Liberty Alliance Plans Passport Interoperability
EvanDelay writes "The Liberty Alliance Project, which is developing Web technology to facilitate single sign-on authentication, plans to support interoperability between its system and Microsoft Corp.'s rival Passport system.
Computerworld has the story."
Do we really WANT that? Seriously, the whole point (at least for me) with this project was that my data was miles away from the non-security-conscious Microsoft. That I could pick the lesser of two evils.
It would be best if it gave me an option.
But personally, I agree with what another Slashdot reader said: it's the browser's job to look after a user's password. A single username and password for all your sites is absolutely retarded security-wise.
Microsoft IIS is to webserving as KFC is to healthy eating
They've changed their name to "The Alliance Project"
Microsoft's Passport single sign on system still has many security flaws, well as do all of Microsoft's products, but using the single sign on system for business transactions in the Liberty Alliance Project may not be a step in the right direction. The LAP should have designed a new system for login and account management.
I don't mind having the *choice* to let MS have some of my personal data.
Interoperability is great if it increases choice - although I hope that we'll also have the choice not to interoperate.
I really hope it will work with Linux. If it does we will have a free ride onto Passport-only sites. I can't imagine MS letting off a Passport client for Linux by themselves (or anyone using it for that matter).
HTTP/1.1 400
(For those who don't know, Mono is basically the open-source community's response to Microsoft's dotNet.)
This is going to fail for the same reason Mono isn't catching on yet: Microsoft's marketing budget. Liberty could become robust and do everything Passport claims to do, and yet the PHB's of the world will still be asking us web guys to develop Passport solutions, not Liberty solutions. Why? Because they see Microsoft's ad campaigns.
Sure, it's probably the last nail, but for which service? As much as the majority of the userbase hates MS, it doesn't really change these two simple facts:
1) They have a single platform they can use to push their services from
2) They have a Scrooge McDuck style bank-vault to dip into whenever they start to feel the sting of competition. Interoperability with Passport is only going to force Liberty into anonymity, not give it the huge marketshare we're all hoping for.
Karma: Dyn-o-mite!(mostly affected by Jimmy Walker reading your comments)
There are reasons for them pushing it. Mostly the same as for supermarkets pushing loyalty cards, spammers harvesting addresses off lists, AOL pushing Netscape for Lindows. It is all about vertical marketing/selling and market share. They want to know who you buy what from how often, so they can know what to tempt you with next.
This is too early to give in to Microsoft. As neither version has any significant market advantage yet it is not good to make the systems one-way compatible. This only makes it easier for customers to move to .Net, not the other way around.
The priority must be to compete with .Net, not to become the little brother of it. There are a number of points that need to be equally good/better than .Net:
1. Ease of use (both user-wise and coder-wise).
2. Security and user control of information
3. User base (on both sides again).
The first point is the reason of the project from the start and must be maintained.
The second point is the advantage: no-one can reach me, and no-one can reach the customer records of a competing company without authorization. Not only geek users should be afraid of giving too much info away; the companies utilizing these platforms must also be aware and protect their customer bases.
The third point is probably the pass/fail issue of the entire project. It must get adopted, from the average user and by the service providing companies.
Looks to me like Microsoft is getting far more than LAP out of this deal:
Hotmail will still tell you to get a Passport logon, no-one will tell you to get a liberty alliance logon. So MS still gets the majority of the customers.
Added to this, MS gets your information free from liberty alliance, so the obsessive geeks who just had to go with the minority service are still giving all their information to MS, so they get marketing info for even more people, basically at no cost to them.
Whereas liberty alliance gets.. nothing really. Maybe some people who wouldn't otherwise sign up will now that their logon works with Hotmail. But not many. Out of the 1% of the population that knows Liberty Alliance exists, 50% won't be signing up for either system if they can avoid it, because they understand the stupidity of the idea security-wise, and 90% of the people who do are signing up just because they don't like MS, so the added ability to use Hotmail is not going to make any difference.
" ... this option [interoperability] could be part of a 1.1 specification ... "
kinda sounds like a w3c statement about a new standard protocol or language. amazing how ballmer & co. said this would "have little chance of mattering". gee, looks like it matters now. big banks, all the major credit companies, several of the web's biggest commerce fronts - i'd call that a strong base of interest and support for Liberty.
maybe they need a 3rd party to mediate so everyone plays nice for a while
when it rains, it gets real soggy. when it pours, i'm under the tap just _waiting_ for the joy
I wonder if this will lead to the same type of issues the IM scene has: Microsoft releases a new version/update of Passport which just happens to break Liberty Alliance stuff. LA, in retaliation, prevents Passport users from gaining access to LA sites.
:)
Repeat until single sign-on becomes an even bigger joke.
In the past, Passport has been shown to have zero security. See the Wired News article, Stealing MS Passport's Wallet.
On August 8, 2002, the U.S. Government's Federal Trade Commission (FTC) ordered Microsoft to stop lying about its Passport service. The FTC's order is titled Microsoft Settles FTC Charges Alleging False Security and Privacy Promises.
From: Windows XP Shows the Direction Microsoft is Going.
2) Even if they did decide to co-operate, it'd largely be meaningless. There are so few websites using Passport the list can fit into less than a screenful.
3) Even if this wasn't a problem, making Passport interoperate with anything would be a major technical headache. It simply wasn't designed for that at all. It's centralised so badly it'd need to be ripped apart and rebuilt to allow for "federation". Notice how that "using Kerberos to open it up" idea seems to have faded away? That's because Kerby was never meant for that anyway, and because it's extremely hard to open up Passport.
4) Passport is growing at a snail's pace, with good reason. The gain you get from it is small (often the user needs to give a password anyway, regardless of whether they use Passport or not) and the cost is huge, both in developer time and various costs involved in working with Microsoft.
"Hey, we let your guys in, why won't you let ours in? MONOPOLISTS!"
Not that I don't think that this should work, but still.. I think it is just a tactic here.
Never hit your grandmother with a shovel, for it leaves a bad impression on her mind...
I would hate to wake one morning and get an email from Microsoft saying "sorry, someone hacked Passport and stole 100K user accounts including everyone's credit card info."
This is flamebait, yes? That or you've forgotten where you're posting to ;) That said, I'll bite:
"Passport was never for profit" - perhaps not directly, but it's part of a wider business strategy which is exploitative and dependent on MS 'owning' lots of information about users, so really it *is* for profit, just indirectly.
"the American way..." well, being from Scotland I can't say about that, but since MS aren't just 'trashed' in the States I think you're off base there...
back on-topic this seems like another great reason *not* to use one of these dumbass centralised passwords.
If you *really* can't manage holding all those bits of information in your own head (which is after all the only really secure approach), at least have the sense to keep control of where they're kept and use something like Mac OS's 'keychain'. As with anything else, if you *must* store information all in one place, do it in your own home/business and on your own system; it's not like that's difficult...
A chain is only as strong as its weakest link. This may be good for garnering general acceptance, but for those of us who are looking for a complete alternative to Passport, is it really a good idea?
I'm a writer, a poet, a genius, I know it. I don't buy software, I grow it.
http://www.liberty.edu/
It's good to see that you have upgraded your version to reflect that he's now 55 and not 54 and dead. It's amazing to see dead men age.
I think single-sign-on is more secure than using a keychain because:
- the keychain ends up holding a whack of stuff.
- it's easier to attack the keychain physically than a service provided by a trusted third party.
And no-one can keep track of more than a few high-entropy passwords. Most people have much less security by not using single-sign-on because their passwords are all the same or similar.
Depending on how this is done, it can be a good thing. The point is to have the greatest possible interoperability, without compromising the security of your personal information. The real critical issue in all of this is who (or more to the point, whose code) controls my private information. Even if the data is stored on a server, that's ok if it is encrypted and the private key is safely protected on my local machine under security protocols that I can control (choose). The private data can be held on any number of servers, and sent back to my local machine for parcelling out as required. Authentication shouldn't require sending out private data, but rather challenge/response that can only be correct if I possess the proper keys.
Passport must be made open to third party scrutiny if they want to play with everyone else. Industry standards are that they must publish their design and code for open third party review and analysis. I personally would not accept less, and would be shirking my professional responsibilities not to advise this to anyone I do work for. I assume they have not done so, nor do they plan to. I would also expect the Liberty Alliance to have a similar standard to mine, and if not I wouldn't advise anyone to use that either.
The logic of symmetric and asymmetric key systems isn't that deep, although there can be a lot of hazards in the implementation. The only good solution to this is lots of eyes, and all responsible professionals should insist on it.
But personally, I agree with what another Slashdot reader said: it's the browser's job to look after a user's password. A single username and password for all your sites is absolutely retarded security-wise.
Well, not the browser itself, but an independent security module that can be accessed by the browser and any other program that needs to. Having one or many user names isn't really the issue, and the only password needed should be to open up your locally stored private key chain.
That puts all the load on protecting that private key chain, and anything you can do to secure that information is a good thing. Single point of failure isn't the issue that people make it out to be. The issue is keeping the most sensitive data, the private keys that can open up everything, private. Opening them up in the memory of your PC is better than trusting that function to a third party, but better is to never expose the private keys.
One cool job I had was for a company trying to market a secure messaging system. They went belly up before the dotcom crash, but the technology was very cool. It was a message hub system with key escrow and the works. The actual message processing was done by a purpose-built box that had no disks or permanent storage, just a network connection. The keys were stored in PCMCIA cards that had processors and non-volatile storage, and only half of the key was stored on each card. The only place you would ever have private or session keys in clear text was on the closed box or half of one inside the PCMCIA cards.
The point is that it might be good to have a sub-processor that can do things with the private keys, but never have them in clear text outside of that. This could be done with the kind of physical tokens that some people have suggested when single sign on came up before. Although some will find this excessive, I think it is a good idea.
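The two posts above describe the same design from two ends: a relying party that authenticates by challenge/response rather than by receiving any secret, and a local "security module" that owns the private key and only ever hands out signatures. The following Go program is an added illustration of that split, not code from any poster or from the Liberty or Passport projects. The `Vault` and `RelyingParty` types, the user and site names, and the message framing are all constructed for the example; Ed25519 from Go's standard library stands in for whatever key system such a module would actually use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Vault plays the poster's "independent security module" (hypothetical type
// for this example): it owns the private key and exposes only Sign, so no
// caller, not even the browser, ever sees the key in clear text.
type Vault struct {
	priv ed25519.PrivateKey
}

func NewVault() (*Vault, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Vault{priv: priv}, nil
}

// PublicKey is the only key material that leaves the vault; it is what a
// site registers instead of a password.
func (v *Vault) PublicKey() ed25519.PublicKey {
	return v.priv.Public().(ed25519.PublicKey)
}

// Sign answers a challenge. The site name is folded into the signed message
// so a response minted for one site cannot be replayed at another.
func (v *Vault) Sign(site string, nonce []byte) []byte {
	return ed25519.Sign(v.priv, challengeBytes(site, nonce))
}

// challengeBytes is the constructed framing: a fixed label, the site name,
// and the nonce, separated by NUL so the fields cannot run together.
func challengeBytes(site string, nonce []byte) []byte {
	msg := []byte("sso-challenge-example-v1\x00" + site + "\x00")
	return append(msg, nonce...)
}

// RelyingParty is a site that holds registered public keys and outstanding
// challenges. It never receives a password or a private key.
type RelyingParty struct {
	name    string
	pubKeys map[string]ed25519.PublicKey
	pending map[string][]byte // one live nonce per user
}

func NewRelyingParty(name string) *RelyingParty {
	return &RelyingParty{
		name:    name,
		pubKeys: make(map[string]ed25519.PublicKey),
		pending: make(map[string][]byte),
	}
}

func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) {
	rp.pubKeys[user] = pub
}

// Challenge issues a fresh random nonce for a known user.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	rp.pending[user] = nonce
	return nonce, nil
}

// Verify checks the response against the pending nonce and consumes it, so
// a captured response is useless a second time.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	nonce, ok := rp.pending[user]
	if !ok {
		return false
	}
	delete(rp.pending, user)
	return ed25519.Verify(rp.pubKeys[user], challengeBytes(rp.name, nonce), sig)
}

func main() {
	vault, err := NewVault()
	if err != nil {
		panic(err)
	}
	bank := NewRelyingParty("bank.example") // constructed site name
	bank.Register("alice", vault.PublicKey())

	nonce, _ := bank.Challenge("alice")
	sig := vault.Sign("bank.example", nonce)
	fmt.Println("first response accepted:", bank.Verify("alice", sig))
	fmt.Println("replayed response accepted:", bank.Verify("alice", sig))
}
```

The point the posters make is visible in the types: `RelyingParty` has nowhere to store a secret, and `Vault` has no method that returns `priv`. A third party running the site (or a breach of it) yields public keys only.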
The name of each authentication effort implies that we'll be gaining some type of "freedom" in handling our online commerce affairs. But isn't this just bringing us one step closer to Larry Ellison's vision of user profiling on a nationwide -- perhaps even global -- scale?
In addition, there's no way I trust what a corporation is going to do with my data, given the ease with which privacy statements are altered. Maybe if I lived in the European Union, I might feel better about it -- those guys seem to take privacy seriously, even if their networks aren't as built-up as those in the US -- but I simply don't trust American Big Business at all these days.
Wasn't this supposed to be a feature (or even the point of?) of Novell 4.x NDS? (I could be wrong. Again.)
... on http://developer.java.sun.com/developer/codesamples/liberty.html
From PingID
All Rights Reversed.
I wonder why they use Windows 2000 and IIS? I thought Sun was the founder of this project.
I was at SunNetwork last week. They had a demo of Liberty in one of the Keynotes. As the demo went on, my stomach turned and I blanched.
Instead of Microsoft holding your balls, Sony will.
Feel better now?
Clearly there's a whole whack of MANAGERS and BUSINESS TYPES at Sun and in the Alliance who are simply putting together their own version of Passport, which allows the corporation who sets up the given "circle of trust" between interacting corporations to hold the bag. Guess who's likely to be holding the bag? Whoever has the most clout. In the demo, it was Sony.
It's *not* a bunch of techies doing the right thing. Somehow we've all been conned into "oh it's not Microsoft and so it's less evil".
Bullshit.
With this new interoperability I can refuse to use either of them interchangeably!
-- You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
What happened to all those people who were slamming single sign-on a few days ago?
Yes, a single point of authentication is easier to manage (for the user) and more secure in some implementations.
This is not one of them.
By forcing users to store their "identity" information with a central provider, you have immediately destroyed any benefits you might have gained from a single login. The only way a single login system will be (somewhat) secure is if the user controls that single identity.
You may argue that the Liberty Alliance specs allow for a decentralized system. In theory, that's true, but in practice, there is no way the system will be decentralized.
The Liberty Alliance, and all similar plans for that matter, depend on a very ugly non-automated system of trust among identity providers. The result is that only a few large identity providers (Microsoft, Verisign, Thawte, etc.) will ever be accepted as "legitimate." Using any other will cause your identity to appear as "invalid or expired" in all daily transactions.
Why would I give Microsoft the password for my doctor's or stock trading website when I won't give my own family members the root password to my computer?
While I may trust Liberty Alliance more than Microsoft, I still would prefer to manage my passwords myself. Single sign on just provides a single point of attack.
This space intentionally left blank.
You forgot your tags.
(Or you forgot that slash would eat them if unescaped.)
-- Alastair
Why do we need the whole concept of Passport. It's a broken idea to be giving this kind of data to a third party -- any third party.
... WHY DOES THIS HAVE TO BE CENTRALIZED?
Would you give just any Microsoft employee your bank card PIN?
Good lord.
Now, Mozilla has a file where you can keep form data, including passwords. When you hit the page, the fields are filled for you.
That does the job for anyone sitting at "their" PC.
If you move about, then all they have to provide is some serverish sort of thing whereby Mozilla can query/update that file on your PC, or a server of your choice, from wherever you are working. All kept fairly secret using PKI/gpg.
Now all you have to do is worry about the level of trust you have in the owner of the version of Mozilla you're using. They may hack Mozilla to record your data, but I'd rather take that risk than hand it over to N employees at Microsoft.
You could go further and create a web site security standard other than a simple password. It would offer a public key meta field; then Mozilla could query YOUR server to get a cert that contained an encrypted password to be handed over.
The point is
Easy solution: Make every AOL/AIM screename the default Liberty logon.
AOL is part of the Liberty Alliance.
Yeah, let's hear it for the Liberty Alliance! You know, because I always associate "liberty" with "centralization of power and resources," as opposed to "distribution of power so that people may have more control over their destinies." 'Cause, you know, that would suck.
(My weapon is the razor-sharp sting of sarcasm!)
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
I don't like the idea of my passwords being stored anywhere, except in my wetware. That said, I think local storage of passwords (e.g. the password managers built into some major browsers) is a good solution for many users. Many people who would use a tool to remember their passwords don't need to access the same service from different computers anyway, and for those who do there's always networked filesystems. (roaming profiles, etc.) Of course there's a way around it for smart people, and the clueless don't have a clue of the badness of Passport (doh).
Please correct me if I got my facts wrong.
Does someone (the dotGnu project, perhaps) have a big matrix of all SSI proposals, both open and closed? Since I came up with my own, TJAIS or DGAIS (since AIS is completely useless as a searchable term due to noise from AI), about a year ago, I can't stop myself from mentioning it as if it has any hope at all of getting mindshare (what? David Nicol? That crank? Isn't he a DJB sock puppet or something?) in the free SSI protocol space.
Seriously, looking at theoretic.com gives links to PingID. Way to hold back, IamTheRealMike! I lack your fortitude. AIS description, such as it is, hangs off of http://pay2send.com/cgi/ais/about
AIS is a protocol for exporting an SSI domain (any kind) to remote web services, passing messages via both the user, by Location headers, and a back-channel between the remote service and the AIS service.
There are a few defined primitives, and room to expand.
It is offered as a standards-track proposal.
david nicol (hurried and working on other things)
"For that matter, compare your pocket computer with the massive jobs of a thousand years ago. Why not, then, the last step of doing away with computers altogether?"
-- Jehan Shuman
- this post brought to you by the Automated Last Post Generator...