Slashdot Mirror


Sun Releases Open Source Tool for Project Liberty

ruisantos writes "After submitting the technical specifications for the project, Sun has finally launched an open source tool for its upcoming Sun ONE Identity Server version 6.0, the news can be found on CNET news."


  1. Huh? by Ctrl-Z · · Score: 4, Interesting


    I don't get it. Is Sun ONE the same as the Liberty Alliance? The article that is referenced doesn't mention Sun ONE that I could see, just the Liberty Alliance.

    I didn't even know that the Liberty Alliance was still around since Hailstorm kinda fell through.

    I wonder if they're having much luck selling the idea to anyone. Microsoft sure didn't.

    --
    www.timcoleman.com is a total waste of your time. Never go there.
    1. Re:Huh? by arberya · · Score: 5, Informative

      The Liberty Alliance is a group of companies helping to define the specification. Sun proposed Project Liberty as an alternative to Passport. Sun have implemented the specification in their Sun ONE range of products. You will probably see Novell implement the specification within eDirectory as they are members of the alliance as well. As for selling the idea to anyone, it is not a matter of selling it, if you look at the specs it sells itself. Devolved identity management, no single company holding identity information, like Microsoft does with Passport.

    2. Re:Huh? by JediTrainer · · Score: 3, Informative

      I don't get it. Is Sun ONE the same as the Liberty Alliance?

      Not quite. Sun ONE is the competitor to the Microsoft .Net framework (meaning, it's a suite of server and development applications, including the Forte suite of IDEs, compilers and your application/web servers and whatnot). Liberty Alliance seems to be competing against Microsoft Passport and all that 'secure' global user profile shtuff.

      --

      You can accomplish anything you set your mind to. The impossible just takes a little longer.
    3. Re:Huh? by passthecrackpipe · · Score: 3, Informative

      Well, there is definitely a market for this kind of thing, it is just about the implementation. Basically, MS said: "give us all your data, you can trust us with it". Everybody fell over laughing, of course. That is why Hailstorm fell through.

      The Liberty Alliance is saying: "We don't want your data, we just want to give you the tools". That there is a need for the concept of identity management stands beyond any doubt. How many website logins do *you* have? Exactly. However, how the respective organisations plan to handle all the data, and plan to implement the concept is what really matters here. That is why the Liberty Alliance has a much better chance of actually being used.

      Of course, it is an extra kick in the face to MS that the first tool to come out is Open Source.....

      --
      People who think they know everything are a great annoyance to those of us who do.
  2. Uh by yem · · Score: 3, Insightful

    Why not just tell your browser to remember the login? Frankly I trust my computer a lot more than some corporation - Microsoft or otherwise.

    --
    No, I did not read the f***ing article!
    1. Re:Uh by Diabolical · · Score: 4, Insightful

      Yes... if that is the only computer you work with. But I have my personal systems at home, a system at work, when I'm visiting relatives I use their computer, same when I visit friends. When I am on vacation I use a system in a cybercafe etc. etc. etc.

      It would be nice if I could use the info on a centralized system. Mind you, I'm just talking about the info. Not about data accumulated from online buying etc.

      This is where this system comes in, it allows to store information about a person on a central place while allowing online shops to hold on to their own info. MS Passport tries to gather all the info in one place, preferably on their own servers.

    2. Re:Uh by awol · · Score: 3, Insightful

      It's not just about allowing you to login, but one of the fundamental problems of the "internet" is the proof of identity. As more and more important services become online, it becomes more and more important to be confident that Jo Public is actually a) Jo Public and not Mary Citizen and b) The Jo Public of 23 Main Street Bigtown.

      In meatspace, you prove identity by a "collection" of evidence from relatively trusted sources, a bank account, a gas bill and something with a photo. In the on line world being able to go to an online vendor and do a similar thing where you can prove that BANK A, utility co B and Company X all know about a Jo Public of 23 Main Street obviates the need for a "central" repository of identity, which, if you ask me, is a good thing (TM) (ie not having one is a good thing :-)

      So in addition to the people's points about using multiple machines (an excellent point by the way), proof of identity is the killer app INM(NS)HO.

      --
      "The first thing to do when you find yourself in a hole is stop digging."
    3. Re:Uh by Sunnan · · Score: 3, Insightful

      With this, you can do a lot of stuff you can't do with just browser remembrance. You're at a travel page booking a flight, and it can book the bus trip for you as well without you having to log in to the bus company.

      But I agree that there are trust issues.

      The other day, me and my friend Kreiger was thumbing through some dumb "technical" magazines while we were in a waiting room, and I saw the news that some phone company had joined the liberty alliance. "Cool," said I and began talking about how this could make sites easier to use, how it was more trustworthy and less evil than Hailstorm. He was saying kinda the same things you are, and I said "It's good for users".

      Just minutes after that, we came upon an article about Intel's new DRM initiative. It was totally slanted! "Intel builds in protection against virii and hackers." What the...? I'm totally against DRM and the slant pissed me off! I began complaining loudly about it. Kreiger just looked at me, and said sarcastically:

      "It's good for users."

      What an eye opener. Paranoia against corporations is my philosophy from now on.

  3. Re:Open source... by passthecrackpipe · · Score: 4, Insightful

    Well, not to start a flamewar or anything, but, as another poster pointed out, the SISSL is an OSI approved license. Now, I quite agree with you that the GPL is the ultimate in Free Software licenses, but the provisions of the GPL are not to everybody's taste. I too would be happier with the GPL, but as things stand today, this is a bit better than no OSS license at all. Also, would you care to point out where the SISSL is incompatible with the GPL? Or do the words "Commercial Use" just get your panties in a bunch?

    --
    People who think they know everything are a great annoyance to those of us who do.
  4. The Slashdot Effect: A new form of terrorism. by Anonymous Coward · · Score: 3, Funny

    As an assistant member of the security team of a large fortune 500 company, I have discovered a new form of terrorism stemming from the deepest underground of the Internet. A site catering to hackers, communists and anti-Americans called Slashdot.org has created a new type of denial-of-service attack known as 'the Slashdot effect'. This attack has been used against what are seen as the enemies of the 'Open source movement' which include many large American companies such as Microsoft as well as many American media companies such as Time-Warner-AOL. The Slashdot Effect could have a potentially crippling effect on the American computer industry and I feel it is justified to offer my own advice on this problem.

    What is the Slashdot Effect?

    The Slashdot Effect (also known as Slashdotting) is a new form of denial-of-service attack stemming from the site Slashdot.org. Once they find a 'target' (whether it be a large media company or small personal homepage) the URL of the site is posted on the front page of Slashdot.org. Members of this site attempt as quickly as they can to follow these links and overload the target server. This causes the 'target' website to slow to a grinding halt before going offline. It can sometimes take days or even weeks for the site to recover from such a surge of traffic, and often the servers can be damaged beyond repair (that is, they cannot be fixed with a simple defrag!).

    Who is normally the target of the Slashdot Effect and how is it done?

    Many American companies have already been attacked by the Slashdot Effect. Targets often include news sites such as the New York Times as well as large American companies such as Intel. Sites that criticize the open-source movement are a prime target. For example, let's say an American media website such as the London Times does a review of a little known operating system known as Linux. Linux is an operating system developed by a hacker from communist Finland, which is based on code stolen from an American operating system known as Unix. It was created in cooperation with a communist group known as g.n.u. (Which stands for Glorified Novelty Unix) and is generally unusable by non-hackers. Obviously since it is such an archaic and unstable operating system compared to those made by American companies such as Microsoft it would get a bad review on the London Times. Once a Slashdot member discovers this honest review the URL would be posted on the front page of Slashdot.org. A flood of users would follow the link to the site and bring the server to a grinding halt. Since most of these users are terrorists they would probably have ads disabled using European hacking software. This would mean a potential loss of thousands of dollars worth of ad revenue. To top it off, members of Slashdot.org often plagiarize the articles and post it on illegal mirrors, furthering the loss of ad revenue. Members of Slashdot are rewarded for plagiarizing in the form of 'Karma', a form of hacker currency, on Slashdot.org.

    What can I do to avoid the Slashdot Effect and how would I deal with it if it happened?

    The easiest way to avoid the Slashdot effect is to refrain from posting anything about any open-source software, especially Linux. Focus your website on fine American companies such as Microsoft. You can also set up your server to reject any links from Slashdot.org, something many people have done. If you think your site is being attacked by the Slashdot Effect, contact the authorities immediately and report this act of terrorism. The penalties against hacker/terrorists are stiff and you can feel confident that the perpetrators of this terror will be punished in the harshest possible means.

    by Anonymous Pancake

    1. Re:The Slashdot Effect: A new form of terrorism. by CTalkobt · · Score: 3, Funny

      >> I don't mean to sound like a downer, if anyone actually finds it funny, but I feel compelled to speak out and say that, well, I don't find this particular bit to be amusing, at all.

      Ah - I see - Can you post a link to your website that previously got slashdotted? :-)

      Many thanks,

      --
      There's a gorilla from Manilla whose a fella that stinks of vanilla and has salmonella.
  5. Can I run my own personal identity server? by goingware · · Score: 4, Insightful
    So would this mean I can run the server on my home linux box, and store all my private information only on my own machine, in my own house, so that websites would query the server I am operating when I want to log in?



    If so, then I might have some enthusiasm for it, and I imagine lots of others would as well.



    If my identity data is to be stored by some commercial service, even a Liberty Alliance member, I'm afraid I have no plans to participate.



    I won't use any website that requires me to sign up for Passport. I've done a lot of Windows development the last couple years, and I can well imagine it would be to my benefit to pay for M$' developer program, but my understanding is that it requires Passport to participate, so I won't have any part of it.



    Even if I had my own personal server storing my identity, you can bet I will configure my firewall so it will only accept queries from sites I consciously want to have the information.

    --
    -- Could you use my software consulting serv
    1. Re:Can I run my own personal identity server? by matsh · · Score: 3, Interesting

      Would you trust, say, the Free Software Foundation, if they set up a server? I think I would, and I think I would be willing to pay some money to make sure they have the hardware and personnel to maintain a damned safe version of such a server.

      Mats

  6. Re:Oh come on by shaper · · Score: 5, Interesting

    My brother works at fedex and they are turning into an all Windows shop.

    This assertion is completely and utterly incorrect. It is so far from the truth that one might consider it a deliberate fabrication. Real core production FedEx systems revolve around serious IBM mainframe hardware. Nothing else really supports the necessary transaction volume. Many applications are front-ended by web interfaces running on lots and lots of Sun servers. And Sun boxes being phased out are being upgraded, not replaced. No one at FedEx seriously considers Windows for any core business application, server side. No way it could handle the volumes of data.

    For example, one of our smallest non-core-business systems handles maintenance on our vehicles. We periodically look for an off-the-shelf system to buy. Vendors come in all bright and happy and tell us how wonderful their application is. It's easy to use and runs on nice commodity PC hardware under Windows. They tell us they have customers supporting fleets with several thousand vehicles with no problems. And they say it as if we should be impressed about someone operating fleets of 1, 2 or even 3 or 4 thousand trucks. We say, "Great! We have over 160,000 assets, over 60,000 of which are big rigs alone. We have more than 2,000 mechanics scattered over the globe performing 5,000-10,000 different repair actions on those assets every business day, year round, to keep them running. Those repairs generate 500-1000 potential vendor warranty claims per day which must be processed and filed as fast as they are created. And we must automate every possible part of the process chain that we can. Oh, and we need to retain all that data on-line for anywhere from 18 months to 5 years for various business and regulatory reasons. Can your system handle that?" And they look back with a deer-in-the-headlights look and promise to get back to us. And back we go to those old mainframes just chugging happily along, with nice spiffy web front-ends and feeding big honkin' data warehouses on Sun servers. And this is an example of one of the tiniest systems we have! Never mind about really important stuff like flight planning, scheduling or, heaven forbid, the Sort!

    Oh, and we can't forget the millions of lines of custom COBOL that have been written and tailored to FedEx business processes. Code that would take some terrible amount of programmer-decades to re-engineer if we ever moved off mainframes.

    Just because your delivery-truck driving brother uses a Windows PC at his station or strapped to his wrist does not at all mean that FedEx is in any way using Windows for anything other than client access. We use what makes sense, where it makes sense. For clients, at this point in history that's mostly Windows. For most everything else with really big requirements, Windows just doesn't make sense, whether for reliability, scalability or performance.

  7. Keep your passwords in a safe at night by goingware · · Score: 4, Interesting
    I try to have different passwords at each website, but of course that is unmanageable. I have no trust in Microsoft Passport, and while I think Sun is more honorable in what they are doing here, I think such information as my online identity is too important to trust even to them.

    I think the best solution is to store one's passwords under hard encryption, and keep the physical storage medium in a safe - a physical metal box with a combination lock - when not in use.

    I'm not using it yet, but at some point I'd like to get a Palm or Handspring Visor just so I can use Keyring for PalmOS (formerly GNU Keyring).

    An alternative would be to put compact flash readers on all my machines and use a compact flash card.

    Finally, there is WiebeTech's FireWire KeyChain, which stores up to 1 GB of data in a tiny package convenient to hold your metal keys and keep in your pocket.

    The advantage of the PalmOS keychain is that it requires no software or hardware support on the computers it is used with, and it can be quickly moved from computer to computer. The advantage of compact flash and WiebeTech's product is that software support can pop the password onto the clipboard for you for convenient pasting into your browser.

    --
    -- Could you use my software consulting serv
  8. Hello point.... you missed it. by MosesJones · · Score: 3, Insightful

    This isn't just about browsers, it's about mobile phones, PDAs, servers, TVs, Set-top boxes, smart cards etc etc.

    And it's not just about Web content, it's about authorisation systems as a whole.

    A browser is just one very very small part of what Liberty could be used for. And while a browser remembers a password, it doesn't know who you are and cannot prove that you are that person.

    --
    An Eye for an Eye will make the whole world blind - Gandhi
  9. Misconceptions by finkployd · · Score: 4, Insightful

    There seems to be a lot of misconceptions about Liberty. As I understand it, the framework allows you to "assert" your identity to a remote location by a trusted third party. Perhaps your trusted third party is your bank, or your University, or your ISP. You authenticate with them, then a packet of data asserting who you are is digitally signed by this trusted third party and sent to wherever. If the remote location trusts the third party to assert identities, then you are in.

    This does not seem to be about having the same password on every site, or even having ANY password on a site. It is federated authentication (and possibly authorization, but I don't know how they would do that, possibly with SAML assertions).

    Finkployd
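
The flow described in the comment above, seen from the remote site that receives the signed packet, as an added example that is not part of the thread and is not Liberty Alliance or Sun code. It goes slightly beyond the comment by also checking an audience and an expiry time; the provider names, keys and field names are constructed, and HMAC-SHA256 with a key shared between each provider and the relying party stands in for the provider's public-key signature so the example runs on the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed sample data (hypothetical names and keys): the third parties
# this relying party trusts to assert identities, each with a key agreed
# out of band. HMAC stands in here for the provider's digital signature.
TRUSTED_PROVIDERS = {
    "bank.example": b"constructed-key-bank",
    "university.example": b"constructed-key-univ",
}
RELYING_PARTY = "shop.example"


def _tag(key, body):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest().encode()


def issue_assertion(issuer, key, subject, audience, not_after):
    """Provider side: sign a statement that `subject` has authenticated."""
    claims = {"iss": issuer, "sub": subject, "aud": audience, "exp": not_after}
    body = json.dumps(claims, sort_keys=True)
    return {"body": body, "sig": _tag(key, body).decode()}


def verify_assertion(assertion, now):
    """Relying-party side: return (subject, None) or (None, reason)."""
    try:
        body = assertion["body"]
        claims = json.loads(body)
        issuer, subject = claims["iss"], claims["sub"]
        audience, not_after = claims["aud"], claims["exp"]
    except (KeyError, TypeError, ValueError):
        return None, "malformed"
    if not isinstance(body, str) or not isinstance(issuer, str):
        return None, "malformed"
    key = TRUSTED_PROVIDERS.get(issuer)
    if key is None:
        return None, "untrusted issuer"  # signed, but not by anyone we trust
    presented = str(assertion.get("sig", "")).encode()
    if not hmac.compare_digest(_tag(key, body), presented):
        return None, "bad signature"  # altered in transit or forged
    if audience != RELYING_PARTY:
        return None, "wrong audience"  # issued for a different site
    if not isinstance(not_after, (int, float)) or now > not_after:
        return None, "expired"
    return subject, None
```

No password for the relying party appears anywhere: the site's decision rests on which issuers it trusts and on the assertion verifying against that issuer's key.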