That is a common misconception of Liberty.

It is a very well founded observation based on many hours of contact with the people behind Liberty.

Microsoft also announced at the conference that they will be developing SAML under WS-Security, which is a group under Oasis (http://www.oasis-open.org).

I very much doubt they said that. I suspect that what they said is that they will be working with WS-Security group in OASIS so that WS-Security can carry SAML authentication assertions as WS-Security credentials, just as the SAML group has stated that they will be developing a WS-Security binding of SAML.

Microsoft has no control over the WS-Security group in OASIS and I don't believe that their people would make a public statement which implied they did. A Microsoft person is nominated to be a co-chair of the WS-Security working group but the working group decisions are taken by the TC members and the meetings run acording to Roberts rules of order. If Microsoft wanted a rubber stamp they would have done what everyone else does and taken the thing to ECMA or whatever.

However it is fairly obvious that some people wanted the SAML/WS-Security harmonization was going to happen given that the editor of the core SAML spec is also an author of the original WS-Security proposal.

And, in related news...

Fremont, CA -

VAsoftware, formerly worth something as LNUX, is offering prizes to the hacker who can recover their lost source code.

"We were high on cheap crack", said CEO Ali Jenab, "and we tried a new system that limited posting from trolls. The unfortunate side effect was that trolls started posting as AC from 0, instead of from -1".

Apparently, going back to the old system will not be easy. Jenab says, "We forgot the root password, and had to format and reinstall. Unfortunately, when recovering the tape backup, Malda forgot whether the command was 'tar xzvf' or 'tar czvf' and guessed wrong, so we lost the backup".

Now VAsoftware is offering free Taco Snots (TM) to whoever brings the old source code back. No females may apply, since the VAsoftware staff is, at the same time, 100% homosexual and fully dyke-free.

Re:And, in related news...

[GafTheHorseInTears]

Ali Jenab? That's a fucking raghead muslim terrorist goatfucker name if I've ever heard one. Why the fuck isn't he in jail?

LNUX:
Last Trade 3:56pm 0.83
Change -0.02 (-2.35%)

Only a matter of days now, kids.

Due to excessive bad posting from this IP or Subnet, comment posting has temporarily been disabled. If it's you, consider this a chance to sit in the timeout corner. If it's someone else, this is a chance to hunt them down. If you think this is unfair, please email jamie@slashdot.org with your MD5'd IPID and SubnetID

Re:And, in related news...

Ali Jenab? That's a fucking raghead muslim terrorist goatfucker name if I've ever heard one

They say tere are good sand niggers and bad sand niggers, but they all would be better if dead.

yahoos!

do you really want to trust your information to a bunch of open source yahooos? At least Microsoft is a big name, and therefor accountable, or at least sueable!

Re:yahoos!

Surely the idea that microsoft is either accountable or sueable has been shown to be rubbish by all of the cases brought against them.

Microsoft employ the best lawyers they can afford (and they cann afford very expensive lawyers).

I would expect to see some sort of finality disclaimer that says you can't actually sue them if they get it wrong.

Re:yahoos!

..but yahoo.com already sold all my information..

if you don't want to register

[BlueLines]

a direct link to the specs is here

-BlueLines

Re:if you don't want to register

[Strike]

See, now if we already had registered with them, they could have required authentication. :) Maybe that little bit doesn't work yet.

I like it...

[mesozoic]

It looks like this is something relatively simple (on a conceptual level), very flexible, and has a lot to offer businesses that need to interoperate without selling their soul to an unnamed software giant.

There also seems to be a lot of big names standing behind the Liberty Alliance, which gives it so much more clout in the business world than it could ever achieve through just good design.

Re:I like it...

[Twylite]

Nothing which requires 1.8Mb of compressed PDFs to describe can fall into the category "simple".

Re:I like it...

[IamTheRealMike]

True Twylite, but like so many business documents from big corps, 99% of them is fluff. Several pages are blank, some are devoted to a list of sponsors etc. Quite a lot of it is like this: "Federated identity is the key to reducing this friction and realizing new business taxonomies and opportunities, coupled with new economies of scale".

Now to us lot, who are mainly I'd guess engineers, that sentance means nothing. It's just filling airspace, because it'll be read not just by developers but also their business oriented bosses who find stuff like this interesting and informative. Also - look at the prices! Do you think a company that spent $120,000 is going to be happy if all they get back for that work is a 10 page RFC?

Re:I like it...

[Twylite]

If my company spends $120,000 and I still have to spend two weeks thoroughly reading a document to comprehend it, then I shit all over the upper echelons. At that price I expect information, not data.

While I accept your point, I must counter that the Bindings and Profiles document runs over 50 pages (excluding title, ToC, references), and is almost purely technical. The Protocols and Schemes document is a further 20; and that's not the end of the technical specs.

Printed, the SOAP specification is a little under 20 pages, and XML a little under 50; both are laid out in a similar manner to these documents, and include examples, reference tables, etc. And XML can hardly be considered a simple specification (MS XML and Xerces are still trying to get fully compliant, many years on).

Re:I like it...

Which pages do you want to remove?

Moving too fast

[Alien54]

If this is implemented right, this may leave Microsoft gasping as their DRM and Palladium initiatives get left behind as "so 20th century"

The rest of the world may be expanding the digital world so fast that MS continues to shrink in relationship to it.

well, one can always hope.

Good industry support.

[Matt2000]

I was wondering why this thing was even getting mentioned, then I checked out the list of member companies and if anyone can get this in wide use it's these companies.

Maybe it has a chance.

Just as scary as Passport?

[aaron_pet]

What makes this better than passport? Is it just that it doesn't have MS in front of it? Is it because it has the word "Liberty" in it? Both have words relaiting to freedom: Pass and Liberty. Both have little to do with freedom. Absoultue Annonominity or Full Disclosure must be present for freedom. If there is a monitoring agency that can restrict what it sees to itself, it is inherently flawed. It must fully disclose everything, to everyone... And that is non trivial... But probably worth pursuing. Untill then, We should not have a self accountable agency like these systems that base decisions on limited, selected for cheapness/support viewpoint information. I propose that everyone give everyone else their MS passport passwords etc... make copies of fingerprints and retnas etc, and distribute them freely (An idea similar to one that Richard Stallman has promoted)

Re:Just as scary as Passport?

[ergo98]

What makes either of them "scary"? Passport is quite simply a method of "one user, one identity" (and for that it is brilliant. I recently was tasked with designing an authentication required system, and Passport was a heavy contender. The alternative, of course, is that most people just leave after being forced to create YET ANOTHER identity at yet another site), but the reality is that you can have as many identities as you want, and nothing whatsoever guarantees that you've actually given Microsoft the correct information at all (I don't recall them requiring photo ID to sign up for a Hotmail account yet).

