Liberty Alliance Releases Specifications
Darren.Moffat writes "Has the time come for Passport to move over? Technical Specs of the Liberty Alliance Project technology are now available from the website and were officially announced at the Burton Group conference today." We've done stories on the Liberty Alliance and digital identity before.
As I keep telling my friends who are Analog IC Engineers, there are only two identities for digits -- '0' and '1'. How hard can this be?
E-week story about this is here: http://www.eweek.com/article2/0,3959,382210,00.asp
I was thinking rather pessimistic about all this, until this little beauty popped up:
"The Liberty version 1.0 specifications do not involve the exchange of personal information. Instead, they involve a format for exchanging authentication information between companies so the identity of the user is safe, and specific details about the customer's identity are not shared. The user may choose which accounts he/she wants to link, and may maintain separate identities in different locations while still benefiting from a seamless sign-on experience."
So, it's cool. Well, not that Em Emalb would be targeted anyway, more along the lines of some poor dude named Pete Slashtaco (who for some reason, lives in New York City 10101) and makes $15,000 a year working as a CEO of a Fortune 500 business with 250,000 employees. Poor, poor Pete.
Sent from your iPad.
What companies are on the Liberty Alliance Management Board?
.. but in reality these companies are just as money hungry as Microsoft .. is entrusting your purchasing habits to these guys really a good idea?
A. There are currently 16 companies on the management board. They are: American Express, AOL Time Warner, Bell Canada, Citigroup, France Telecom, General Motors, Hewlett-Packard Company, MasterCard International, Nokia, NTT DoCoMo, Openwave Systems, RSA Security, Sony Corporation, Sun Microsystems, United Airlines, and Vodafone.
Some big names sure
Ironically, passport started as a stop AOL Instant Messenger affair. So I don't think it is impossible that Passport and Liberty will eventually merge.
On a technical level this is certainly possible and if folk look hard at the underlying SAML spec that Liberty is based on you will notice that there is an interesting intersection between SAML and the GXA world.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
Stolen identity doesn't exist? Care to tell that to the thousands of people each year that have their credit hijacked. It's amazing the stuff you can do with an SSN.
a direct link to the specs is here
--BlueLines "The cost of living hasn't affected its popularity." -anonymous
It looks like this is something relatively simple (on a conceptual level), very flexible, and has a lot to offer businesses that need to interoperate without selling their soul to an unnamed software giant.
There also seems to be a lot of big names standing behind the Liberty Alliance, which gives it so much more clout in the business world than it could ever achieve through just good design.
The rest of the world may be expanding the digital world so fast that MS continues to shrink in relationship to it.
well, one can always hope.
"It is a greater offense to steal men's labor, than their clothes"
I was wondering why this thing was even getting mentioned, then I checked out the list of member companies and if anyone can get this in wide use it's these companies.
Maybe it has a chance.
What makes this better than passport? Is it just that it doesn't have MS in front of it? Is it because it has the word "Liberty" in it? Both have words relating to freedom: Pass and Liberty. Both have little to do with freedom. Absolute Anonymity or Full Disclosure must be present for freedom. If there is a monitoring agency that can restrict what it sees to itself, it is inherently flawed. It must fully disclose everything, to everyone... And that is non-trivial... But probably worth pursuing. Until then, we should not have a self-accountable agency like these systems that base decisions on limited, selected-for-cheapness/support-viewpoint information. I propose that everyone give everyone else their MS passport passwords etc... make copies of fingerprints and retinas etc, and distribute them freely (An idea similar to one that Richard Stallman has promoted)
Please use [ informative / summarizing ] SUBJECT LINES
Flame me here
I downloaded the specification, but it's obnoxiously long/buzzwordish and my Linux PDF software sucks. I've got some pretty basic questions I'm hoping someone can answer:
One would hope they are only sent to the identity provider, and encrypted. But this talk of using existing deployed clients makes me nervous, since I don't see how both things are possible together.
They mention HTTP redirects...I think you go to the Service Provider's page, they redirect you to the identity provider as the form action, and they redirect you back, authenticated. That doesn't seem like a good plan to me, no one will actually check that the form action goes elsewhere.
I'd be much more comfortable with something similar to Kerberos: you get a TGT (ticket-generating ticket) from the Key Distribution Center (excuse me, Identity Provider) and use that to provide a ticket to the Service Provider. That ticket can't be used elsewhere and will be invalidated after a certain length of time.
I'd like to use it to authenticate with HTTP, SSH, IMAP, SMTP, and Jabber - probably others I'm forgetting, too. A GSSAPI and/or SASL mechanism would help a lot here.
I'd hope that anyone can set up Identity Providers and Service Providers at little or no cost and have them work with major players. I think this would require
Here, I think the answer is yes. They said something about opaque tokens that gave me hope. I'd like clarification, though.
