Liberty Alliance Plans Passport Interoperability

EvanDelay writes "The Liberty Alliance Project, which is developing Web technology to facilitate single sign-on authentication, plans to support interoperability between its system and Microsoft Corp.'s rival Passport system. Computerworld has the story."

Timing and Priorities

[e8johan]

This is too early to give in to Microsoft. As neither version has any significant market advantage yet it is not good to make the systems one-way compatible. This only makes it easier for customers to move to .Net, not the otherway around.

The priority must be to compete with .Net, not to become the little brother of it. There are a number of points that need to be equally good/better than .Net:

1. Ease of use (both user-wise and coder-wise).
2. Security and user control of information
3. User base (on both sides again).

The first point is the reason of the project from the start and must be maintained.
The second point is the advantage, no-one can reach me, and on-one can reach the customer-records of a competing company without authorization. Not only geek users should be afraid of giving too much info away, also the companies utilizing these platforms must be aware and protect their customer bases.
The third point is probably the pass/fail issue of the entire project. It must get adopted, from the average user and by the service providing companies.

Re:Timing and Priorities

[Cloud+9]

As neither version has any significant market advantage yet

Wrong, amigo. Ever sign up for a Hotmail account? You were automatically signed up for Passport as well.
In other words, for the Liberty Alliance, the fight was pretty much over before it began.

Here's an idea

[Peter+Lake]

How about a decentralized, open system which puts the user in control of her identity:

From PingID

Ping Identity exists because we believe that digital identity systems need to first uphold the rights of the identity holder. We exist because market momentum and existing approaches lack the fundamental attributes required to ensure our personal freedoms, choice, privacy and control. We exist because something as personally important to our future ability to communicate, interact and transact in a digital world must never come under the control of single entity, government or corporation.

Re:DO we want that?

[AJWM]

There is this fantastically common misconception that centralising your various digital identities will somehow decrease security. Not true!

Absolutely true. The annals of computer crime are full of cases where crackers have accessed systems B, C, D and E by harvesting passwords from system A and users re-used the same password on those other systems. Now true, if those other systems had some other gaping hole that would let them be compromised without a password, then in some theoretical absolute sense the security isn't any less because of the shared password (since there was no real security to start with), but such holes are bugs and fixable by the sysadmin, whereas shared passwords are not.

Single sign-on, whether Passport or Liberty Alliance, seems like a disaster waiting to happen, although if properly designed and correctly implemented (bloody big "if"), it'd be safer than multiple sign-ons all using the same password (because the latter gives multiple points of attack). But it's also painting a huge target and sign on itself that says "crack me!". And it's still less-safe than multiple sign-on with different passwords. (Think about it -- if you're a big-time crook (or terrorist, etc), do you go for the high-stakes bank job, or just stick up a string of 7-11s? It all comes down to effort vs payoff.)

Trust is the bottom line

[kbielefe]

Why would I give Microsoft the password for my doctor's or stock trading website when I won't give my own family members the root password to my computer?

While I may trust Liberty Alliance more than Microsoft, I still would prefer to manage my passwords myself. Single sign on just provides a single point of attack.