In a nutshell this is just a centralized user/password authentication system, because without something like this becoming widespread sites that require authentication will continue to seem to be more of a nuisance to people : How many times have you followed a link to be brought to the New York Times page only to say "Aw forget it...." (maybe you got an account at one point, but it's among hundreds of accounts that you've long since forgotten the passwords to).

Re:Just as scary as Passport?

[finkployd]

I take a stab at answering this here.

Finkployd

Re:Just as scary as Passport?

[SgtChaireBourne]

Well, Liberty Alliance will not carry personal data. An uses very different technology from MS-Passport.

Re:Just as scary as Passport?

[HiThere]

Basically it's less scary because it's less centralized. A single compromised authority doesn't take down everyone.

Fundamentally, this seems similar to a "web of trust", only the initial trusted parties are going to be corporations. Whether they will ever agree to trust someone else is an interesting question. But if they don't, then I won't trust them, though I may use them.

There's a lot of details not known yet, so it's too soon to start deciding just how to feel about it. If they handle it correctly, it could be a liberty enhancing thing. If not ...

Someone claimed that it was quite like the Shibbolith project http://shibboleth.sourceforge.net/ which is an LGPL licensed project. Be interesting to know how much of the code they used.

home page image

[darrellsilver]

yikes, who's that kid with the crosseyed flashlight in his eye on the front page?

What differentiates this from MS Passport?

[aaron_pet]

What makes this better than passport?

Is it just that it doesn't have MS in front of it?

Is it because it has the word "Liberty" in it?

Both have words relaiting to freedom: Pass and Liberty. Both have little to do with freedom.

Absoultue Annonominity or Full Disclosure must be present for freedom. If there is a monitoring agency that can restrict what it sees to itself, it is inherently flawed.

It must fully disclose everything, to everyone... And that is non trivial... But probably worth pursuing.

Untill then, We should not have a self accountable agency like these systems that base decisions on limited, selected for cheapness/support viewpoint information.

I propose that everyone give everyone else their MS passport passwords etc... make copies of fingerprints and retnas etc, and distribute them freely (An idea similar to one that Richard Stallman has promoted)

Re:What differentiates this from MS Passport?

Shut up Jew.

Re:What differentiates this from MS Passport?

[pieces+of+poo]

Is it just that it doesn't have MS in front of it?

In part, yes. However, you could substitute the name of any other company for the letters MS and it would be equally true. What makes this different from and better than Passport is that it's a project backed by a consortium of companies rather than the brainchild of a single company.

Companies exist solely to make money. They don't make services to facilitate business for other companies unless they're going to get something out of it in the long run. It's more likely to be a benign service for facilitating commerce in general if it's backed by many companies.

None of them will make money from it directly, though they'll benefit from its simply being. Microsoft doesn't benefit from making business easier for everyone else. Passport has no purpose as a product if MS doesn't directly make cashmoney from it somehow. That is why it's creepy.

Re:whew...I'm coming for you, you bastard!

[damiam]

You, sir, have no life.

Great Start...

[MrHat]

You need to provide them with personal information in order to read about how they propose to manage your personal information. That's a fitting start.

What's the deal with the whole single sign-on thing, anyway? "Liberty" from Passport through yet another centralized login system. Great. Like having the enemy in your sights, turning the shotgun around, and blowing your own head off.

Re:Great Start...

[rjamestaylor]

You need to provide them with personal information in order to read about how they propose to manage your personal information.

I thought so, too, until I noticed that the first option on the "register" page is to skip registration and go straight to the download.

Re:Great Start...

[finkployd]

It is not centralized at all, please read the specs. There is no "them", it can use your existing "service provider" (assuming company auth system, university auth system, ISP auth system, etc). It is basically a "common authZ/authN" language that service providers can speak to each other.

Finkployd

Can someone translate into English?

[slamb]

I downloaded the specification, but it's obnoxiously long/buzzwordish and my Linux PDF software sucks. I've got some pretty basic questions I'm hoping someone can answer:

• Are passwords ever sent through service providers?

  One would hope they are only sent to the identity provider, and encrypted. But this talk of using existing deployed clients makes me nervous, since I don't see how both things are possible together.

  They mention HTTP redirects...I think you go to the Service Provider's page, they redirect you to the identity provider as the form action, and they redirect you back, authenticated. That doesn't seem like a good plan to me, no one will actually check that the form action goes elsewhere.

  I'd be much more comfortable with something similar to Kerberos: you get a TGT (ticket-generating ticket) from the Key Distribution Center (excuse me, Identity Provider) and use that to provide a ticket to the Service Provider. That ticket can't be used elsewhere and will be invalidated after a certain length of time.

• Does it work for protocols other than HTTP?

  I'd like to use it to authenticate with HTTP, SSH, IMAP, SMTP, and Jabber - probably others I'm forgetting, too. A GSSAPI and/or SASL mechanism would help a lot here.

• Who can set up providers?

  I'd hope that anyone can set up Identity Providers and Service Providers at little or no cost and have them work with major players. I think this would require

  • a good Public Key Infrastructure. The existing X.500 PKI used for web stuff now costs ~ $100/yr/certificate to get a widely-trusted CA to sign your key. DNSSEC might end up being free (depends on what the TLD people do, I think) but isn't really deployed yet
  • addresses that make it obvious what Identity Provider they belong to. I.e., email-style with SRV records or something.

• Can multiple Service Providers requiring the same credentials without knowing the identity is the same?

  Here, I think the answer is yes. They said something about opaque tokens that gave me hope. I'd like clarification, though.

Re:Can someone translate into English?

[pdrayton]

re: "Does it work for protocols other than HTTP", even though it uses SOAP in places the thing is hardwired to HTTP and WAP. Other protocols (Jabber, SMTP, etc.) need not apply :-(.

There's plenty of other things to complain about in the current set of specs, I wrote up some of them on my weblog.

Digital Identity also has some initial comments here, and Doug Kaye is promising comments soon, too.

--Peter
http://www.razorsoft.net/weblog

Re:Can someone translate into English?

The service provider never has to see your identity provider identity information. It only needs to see your pseudonym as generated by the identity provider. If your service provider is not reputable, of course, it can prompt you to type in whatever it wants you to, and Liberty protocols can't stop it from prompting you. You will quite possibly need to establish a separate user account with the service provider, though, and then later go and link your service provider account with your identity provider account. But the service provider does not need your username or password at the identity provider to do this.

No support for things other than HTTP in this version of the protocols. These are just for signing into web sites using HTTP. This is just the first version of the spec, though.

Anyone can set up a provider. You can do it at home. Nobody else will probably want to use it. You probably want to join an affinity group with some group of service providers who want to authenticate from your provider. There is no central Liberty authority to register with, no global provider metadata repository.