Bad as in Trade Federation ???
Open Source or Closed Source. I don't need either of you to cure a symptom of my ailment. It does not cure the disease. We need strong enforcement of existing laws (never happen) and an educated consumer (never happen).
Strange women lying in ponds distributing swords is no basis for a system of government.
This is my fundamental problem with Liberty Alliance and Passport and whatever-all-else.
What, really, is the point?
I am, in fact, actually capable of taking two seconds to type in my username and password on several different sites every day. If I don't want to, there are a number of programs--including Mozilla and IE--that are willing to save them for me and re-input them every time I visit that site, without holding any of my personal information on someone else's computer.
So why is this Passport stuff supposed to be all that important? Until the day comes that I /have/ to sign up for something like that to access a service I can't get anywhere else, I don't care what they do or who else offers the same type of service. The day I must sign up to get that service...
I stop using that service.
Really, I don't see why the benefits outweigh the drawbacks, no matter who happens to be running it.
First up, this is very similar to (possibly even based off of) the Internet2 middleware project, Shibboleth, incorporating similar technology such as SAML assertions. In the interest of disclosure, I am working on setting up Shibboleth at my University as a method of allowing intra-University authentication AND authorization. So I can talk somewhat about that (although I do not in any way speak for Internet2, I do not work for them, I probably will get some details mixed up, have a grain of salt, etc.)
This is not about central authN or authZ (authentication and authorization), it is about utilizing existing auth databases and methods and allowing them to talk to each other. An example, if I may:
A student at University A wants to take a web based class offered at University B. The two Universities have a partnership established but unfortunately University A uses Kerberos as a central authentication tool and University B uses Active Directory (Uni B obviously never plans to scale, but I digress). Either way, Uni A is not going to give Uni B the user's password, and Uni B really does not want to add every external user who is going to take this class through the partnership.
The solution Shibboleth offers is that Uni B can simply "point back" to a URL at Uni A that is protected with their central authentication system, and if the student can log in there, Uni A creates a digitally signed certificate identifying the user to Uni B AND any relevant authZ information. Meaning that the list of students allowed to take this class is managed by Uni A and Uni B never has to worry; the signed certificate proves all they need to know. There is obviously more to this but check out the above web site for the specifics.
The important part to all this is (1) inter-realm authentication: There is not one single database of users and authZ info, there are multiple players who pre-agree on authZ info, but maintain their own internal user databases and methods of authN. Presumably, the ability to say what the external entities can see about the users could be delegated down to the users themselves. (2) Authorization: Everybody is familiar with single sign on concepts that only prove who you are; how about ones that also say what you are allowed to do, what groups you belong to, and what access you have. DCE did a fine job of this (and Microsoft did a fine job of renaming DCE to Active Directory and calling it innovation) but it did not talk to other authN/authZ systems.
If the Liberty Alliance is as close to Shibboleth as I think it is, then it offers something we have never had before. A framework for a single sign on system that is not centrally managed, but leaves control to separate entities that mutually trust each other.
Let's face it, when it comes to something like this you don't want all your eggs in one basket, especially if that basket has to answer to stockholders and has possibly the worst security reputation in the short history of computing (really, I don't know why Hailstorm failed...)
This looks promising and it appears to be an approach that nobody has taken before. So don't assume it is just Sun's version of Passport, the technology seems vastly different. Specifically, it seems to be designed with the user's best interest in mind, not a single corporation's.
Finkployd
I do not believe this limits you to any system. It seems to delegate the authentication/authorization to your "service provider" (not totally sure what they mean by that) who could potentially use ANY system. The important thing is that after you authenticate with them, it generates a short term certificate, signed by the "service provider" and encoded with authorization info.
Finkployd
It is not centralized at all, please read the specs. There is no "them", it can use your existing "service provider" (assuming company auth system, university auth system, ISP auth system, etc). It is basically a "common authZ/authN" language that service providers can speak to each other.
Finkployd
Does anybody know what happened to the Apache Software Foundation, CollabNet, and O'Reilly?
When the Liberty Alliance was first presented around one year ago, these three organizations were listed as founder members, but I can't find them any more in the members list... what happened to them?
Their involvement in the project was the only thing that gave it a minimum credibility in my eyes... well, probably Sun is screwing up once more by thinking that they live alone in the universe...
*sigh*
\\Uriel
"When in doubt, use brute force." Ken Thompson
Liberty is explicitly about de-centralised control, you have the id, possibly a "smart-card" credit card. It does the identification then passes credentials to others to allow you access.
Very nice, very sweet, very personal.
An Eye for an Eye will make the whole world blind - Gandhi
Passport was doomed to fail, not because you or I disliked it but for a much more simple reason.
