Slashdot Mirror


Liberty Alliance Plans Passport Interoperability

EvanDelay writes "The Liberty Alliance Project, which is developing Web technology to facilitate single sign-on authentication, plans to support interoperability between its system and Microsoft Corp.'s rival Passport system. Computerworld has the story."

6 of 81 comments

  1. Timing and Priorities by e8johan · Score: 4, Insightful

    This is too early to give in to Microsoft. As neither version has any significant market advantage yet, it is not good to make the systems one-way compatible. This only makes it easier for customers to move to .Net, not the other way around.

    The priority must be to compete with .Net, not to become the little brother of it. There are a number of points that need to be equally good/better than .Net:

    1. Ease of use (both user-wise and coder-wise).
    2. Security and user control of information
    3. User base (on both sides again).

    The first point is the reason for the project from the start and must be maintained.
    The second point is the advantage: no-one can reach me, and no-one can reach the customer records of a competing company without authorization. Not only geek users should be afraid of giving too much info away; the companies utilizing these platforms must also be aware and protect their customer bases.
    The third point is probably the pass/fail issue of the entire project. It must get adopted, from the average user and by the service providing companies.

    1. Re:Timing and Priorities by Cloud 9 · Score: 3, Insightful
      As neither version has any significant market advantage yet

      Wrong, amigo. Ever sign up for a Hotmail account? You were automatically signed up for Passport as well.
      In other words, for the Liberty Alliance, the fight was pretty much over before it began.

      --
      Karma: Dyn-o-mite! (mostly affected by Jimmy Walker reading your comments)
  2. Here's an idea by Peter Lake · Score: 2, Insightful
    How about a decentralized, open system which puts the user in control of her identity:

    From PingID

    Ping Identity exists because we believe that digital identity systems need to first uphold the rights of the identity holder. We exist because market momentum and existing approaches lack the fundamental attributes required to ensure our personal freedoms, choice, privacy and control. We exist because something as personally important to our future ability to communicate, interact and transact in a digital world must never come under the control of single entity, government or corporation.
    --

    All Rights Reversed.
  3. Re:DO we want that? by AJWM · Score: 3, Insightful

    There is this fantastically common misconception that centralising your various digital identities will somehow decrease security. Not true!

    Absolutely true. The annals of computer crime are full of cases where crackers have accessed systems B, C, D and E by harvesting passwords from system A and users re-used the same password on those other systems. Now true, if those other systems had some other gaping hole that would let them be compromised without a password, then in some theoretical absolute sense the security isn't any less because of the shared password (since there was no real security to start with), but such holes are bugs and fixable by the sysadmin, whereas shared passwords are not.

    Single sign-on, whether Passport or Liberty Alliance, seems like a disaster waiting to happen, although if properly designed and correctly implemented (bloody big "if"), it'd be safer than multiple sign-ons all using the same password (because the latter gives multiple points of attack). But it's also painting a huge target and sign on itself that says "crack me!". And it's still less-safe than multiple sign-on with different passwords. (Think about it -- if you're a big-time crook (or terrorist, etc), do you go for the high-stakes bank job, or just stick up a string of 7-11s? It all comes down to effort vs payoff.)

    --
    -- Alastair
  4. Trust is the bottom line by kbielefe · Score: 3, Insightful

    Why would I give Microsoft the password for my doctor's or stock trading website when I won't give my own family members the root password to my computer?

    While I may trust Liberty Alliance more than Microsoft, I still would prefer to manage my passwords myself. Single sign on just provides a single point of attack.

    --
    This space intentionally left blank.
  5. Mozilla already has a base to work from. by Anonymous Coward · Score: 1, Insightful

    Why do we need the whole concept of Passport? It's a broken idea to be giving this kind of data to a third party -- any third party.

    Would you give just any Microsoft employee your bank card PIN?

    Good lord.

    Now, Mozilla has a file where you can keep form data, including passwords. When you hit the page, the fields are filled for you.

    That does the job for anyone sitting at "their" PC.

    If you move about, then all they have to provide is some serverish sort of thing whereby Mozilla can query/update that file on your PC, or a server of your choice, from wherever you are working. All kept fairly secret using PKI/gpg.

    Now all you have to do is worry about the level of trust you have in the owner of the version of Mozilla you're using. They may hack Mozilla to record your data, but I'd rather take that risk than hand it over to N employees at Microsoft.

    You could go further and create a web site security standard other than a simple password. It would offer a public key meta field, then Mozilla could query YOUR server to get a cert that contained an encrypted password to be handed over.

    The point is ... WHY DOES THIS HAVE TO BE CENTRALIZED?