The protocol definitely helps prevent collusion between identities. If the Identity Provider does its job right (you should pick a reputable one to do business with, whose privacy policy you like) then the two service providers have no idea they are dealing with the same identity provider account. Clearly there are other ways they can collude such as matching your IP address and the times you accessed the web site, or prompting you for your email address. Liberty cannot stop them from doing this, but it makes the problem no easier than if the sites were not linking accounts at all.

Re:Can someone translate into English?

[Zeinfeld]

Disclaimer, I have not yeat read the Liberty specs, but I did write part of the SAML specs which I am told Liberty is based on.

Are passwords ever sent through service providers?

Well your description of Kerberos is not quite right, a TGT is actually used to re-authenticate you to the KDC that issued it. You go to the KDC, get a TGT, then you go back to the KDC, give it the TGT and get back a ticket. The only time TGTs get flung arround is in some folks inter-realm stuff.

Assume that the Liberty people know all about security in Kerberos etc. and are not going to send passwords in the clear. The SAML group had at least eight or nine of the people who would appear on most informed peoples list of 'top 100 security protocol designers'.

Does it work for protocols other than HTTP?

SAML has an HTTP binding but the spec anticipates other bindings. We are currently working on a SOAP binding that uses WS-Security.

Who can set up providers?

I don't know, under SAML anyone can set up a server. It would be really nice to see a slashdot server for example.

Can multiple Service Providers requiring the same credentials without knowing the identity is the same?

SAML is designed to allow pseudonyms etc. In fact one of the original consumers for SAML was Shiboleth which is a single sign on system for academic libraries and such and so they have really big psuedonymity and anonymity requirements.

SAML does not provide Chaumian style cryptographic anonymity, but then again neither does Chaum for this application. I did discuss SAML with Chaum a few months ago and we conculded it was not an easy problem.

Federation. Good or bad???

[Pig+Hogger]

Good as in United Federation of Planets ???

Bad as in Trade Federation ???

Re:Federation. Good or bad???

[OracleX103]

Well these are companies involved in trade...

You do the math.

What license restrictions are there?

What's the catch?
How much do we have to pay to Sun or Verisign now?

Liberty Medical

Hi. I'm Wilford Brimley, and I've had diabetes for about 20 years. I stay active and I feel pretty good most of the time. See, I do things differently now. I'm not perfect, but I try to watch my diet and exercise. And I check my blood sugar, and I get all my diabetic testing supplies from Liberty Mutual.

Like I said, I'm not perfect. I guess.. some of the things I told you just now are downright fibs. Like the diet and exercise thing. When I said I watch my diet, I guess I mean I watch the minivan from Buddy's Barbecue pull up and unload about $200 worth of pork ribs onto my driveway. While I stand in the doorway hiding my food boulder in my Bermuda shorts.

When it comes to exercise, well that's just a boldfaced lie. I've never moved fast enough to sweat , except when I was making a baby. Even then, I took some much-needed breaks. My doctor isn't even sure I've got diabetes. He just says I look like somebody who would have it. I do check my blood-sugar every day, though, just in case. And Liberty Medical brings all the teting supplies right to my door, so it's easy to track my health.

[ sprays whipped cream into his mouth ]

Who am I kidding? That's bull hockey! I don't keep track of my health at all! People just assume I eat a lot of quaker Oats, so I must be okay. Hell, I wouldn?t eat oatmeal if it was the filling in a Dove bar. I can't stand that gobbledly gook! It always seems like somebody else ate it first. Sorry, Quaker, but I'm Wilford Brimley, I say it how I feel it.

You know what I do like, are them S'Mores. And old-fashioned wedding cake frosting - the kind that's still got lard in it. And merangue made out of egg yolks instead of egg whites. Some people call it cholestoral, I just call it good.

If you have diabetes, you check oyur blood sugar, and you check it often. There's no reason not to. Call Liberty. They can help you have a better life.

Now, I'm gonna go get off my horse by getting onto a smaller horse, and then onto a large dog, until I'm near enough to the ground to roll off.

You take care now.

Centralized Control Scares Me

[toupsie]

I just hate having to trust someone I don't see on a day to day basis -- not that you can always trust those you do but at least you can "reach out an touch them". Like they say, "Out of sight, out of mind". I want some sort of local control over my online actions away from a centralized database prone to Government intrusion. Its a lot harder for the Government to go after an individual than an organization it can specifically target through legislation. It takes a lot less testicular/ovarian fortitude to legislate against a faceless organization than someone that you want to vote for you next election and his/her friends. If the US Government would only strengthen my rights to personal privacy in my transactions of my choices and prosecute strongly those that violate my privacy, I don't think we would be talking about these Big Brotheresque solutions.

Open Source or Closed Source. I don't need either of you to cure a symptom of my ailment. It does not cure the disease. We need strong enforcement of existing laws (never happen) and an educated consumer (never happen).

[GafTheHorseInTears] Not Likely, Bitches.

Due to excessive bad posting from this IP or Subnet, comment posting has temporarily been disabled. If it's you, consider this a chance to sit in the timeout corner. If it's someone else, this is a chance to hunt them down. If you think this is unfair, please email jamie@slashdot.org with your MD5'd IPID and SubnetID

A well a everybody's heard about the bird
B b b bird, bird, bird, b bird's the word
A well a bird, bird, bird, the bird is the word
A well a bird, bird, bird, well the bird is the word
A well a bird, bird, bird, b bird's the word
A well a bird, bird, bird, well the bird is the word
A well a bird, bird, b bird's the word
A well a bird, bird, bird, b bird's the word
A well a bird, bird, bird, well the bird is the word
A well a bird, bird, b bird's the word
A well a don't you know about the bird?
Well, everybody knows that the bird is the word!
A well a bird, bird, b bird's the word
A well a...

A well a everybody's heard about the bird
Bird, bird, bird, b bird's the word
A well a bird, bird, bird, b bird's the word
A well a bird, bird, bird, b bird's the word
A well a bird, bird, b bird's the word
A well a bird, bird, bird, b bird's the word
A well a bird, bird, bird, b bird's the word
A well a bird, bird, bird, b bird's the word
A well a bird, bird, bird, b bird's the word
A well a don't you know about the bird?
Well, everybody's talking about the bird!
A well a bird, bird, b bird's the word
A well a bird...

Surfin' bird
Bbbbbbbbbbbbbbbbbb... [retching noises]... aaah!