The MS idea was that all transactions would be arbitrated via Passport, thus of course they would have the ability to charge a commission. The end game here is of course that online transactions would therefore all result in payment to MS, with MS having the ability to offer lower cost online credit than Amex, Visa et al.
It was amazing in its presumption, it was in fact the biggest ever salami scam attempt. Liberty works differently by giving control to the individual, this is great for Amex et al as the identification piece will be their credit-cards (notice the smart chip already on Amex Blue?) which make them even more useful.
This was big business v MS, and MS lost when faced with all of the banks, consumer giants like Sony, and underneath it all a simple technology stack based on....
Java
An Eye for an Eye will make the whole world blind - Gandhi
1. No one - there is no central database.
2. Yes.
Just saying it like it are.
The technology itself is not inherently evil. I would love a centralized system to manage my entire life for the sheer fact that its simplicity allows me more time to do other things than manually manage aspects of my life which automation could (and should) coordinate. Unfortunately greed (aka business) has become so desensitized to the layman that they honestly couldn't care less what you do with the service provided someone makes a buck.
...Just you wait, my next Toyota with the voice activated system will one day say: "We've opened your door Matt, would've been faster had you bought a Lexus"
Problem is too many businesses are like this. You don't make money by being nice to people, and functionality to benefit us can just as easily grab and administer marketing strategies. Take the internet for example: originally designed as an amazing place for people to exchange information at a dizzying pace. To simplify session handling for something as limited as a website we developed the cookie. Enter the Gator (or your favourite brand of greed-motivated advertiser) who sees the potential to capitalize on this wealth of knowledge and voila, 200 popup windows before I manage to wade through onto slashdot. Did I mistakenly post my email address describing my company's services? Obviously that means I want info on naturally enlarging my penis through a home based business that can earn me $500 per day offering a flavour of the month pyramid scheme.
Bottom line: It's a good idea, but wouldn't work in a system where knowledge is power is money.
Thank you from Telus.
-Matt
---
Got web hosting? RackNine
--- Need web hosting?
Some big names sure .. but in reality these companies are just as money hungry as Microsoft ..
... as often as not it isn't ... but it should also be pointed out that the profit motive doesn't assure unethical behavior, and this looks like a clear case where ethical behavior actually offers a competitive advantage.
Yup, they're money hungry all right. And they've found a big, and likely to grow, niche, namely people who do not want to do business with companies that share and sell their private information, as if their customers were little more than product themselves, objects to be owned, i.e. slaves.
They've bet that, by offering a service that provides the same convenience Passport claims to provide, while maintaining the integrity of their customers' privacy, they will gain market share in so doing, at the expense of those who use passport and pass around their customers' private data like some cheap sexually transmitted disease.
And they are probably right, which means that by protecting our privacy from the likes of telemarketers and Microsoft, those money hungry companies are going to make even more money.
I'm the first to criticize the idiotic notion that capitalism is somehow a panacea for all our ills
is entrusting your purchasing habits to these guys really a good idea?
No, which is why you do not want to use Passport, and why the design of the Liberty Alliance scheme, which does not share or even link to personal information, is so much superior and preferable to Microsoft passport.
The Future of Human Evolution: Autonomy
That is not as useful. What companies want is a way that people can login to a site without having to register.
The nytimes and the latimes do not really want to know all that much about individual readers, but they do want to be able to tell advertisers that 60% of readers come from zipcodes where 30% of households are in the A1 income bracket and such.
The yahoo and raging bull don't really give a monkeys about who you really are but they do need to be able to tell the SEC that they can at least tie a poster to an email address if necessary. Same at slashdot.
The identity business will work a lot better if the sites we log into do not need to maintain statistics at the level of the individual account.
OK in extremis someone might get litigious and file a lawsuit and get info from the identity broker, but that is likely to have a lot more safeguards for the individual if the identity is held by an identity broker for whom identity (and pseudonymity) is a business. It really does not take that big a threat for yahoo to rat you out. There is a lawsuit going on at the moment in Texas in which a company which has made less than $150K in revenues in any quarter for the past five years is suing visa over nasty statements one of their employees made about them on a Web site - the topic today is apparently claiming that the nasty statements cost the company over a billion dollars.
I have no idea if this is what Liberty will eventually end up doing but I know how SAML could be used to achieve that.
PS I predict that if Liberty would let up on the anti-Microsoft hectoring for a few months we could actually broker a union of Passport/Liberty and make them at least interoperable at a certain level.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
I had not heard of that one, pretty interesting.
One difference though is that Bluestem only provides authentication, leaving it up to the application to supply its own authorization database. Shibboleth (and Liberty Alliance; the more I read the tech specs, the more I am positive they are the same thing) provides authorization information along with the authentication.
Finkployd