Pa pa pa pa pa pa pa pa pa pa pa pa pa pa pa pa
Pa pa pa pa pa pa pa pa pa pa pa pa pa pa ooma mow mow
Papa ooma mow mow

Papa ooma mow mow, papa ooma mow mow
Papa ooma mow mow, papa ooma mow mow
Ooma mow mow, papa ooma mow mow
Papa ooma mow mow, papa ooma mow mow
Papa ooma mow mow, papa ooma mow mow
Oom oom oom oom ooma mow mow
Papa ooma mow mow, papa oom oom oom
Oom ooma mow mow, papa ooma mow mow
Ooma mow mow, papa ooma mow mow
Papa a mow mow, papa ooma mow mow
Papa ooma mow mow, ooma mow mow
Papa ooma mow mow, ooma mow mow
Papa oom oom oom oom ooma mow mow
Oom oom oom oom ooma mow mow
Ooma mow mow, papa ooma mow mow
Papa ooma mow mow, ooma mow mow
Well don't you know about the bird?
Well, everybody knows that the bird is the word!
A well a bird, bird, b bird's the word

Papa ooma mow mow, papa ooma mow mow

But... why?

[Corvaith]

This is my fundamental problem with Liberty Alliance and Passport and whatever-all-else.

What, really, is the point?

I am, in fact, actually capable of taking two seconds to type in my username and password on several different sites every day. If I don't want to, there are a number of programs--including Mozilla and IE--that are willing to save them for me and re-input them every time I visit that site, without holding any of my personal information on someone else's computer.

So why is this Passport stuff supposed to be all that important? Until the day comes that I /have/ to sign up for something like that to access a service I can't get anywhere else, I don't care what they do or who else offers the same type of service. The day I must sign up to get that service...

I stop using that service.

Really, I don't see why the benefits outweigh the drawbacks, no matter who happens to be running it.

Re:But... why?

[small_dick]

how about...your identity and password are only authenticated/known in one trusted place as opposed to many hackable machines?

Re:But... why?

You're right, liberty solves a pretty simple thing. Here are the advantages:
- You don't have to invent a new username/password pair every time you sign up at a new website
- Your profile is accessible anywhere where you have web access. Internet Café, your friends PC, your WAP phone...
- You can use your profile on a PC you don't have control over (e.g. your office pc)
- Your data is not stored on your potentially insecure machine.

Hope that helps.

Re:But... why?

[ShadowDrake]

Brilliant. Why not hang a neon sign out in front saying "Welcome crackers!" Diversity is a strength.

Say I have various accounts at 40 different firms. Say one is compromised. If I do things right (vary passwords, don't store appealing information like account numbers where it's not absolutely necessary), at least some of the other 39 are safe.

On the other hand, say LA or Passport is cracked. Suddenly, my electronic doppelganger is running up charges at CheapBytes and eBay and, worse yet, ruining my rep on /.!

Why not a use random username/password generator, store the results as a file on your local machine, and encrypt it. I can even see storing that as a good use for one of those "USB-connected flash on a keychain" toys.

Re:But... why?

[Strike]

I think the question isn't so much "why do it at all?", but "why, since MS is pushing people to do it, don't we push them an alternative way to do it?" MS stuff has an alarming tendency to become ubiquitous no matter how stupid or poorly done it may be. Rather than allow a MS-controlled incarnation take hold, I think the initiative here is to either: a) stem the tide so that it doesn't reach ubiquity, or b) at least have an alternative out there so that the MS way isn't accepted as the "universal" way of doing whatever stupid thing they are trying to do this week.

Re:But... why?

[DigitalCH]

You guys obviously don't do enterprise development. If you did you would understand the need.

There will always be cases where you are subscribing or offering services to other large companies. Very quickly it becomes handy to be able to set policies on what those users can do as groups. Even more important is that you don't want to do provisioning... cause provisioning costs lots of cash and it would be more efficent if the company subscribing to you services did the provisoning on their side. So what you end up with is a need to trust all the users from their domain and integrate it with your systems as well as set policy on how the trust will work.

It's hard to explain unless you have seen the problem but trust me this is a killer problem for large corporations. I've seen hundreds of millions spent on solving this issue at just two companies.

Re:whew...I'm coming for you, you bastard!

[MMMMMMMMMMMMMMMMMMMM]

I have seven lifes. I'm a cat pimp mastah.

This is good, right?

[pieces+of+poo]

Even if this service doesn't provide an ideal situation, an alternative to a proprietary service is always worthwhile. If nothing else, it gives the proprietary services more work to do, which means better products for the consumers.

It's also good to have someone competing with MS Passport for the authentication game, lest we further our nation's decline into corporate plutocracy. The internet is less of a ghetto and more of an integrated part of the actual world we live in--this is no longer a shadow world, but a real extension of our lives wherein our security is just as important as it is anywhere else.

I confess that the PDF itself was a bit cumbersome (i.e., I didn't read all/most of it), but from what I could tell this appears to be a pretty well thought out project. I encourage everyone to support it however possible, as that's the only way projects like this sustain themselves.

Addendum

[slamb]

I'd like to use it to authenticate with HTTP, SSH, IMAP, SMTP, and Jabber - probably others I'm forgetting, too

Also LDAP, PostgreSQL, Oracle

And another question:

• Is the authentication to the Identity Provider flexible?

  Someone said that the best authentication systems use two of:

  • something you are (biometrics)
  • something you have (smart card)
  • something you know (password)

  It would be nice if this system was flexible enough to accomodate that idea, rather than limiting it to a password.

  Especially if I have one password for many important systems, I won't want to type it into an untrusted terminal. There are plenty of other choices:

  • Ideally, I would have a small (smartcard-like) physical device that carries an encrypted private key and has a small keypad. I plug it into the terminal. I enter into my device a PIN number (not the terminal! the terminal should never know the password), it (again, my device, not the terminal) uses the password to decrypt its private key and then sign a mutually agreed-on token. So no replay attacks. Someone would need to grab your smart card and guess your PIN number to compromise your identity. With just a password, anyone who can tamper with the terminal would be able to log in as you whenever they want. Bad enough when it's just one system.
  • One-time password systems can accomplish the same goal (defeating replay attacks) without requiring a physical device and attachments on terminals. At a cost, of course. If it's stolen, you're screwed. If you run out before you get back to a secure terminal, you can't log in.
  • etc, etc...there are a million schemes with their advantages and disadvantages. Best to use a system that doesn't limit you to one.

Re:Addendum

[finkployd]

I do not believe this limits you to any system. It seems to delegate the authentication/authorization to your "service provider" (not totally sure what they mean by that) who could potentially use ANY system. The important thing is that after you authenticate with them, it generates a short term certificate, signed by the "service provider" and encoded with authorization info.

Finkployd

Re:Addendum

[Quimo]

According to the spec there will be multiple levels of authentication will be possible.

So say I went and logged on to Slashdot using my Liberty account I would only be required to enter my username and password. However when I want to go to my bank my username and password isn't enough and I now have to provide my smarcard as well. My username and password was required for the bank but it was already there because I had logged into Slashdot.

From the looks of the spec there are no restrictions on what type of authentication method could be used beyond the initial authentication assertion (Username password.)

Serena Williams

I'd go down on her immediately after she played 3 hours of the sweatiest, hottest tennis game.

Some useful info

[finkployd]

First up, this is very similar (possibly even based off of) the Internet2 middleware project, Shibboleth. Incorporating similar technology such a SAML assertions. In the interest of disclosure, I am working on a setting up Shibboleth at my University as a method of allowing intra-University authentication AND authorization. So I can talk somewhat about that (although I do not in any way speak for Internet2, I do not work for them, I probably will get some details mixed up, have a grain of salt, etc.)

This is not about central authN or authZ (authentication and authorization), it is about utilizing existing auth databases and methods and allowing them to talk to each other. An example, if I may:

A student at University A wants to take a web based class offered at at University B. The two Universities have a partnership established but unfortunatly University A uses Kerberos as a central authentication tool and University B uses Active Directory (Uni B obviously never plans to scale, but I digress). Either way, Uni A is not going to give Uni B the user's password, and Uni B really does not want to add every external user who is going to take this class through the partnership.

The solution Shibboleth offers is that Uni B can simply "point back" to a url at Uni A that is protected with their central authentication system, and if the student can log in there, Uni A creates a digitaly signed certificate identifying the user to Uni B AND any relevant authZ information. Meaning that the the list of students allowed to take this class is managed by Uni A and Uni B never has to worry, the signed certificate proves all they need to know. There is obviously more to this but check out the above web site for the specifics.

The important part to all this is (1) inter-realm authentication: There is not one single database of users and authZ info, there are multiple players who pre-agree on authZ info, but maintain their own internal user databases and methods of authN. Presumably, the ability to say what the external entities can see about the users could be delegated down to the users themselves. (2) Authorization: Everybody is familiar with single sign on concepts that only prove who you are, how about ones that also say what you are allowed to do, what groups you belong to, and what access you have. DCE did a fine job of this (and Microsoft did a fine job of renaming DCE to Active Directory and calling it innovation) but it did not talk to other authN/authZ systems.

If the Liberty Alliance is as close to Shibboleth as I think it is, then it offers something we have never had before. A framework for a single sign on system that is not centrally managed, but leaves control to seperate entities that mutually trust each other.

Let's face it, when it comes to something like this you don't want all your eggs in one basket, especially if that basket has to answer to stockholders and has possibly the worst security reputation in the shory history of computing (really, I don't know why Hailstorm failed...)

This looks promising and it appears to be an approach that nobody has taken before. So don't assume it is just Sun's version of Passport, the technology seems vastly different. Specifically, it seems to be designed with the user's best interest in mind, not a single corporation's.

Finkployd

Re:Some useful info

The solution Shibboleth offers is that Uni B can simply "point back" to a url at Uni A that is protected with their central authentication system, and if the student can log in there, Uni A creates a digitaly signed certificate identifying the user to Uni B AND any relevant authZ information. Meaning that the the list of students allowed to take this class is managed by Uni A and Uni B never has to worry, the signed certificate proves all they need to know. There is obviously more to this but check out the above web site for the specifics.

If Uni B requires a valid Oracle un/pw because the access to the data behind the web pages is acl protected based on who the Oracle identity is, then the real problem is how the web page at Uni B, once it trusts that the user is who he says he is, logs into the Oracle db with the correct un/pw. How are the valid credentials converted to the right un/pw?

Yes, you're right, most websites don't require Oracle specific un/pw nor do they enforce access control using db intrinsics. However, this analogy applies to the more general case.

If Oracle (or whatever your authn or authz at Uni B) only accepts a valid un/pw to establish identity and grant access, what technology (or whose software) is responsible for converting the credentials to this un/pw? Where is this un/pw stored?

Re:Some useful info

[finkployd]

If Uni B requires a valid Oracle un/pw because the access to the data behind the web pages is acl protected based on who the Oracle identity is, then the real problem is how the web page at Uni B, once it trusts that the user is who he says he is, logs into the Oracle db with the correct un/pw. How are the valid credentials converted to the right un/pw?

That certainly would be unfortunate. Although if you allow yourself to be locked into an auth solution that is not flexible and that you have no control over, there is not much that ANY technology can do to fix that. I suppose you could design a system that stored the username and password on your backend and match it up with the certificate data. Kinda circumvents the whole point if you ask me though...

In a situation like that, how would you even design an INTER-organization single sign on system? Assuming you wanted to use PKI or Kerberos, you would still have to solve the same problem. Until you have that, an intra-organization single sign on system is impractical.

If Oracle (or whatever your authn or authz at Uni B) only accepts a valid un/pw to establish identity and grant access, what technology (or whose software) is responsible for converting the credentials to this un/pw? Where is this un/pw stored?

You would probably have to do it yourself. I would hope the un/pw would be stored on the same machine as the DB, and that security on that machine would be tight.

Finkployd

Only Sun....

Only Sun would use Macromedia Flush all over a site whose audience should (if this intiative is going to take off) be mostly technical people... who of course hate Flash with a passion.

I've only glanced at the specs... I hope they aren't as misguided as the web site...

Netscape's Roaming Access

[microbob]

Sounds more like Netscape 4.X's roaming access.

I used to be able to go to any Netscape 4.X system, point it to my web server server and have it pull down my bookmarks, mail filters, cookies, mail server configurations, and a few other things (like digital certs).

That is the only reason I would like a single-sign on.

You'll get no more personal information from me than I want you to have. Personally, I could care less if you get my zdnet/slashdot uesr id and password. BFD.

But, you'll NEVER find me storing credit card numbers, my on-line banking user id/passwords, my stock trading site user id/password.

a brave new world

[LotsOfBlankSpaceHere]

______ _______(____>\ /C___)(______>| |C____)(_____>| |C_____)STRETCHINGOUTTHEPAGE(___>/ (_C_____)_// \|__(__/ \____) copyright 2002 by LotsOfBlankSpacehere.

Better names...

They probably just weren't trying hard enough, but I can think of a few better names and mottoes in the vein of "Liberty Alliance":

Super Ethical Freedom Alliance
motto: "Tracking your every move, with tender corporate care."

Friendly Good Group
motto: "We're the good guys."

Ultra Freedom Watcher
motto: "Verifying your identity for liberty!"

On a more serious note, did you wonder why most of the United States' large banking interests are contributors to this system? They have every right to be concerned about Microsoft's Passport becoming a middleman to all of their transactions. But do you think that their actions are likely to lead to "liberty" for anyone else?

The architecture of this system could potentially allow independent networks of verification. However, from reading through the specs, it is very easy to imagine an "open" protocol where the only Authentication Providers who are actually trusted (on a widespread basis) are the early adopting companies. Kind of like the web site certificate situation -- anyone can be a certificate server, but if you don't get a certificate from one of the major 3-4 providers, everyone coming to your web site will get a security error.

Re:Better names...

But do you think that [Banks'] actions are likely to lead to "liberty" for anyone else?

At least the federal government has the cahones and ability to control the behavior of banks in no small or indirect manner. Do I trust the federal government with my money more than Microsoft? Hell yes.

Re: One User One Identity:Brilliant

[aaron_pet]

One ID string would be nifty per person.

I think we should have peer to peer authentication. Each person will be their own central certification system, and certify friends and family to use their ID. This would form a large network. That should be traceable.

I am the only central identification system for myself. NO piece of paper or bits represents me officially. No signatures, no pictures, no retnal scans, no fingerprints.

I personally like to have multiple usernames and passwords with varing security.

I give out my password to things that I view as public (My hotmail account is public... and now The stupid people at microsoft have made it my "Passport")

I tell my friends my root password on my toy machines,

I tell select individuals the password to public servers

For "Secure" sites, I will seal the password in an envelope and put it in a safe deposit box

For Super Secure sites, I would do more.

I give passwords to my friends for subscriptions to online content. If I buy so many credits, I should be able to give them to somebody else.

So:I guess what I am saying is:

We need an Identity Tunneling system, where I can authorize my friends to act in my name... and so then... I would be the central identity server For myself...

Oh wait... If we let microsoft be the identity server, wouldn't microsoft etc be liable for all actions done on our account? If that is the case, Yippie, Create a username and password for me... We will be acting under the central authentication networks name!

Re:whew...I'm coming for you, you bastard!

What a fucking moron, this is not even funny.

Local storage vs. Central storage

[NortWind]

Opera fills in all the fields for me, making creating an account easy. I can give each vendor exactly the information I want. (This could be automated even further, I think, while control of my info still remains on my machine.) PayPal alows me to pay without exposing my credit card number to each vendor. Why would I want to give the care of my info and identity away to some company, any company, even one I trusted? Even good companies go bad, or get bought out.
Nobody trusts Microsoft for plenty of good reasons.

Re:Local storage vs. Central storage

[Zeinfeld]

Opera fills in all the fields for me, making creating an account easy. I can give each vendor exactly the information I want.

That is not as usefull. What companies want is a way that people can login to a site without having to register.

The nytimes and the latimes do not really want to know all that much about individual readers, but they do want to be able to tell advertisers that 60% of readers come from zipcodes where 30% of households are in the A1 income bracket and such.

The yahoo and raging bull don't really give a monkeys about who you really are but they do need to be able to tell the SEC that they can at least tie a poster to an email address if necessary. Same at slashdot.

The identity business will work a lot better if the sites we log into do not need to maintain statistics at the level of the individual account.

OK in extremis someone might get litigious and file a lawsuit and get info from the identity broker, but that is likely to have a lot more safeguards for the individual if the identity is held by an identity broker for whom identity (and pseudonymity) is a business. It really does not take that big a threat for yahoo to rat you out. There is a lawsuit going on at the moment in Texas in which a company which has made less than $150K in revenues in any quarter for the past five years is suing visa over nasty statements one of their employees made about them on a Web site - the topic today is apparently claiming that the nasty statements cost the company over a billion dollars.

I have no idea if this is what Liberty will eventually end up doing but I know how SAML could be used to achieve that.

PS I predict that if Liberty would let up on the anti-Microsoft hecktoring for a few months we could actually broker a union of Passport/Liberty and make them at least interoperable at a certain level.

.....why?

[piznut]

I don't have a universal digital ID now, and I honestly don't really feel a need for one. What is the real purpose? To keep absent minded people from having to remember more than one password? Thanks...Ill pass. Given all the political and privacy BS that is coming about...it just seems like more trouble than it's worth.

So when will -Slashdot- use this stuff, huh?

[Mordant]

That's what I thought - never in a million years.

Nobody gives a damn about Passport, or Liberty, or any of that crap. Nobody who runs a Web site worth a damn is going to allow authentication to/from anything he himself doesn't control.

First looks...

[deathinc]

I've just finished reading through the overview in detail, and skimming the other documents.

Before everyone starts bringing out their copy of 1984 (sorry - not going to link to Amazon, thank you very much) to compare lets take a good look at what they're doing.

First, a Service Provider (some place you might want to use your "Liberty" ID) has no requirment to use the Liberty IDs exclusively. The Service Provider can authenticate you with a 'local' username/password as well. (It's up to them.) The examples they use indicate this as well.

Second, if you don't trust an Identity Provider (The entity that you have your cross-site identity with), you don't have to use them -- there can (and hopefully will) be others. There's no built in monopoly, like some other system.

Lastly, if you're worried about your Identity Provider (who holds your 'master account') knowing all sorts of jucy information about you, you can relax (mostly). Other then when and where you signed on, or re-signed on, no personal information gets transferred from Service Provider to the Identity Provider. (With the exception of information needed to verify the identity you give.) This is unlike this system who wants to hold alot of information for itself. The key here is that there is no requirment forcing the Identity Provider to do this, and if you don't like it - don't use it.

If enough people stand up and say "NO", we can affect change.

On the positive side, if the Identity Provider has reasonable policies regarding the use of my personal information, and a compelling base of like-minded Service Providers using it's authentication service, I would likely avail myself of it's use. At the same time I'd burn a monopolistic Identity Provider in effigy.

Re:First looks...

A very accurate analysis. You said:

if you're worried about your Identity Provider (who holds your 'master account') knowing all sorts of jucy information about you, you can relax (mostly).

Most of the people who you will be Identity Providers already know more about you than you would care they did: Your ISP, your banks, your telco. You already have accounts with them and frequently you trust them (well, sort of...) These guys are going to be the ones authenticating you to the Ma and Pa shops and fly-by-night dot-coms.

Where is Apache CollabNet, and O'Reilly?

[CondeZer0]

Does any body know what happened to the Apache Software Foundation,
CollabNet, and O'Reilly?

When the Liberty Alliance was first presented around one year ago,
this three organizations where listed as founder members, but I can't
find them any more in the members list... what happened to them?

Their involvement in the project was the only thing that gave it
a minimum credibility in my eyes... well, probably Sun is screwing
up once more by thinking that they live alone in the universe...
*sigh*

\\Uriel

interesting

[writing on dennys bathroom wall]

the size of cmdrtacos penis is a direct correlation(sp?) to the number of interesting stories on slashdot.

man id hate to have his penis right about now, it prolly looks like an "innie" belly button.

Open Source??

[bryam]

Hi:

Is not Apache and Collab.net in the first work of Liberty? Why they are not here? Some discrepance with Sun?

-Bryam

Read the article still have some questions.

[will_die]

Maybe someone can answer theses for me. 1) Who hold and owns the central database which contains all this information? 2) Can I setup my own central database using thier technology just to authenticate people to my own servers or intranet even? Or is the libery alliance aways going to require that I use main repository?

Re:Read the article still have some questions.

[deathinc]

1) There are 2 'obvious' databases. First is the database held by the identity provider. This is the entity that holds your 'master' username/password. They own the database, and you cede them rights as they lay out in their privacy document. There can be multiple identity providers (unlike passport).
The 2nd is the database held by the service provider (site/system/etc you are logging in to). They know no other information about you from the identity provider other then what is needed to authenticate you (username, identity, expiration, etc). That database is owned by the Service Provider.
Neither the SP or the IP exchange information other then what is *technically* needed to authenticate you. (username, id hashes, expiration info etc).
2) Yes. (IAMAL - but there are patents involved in this technology - read the disclamers on the documents. I don't know about licences or enforcement on those patents tho.)

Re:Read the article still have some questions.

[a_n_d_e_r_s]

1. No one - there is no central database.
2. Yes.

Then this is what you should like...

[MosesJones]

Liberty is explicitly about de-centralised control, you have the id, possibly a "smart-card" credit card. It does the identification then passes credentials to others to allow you access.

Very nice, very sweet, very personal.

Amex et al killed Passport not the common man...

[MosesJones]

Passport was doomed to fail, not because you or I disliked it but for a much more simple reason.

The MS idea was that all transactions would be arbitrated via Passport, thus of course they would have the ability to charge a commision. The end game here is of course that online transactions would therefore all result in payment to MS, with MS having the ability to offer lower cost online credit than Amex, Visa et al.

It was amazing in its presumption, it was in fact the biggest ever salami scam attempt. Liberty works differently by giving control to the individual, this is great for Amex et al as the identification piece will be their credit-cards (notice the smart chip already on Amex Blue?) which make them even more useful.

This was big business v MS, and MS lost when faced with all of the banks, consumer giants like Sony, and underneath it all a simple technology stack based on....

Java

Tinfoil hats has little to do with it.

[Wrexs0ul]

The technology itself is not inherently evil. I would love a centralized system to manage my entire life for the sheer fact that it's simplicity allows me more time to do other things than manually manage aspects of my life which automation could (and should) coordinate. Unfortunately greed (aka business) has become so desensitized to the layman that they honestly couldn't care less what you do with the service provided someone makes a buck.

Problem is too many businesses are like this. You don't make money by being nice to people, and functionality to benefit us can just as easily grab and administer marketing strategies. Take the internet for example: originally designed as an amazing place for people to exchange information at a dizzying pace. To simplify session handling for something as limited as a website we developed the cookie. Enter the Gator (or your favourite brand of greed-motivated advertiser) who sees the potential to capitalize on this wealth of knowledge and voila, 200 popup windows before I manage to wade through onto slashdot. Did I mistakenly post my email address describing my company's services? Obviously that means I want info on naturally enlarging my penis through a home based business that can earn me $500 per day offering a flavour of the month pyramid scheme.

Bottom line: It's a good idea, but wouldn't work in a system where knowledge is power is money. ...Just you wait, my next Toyota with the voice activated system will one day say: "We've opened your door Matt, would've been faster had you bought a Lexus"

Thank you from Telus.

-Matt

---

Got web hosting? RackNine

Who would you chose as your Authent.-Operator?

[PatSmarty]

I think, frankly, that the discussion here has been mostly unrelated to the possibilities and dangers of liberty alliance so far.

Here's something to consider: Is there an Authentication Network Operator that you would *really* trust?

So far, you hadn't much of a choice: For payments, you could choose between MC and AMEX, and one of these two would handle the whole shopping side of your life.

But now, with the Liberty Alliance Projekt, you can choose a company that covers your whole online life. Would you trust MC or AMEX again? Better not, they already know too much of you. IBM? How do they guarantee you that your data will be safe? Yahoo - bad track record, no way. Google - no experience in the field but good track record.

I think that we would need a new type of company for this, under close inspection by the public - does anybody agree?

Re:Who would you chose as your Authent.-Operator?

Is there an Authentication Network Operator that you would *really* trust?

How about your bank? Or the telco/ISP. Both of these currently manage your identity very well. The former is regulated and has billions to lose if its systems are broken. The later has less information about you, but authenticates you every time you switch on your home Internet connection or use your mobile phone.

These big mothers are the ones who'll come out on top here.

better than a steinking penguin doll?

Microsoft Makes Donation to Peru
By THE ASSOCIATED PRESS

Filed at 7:54 p.m. ET

REDMOND, Wash. (AP) -- Microsoft Corp. is providing about $550,000 in money, software and consulting services to the Peruvian government for educational and ``e-government'' initiatives.

In a news conference Monday, Microsoft Chairman Bill Gates and Peruvian President Alejandro Toledo announced the contribution, Microsoft's first in Peru.

Toledo, elected last year, made technology and education a key focus, and initiated conversations with Microsoft, said Sandro Marcone Flores, executive director of the Huascaran project in Peru.

Marcone Flores downplayed whether the contributions could conflict with a proposal under debate in the Peruvian government. That proposal, by Congressman Edgar Villanueva, would obligate all public institutions to convert exclusively to open-source software, in which the underlying code is available to anyone wanting to revise or customize it.

The money will go toward training teachers as part of Toledo's Huascaran Project to improve the educational system with better instructors and technology. Microsoft's contributions will also be used to teach programming skills to potential software developers and help build a central government Web site that can deploy Internet-based services.

we own you politicull puppets for almost nothing

REDMOND, Wash. (AP) -- Microsoft Corp. is providing about $550,000 in money, software and consulting services to the Peruvian government for educational and ``e-government'' initiatives.

In a news conference Monday, Microsoft Chairman Bill Gates and Peruvian President Alejandro Toledo announced the contribution, Microsoft's first in Peru.

Toledo, elected last year, made technology and education a key focus, and initiated conversations with Microsoft, said Sandro Marcone Flores, executive director of the Huascaran project in Peru.

Marcone Flores downplayed whether the contributions could conflict with a proposal under debate in the Peruvian government. That proposal, by Congressman Edgar Villanueva, would obligate all public institutions to convert exclusively to open-source software, in which the underlying code is available to anyone wanting to revise or customize it.

The money will go toward training teachers as part of Toledo's Huascaran Project to improve the educational system with better instructors and technology. Microsoft's contributions will also be used to teach programming skills to potential software developers and help build a central government Web site that can deploy Internet-based services.

Open Source Development HOW-TO by poopbot

Credits: onby

1. Introduction

As everyone knows, Open Source software is the wave of the future. With the market share of GNU/Linux and *BSD increasing every day, interest in Open Source Software is at an all time high.

Developing software within the Open Source model benefits everyone. People can take your code, improve it and then release it back to the community. This cycle continues and leads to the creation of far more stable software than the 'Closed Source' shops can ever hope to create.

So you're itching to create that Doom 3 killer but don't know where to start? Read on!

2. First Steps
The most important thing that any Open Source project needs is a Sourceforge page. There are tens of thousands of successful Open Source projects on Sourceforge; the support you receive here will be invaluable.

OK, so you've registered your Sourceforge project and set the status to '0: Pre-Thinking About It', what's next?

3. Don't Waste Time!

Now you need to set up your SourceForge homepage. Keep it plain and simple - don't use too many HTML tags, just knock something up in VI. Website editors like FrontPage and DreamWeaver just create bloated eye-candy - you need to get your message to the masses!

4. Ask For Help

Since you probably can't program at all you'll need to try and find some people who think they can. If your project is a game you'll probably need an artist too. Ask for help on your new Sourceforge pages. Here is an example to get you started:

"Hi there! Welcom to my SorceForge page! I am planing to create a Fisrt Person Shooter game for Linux that is going to kick Doom 3's ass! I have loads of awesome ideas, like giant robotic spiders! I need some help thouh as I cant program or draw. If you can program or draw the tekstures please get in touch! K thx bye!"

Thousands of talented programmers and artists hang out at Sourceforge ready to devote their time to projects so you should get a team together in no time!

5. The A-Team

So now you have your team together you are ready to change your projects status to '1: Pre-Bickering'. You will need to discuss your ideas with your team mates and see what value they can add to the project. You could use an Instant Messaging program like MSN for this, but since you run Linux you'll have to stick to e-mail.

Don't forget that YOU are in charge! If your team doesn't like the idea of giant robotic spiders just delete them from the project and move on. Someone else can fill their place and this is the beauty of Open Source development. The code might end up a bit messy and the graphics inconsistant - but it's still 'Free as in Speech'!

6. Getting Down To It

Now that you've found a team of right thinking people you're ready to start development. Be prepared for some delays though. Programming is a craft and can take years to learn. Your programmer may be a bit rusty but will probably be writing "hello world" programs after school in no time.

Closed Source games like Doom 3 use the graphics card to do all the hard stuff anyhow, so your programmer will just have to get the NVidia 'API' and it will be plain sailing! Giant robot spiders, here we come!

7. The Outcome

So it's been a few years, you still have no files released or in CVS. Your programmer can't get enough time on the PC because his mother won't let him use it after 8pm. Your artist has run off with a Thai She-Male. Your project is still at '1: Pre-Bickering'...

Congratulations! You now have a successful Open Source project on Sourceforge! Pat yourself on the back, think up another idea and do it all again! See how simple it is?

- posted by poopbot: lovely snot! wonderful snot!

GSu3SP0RM5

Cheap at twice the price?

so you're saying that those penguinista rahbulls cooed have been hax0ring dammned peruvians for around 1/4 mill0? talk about hard times? kewl.

how much for that whoredoggIE to bark "windose"?

w00f w00f

ediot

caN'T couNT huh? know wunder you're losing the softwar.

peruvian presideNTs are @leased 3/4 mill0 after speeking to fuddles.

american presideNTshills are much cheaper, plus you get much more bunk for your billybuks.

check his pockets

you might think that mr peruvia.com walked away with only 500k to show for IT, but ucann bet your .asp there's a few more billybuks where those came from.

Ill eagle gangsterious softwar FraUDs are everywhere, & in a bumdance, anymore.

Re:check his pockets

how any of you can suggest that anything the kingdumb dooes is subject to suspicion/screwtinny, is weigh beyond me. phreaking whiners. looks like you coulda won the peruvian thing for around 3/4 mill0. cheapskates.

Where's the Implementation?

[Mojojojo]

This has not been implemented yet...having a "spec" is nice and all, but noone can use it until it has an implementation. Passport has been around for a while now and has a large base of users and sites supporting it. I don't like MS controling my identity any more than the next guy, but 2 or 3 news stories in major publications isn't going to change the fact that thousands of websites already support Passport and Passport has probably millions of users thanks to MS making that mandatory for @hotmail.com and @msn.com users.

There needs to be a kick ass implementation and a network of sites supporting it, not to mention some business agreements for the big sites already using Passport to support both. Then we can let them play the protocol game, screwing the end users (which, lets face it, there's only a handful of people working on this software, so that's everyone on the net that's an end user).

XNS

[ek_adam]

And in what may be a coincidence, XNS (eXtensible Naming Service) released their specs this week also. Under their system you have a master set of data and then a number of ecards with subsets of that data. You might have a business ecard for colleagues and business associates, a personal ecard for friends and family, and so on. The system keeps track of which ecards you gave to which people so if you move or change data, the other people's ecards get updated.

Trust No One, But Use Liberty not Passport

[FreeUser]

Some big names sure .. but in reality these companies are just as money hungry as Microsoft ..

Yup, they're money hungry allright. And they've found a big, and likely to grow, niche, namely people who do not want to do business with companies that share and sell their private information, as if their customers were little more than product themselves, objects to be owned, ie. slaves.

They've bet that, by offering a service that provides the same convinience Passport claims to provide, while maintaining the integrity of their customer's privacy, that they will gain market share in so doing, at the expense of those who use passport and pass around their customer's private data like some cheap sexually transmitted disease.

And they are probably right, which means that by protecting our privacy from the likes of telemarketers and Microsoft, those money hungry companies are going to make even more money.

I'm the first to criticize the idiotic notion that capitalism is somehow a panacea for all our ills ... as often as not it isn't ... but it should also be pointed out that the profit motive doesn't assure unethical behavior, and this looks like a clear case where ethical behavior actually offers a competetive advantage.

is entrusting your purchasing habits to these guys really a good idea?

No, which is why you do not want to use Passport, and why the design of the Liberty Alliance scheme, which does not share or even link to personal information, is so much superior and preferable to Microsoft passport.

Realistically, how long until Linux adoption?

[mikehoskins]

Can we benefit Really Soon(tm) from LA being integrated into PAM?

Smells like bluestem

[Denium]

The University of Illinois uses something similar: Bluestem. It supports inter-realm authentication, too.

Re:Smells like bluestem

[finkployd]

I had not heard of that one, pretty interesting.

One difference though is that Bluestem only provides authentication, leaving it up to the application to supply its own authorization database. Shibboleth (and Liberty Alligence, the more I read the tech specs, the more I am positive they are the same thing) provides authorizaztion information along with the authentication.

Finkployd