Slashdot Mirror


Liberty Alliance Plans Passport Interoperability

EvanDelay writes "The Liberty Alliance Project, which is developing Web technology to facilitate single sign-on authentication, plans to support interoperability between its system and Microsoft Corp.'s rival Passport system. Computerworld has the story."

7 of 81 comments

  1. DO we want that? by nervlord1 · Score: 1, Interesting

    Do we really WANT that? Seriously, the whole point (at least for me) with this project was that my data was miles away from the non-security-conscious Microsoft. That I could pick the lesser of two evils.

    It would be best if it gave me an option.

    But personally, I agree with what another Slashdot reader said: it's the browser's job to look after a user's password. A single username and password for all your sites is absolutely retarded security-wise.

    --
    Microsoft IIS is to webserving as KFC is to healthy eating
    1. Re:DO we want that? by IamTheRealMike · Score: 5, Interesting
      But personally, I agree with what another Slashdot reader said: it's the browser's job to look after a user's password. A single username and password for all your sites is absolutely retarded security-wise.

      No, it's extremely smart security-wise. Now, for all I know you may be the paragon of good security practice, but most people are not. In fact, most people, faced with a morass of passwords for various different services, do something that is extremely bad and set all their passwords to the same thing. I've done this, for instance, because it's either that or write down all my passwords (which of course some people do) and keep them on my computer, which means I cannot access any services when I don't have that list.

      There is this fantastically common misconception that centralising your various digital identities will somehow decrease security. Not true! There's a reason most of us have 1 (perhaps 2) personal email accounts. We don't have 100 email accounts with different user names and passwords because the truly minor increase in security that would bring is nowhere near worth the major increase in hassle.

      Single sign-on is coming, people, and when it arrives not only will 95% of the computer-using population be more secure because of it, but computers will be dramatically easier to use as well.

      I've read the Liberty specs in more detail than most of the people here on Slashdot, I'd bet, as I'm working on a server that contains an (open source) implementation of them. No, it's not released yet, perhaps in a few months. But believe me, the LA specs are not scary, they will not force you to tell the government what your favourite colour is, they will not take your first-born child. They will make your life easier.

    2. Re:DO we want that? by Anonymous Coward · Score: 0, Interesting


      Here's a technique for creating good passwords,
      that are different for each site, and still
      memorable:

      Find a phrase or sentence that has some meaning
      to you, that you can *memorize*. As an example
      'we have nothing to fear but fear itself'.
      If you need a password for a web site choose
      one letter from each word and use them as your
      password. At web site #1 I chose to use the
      first letter of each word:

      'we have nothing to fear but fear itself'

      The first letter of each word capitalized:
      'We Have Nothing To Fear But Fear Itself'

      Yields a password of
      'WHNTFBFI'

      At web site #2 you need a password, but you
      want it to be different. So you choose the
      second letter of each word:

      'we have nothing to fear but fear itself'

      'wE hAve nOthing tO fEar bUt fEar iTself'

      Yields a password of
      'EAOOEUET'

      If the word in your phrase is too short then
      substitute a number or letter, or just leave it
      out.
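
The letter-picking scheme from the comment above, as an added example that is not part of the original thread. It reproduces the two passwords given there and also lists every password one phrase can yield, plus the entropy ceiling of the result; the function names are assumptions made for this illustration.

```python
import math

# Phrase used in the comment above.
PHRASE = "we have nothing to fear but fear itself"


def derive(phrase, position, filler=None):
    """Take the position-th letter (1-based) of each word, upper-cased.

    Words shorter than `position` are left out, or replaced by `filler`
    when one is given (the comment allows either choice).
    """
    out = []
    for word in phrase.split():
        if len(word) >= position:
            out.append(word[position - 1].upper())
        elif filler is not None:
            out.append(filler)
    return "".join(out)


def all_derivations(phrase):
    """Every password the scheme can produce from one phrase (no filler).

    The only per-site secret is the letter position, so the list is never
    longer than the longest word in the phrase.
    """
    longest = max(len(word) for word in phrase.split())
    return [derive(phrase, p) for p in range(1, longest + 1)]


def upper_bound_bits(password, alphabet=26):
    """Entropy ceiling in bits if every character were uniformly random.

    Letters taken from English words are not uniform, so the real figure
    is lower than this bound.
    """
    return len(password) * math.log2(alphabet)


if __name__ == "__main__":
    for site, pw in enumerate(all_derivations(PHRASE), start=1):
        print(f"position {site}: {pw:<10} <= {upper_bound_bits(pw):.1f} bits")
    print("with filler:", derive(PHRASE, 3, filler="0"))
```
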

    3. Re:DO we want that? by IamTheRealMike · Score: 3, Interesting
      Single sign-on, whether Passport or Liberty Alliance, seems like a disaster waiting to happen, although if properly designed and correctly implemented (bloody big "if"), it'd be safer than multiple sign-ons all using the same password (because the latter gives multiple points of attack). But it's also painting a huge target and sign on itself that says "crack me!".

      Possibly, but bear in mind if you break into somebody's email account you can usually compromise most of their web passwords anyway, as almost all sites have an "email me my password" feature. In effect, your email account is your digital identity, as it holds the keys to all your other passwords too. So that's also a pretty big target in a way, yet email break-ins are fairly rare - possibly because people recognise its importance and choose good passwords?

  2. Nice for us. by miffo.swe · Score: 4, Interesting

    I really hope it will work with Linux. If it does we will have a free ride onto Passport-only sites. I can't imagine MS letting off a Passport client for Linux by themselves (or anyone using it for that matter).

    --
    HTTP/1.1 400
  3. Good for MS's bank balance by james_underscore · Score: 2, Interesting

    Looks to me like Microsoft is getting far more than LAP out of this deal:

    Hotmail will still tell you to get a Passport logon, no-one will tell you to get a Liberty Alliance logon. So MS still gets the majority of the customers.

    Added to this, MS gets your information free from Liberty Alliance, so the obsessive geeks who just had to go with the minority service are still giving all their information to MS, so they get marketing info for even more people, basically at no cost to them.

    Whereas Liberty Alliance gets... nothing really. Maybe some people who wouldn't otherwise sign up will now that their logon works with Hotmail. But not many. Out of the 1% of the population that knows Liberty Alliance exists, 50% won't be signing up for either system if they can avoid it, because they understand the stupidity of the idea security-wise, and 90% of the people who do are signing up just because they don't like MS, so the added ability to use Hotmail is not going to make any difference.

  4. Re:Last nail indeed... by Gerry Gleason · Score: 2, Interesting

    1) They have a single platform they can use to push their services from

    Correct me if I'm wrong, but isn't the important part of this platform on the server, not the client? MS is still losing on the server, so if the LA supports Passport clients in their server implementations, the game is up. MS clients such as IE are not likely to support LA client protocols, but so what? They will still be able to connect to all servers. More open clients can support both, but are only likely to do this if they can trust the Passport implementations.

    So MS has three choices:
    1) Don't play (no non-MS client or server implementations of Passport allowed, I take no MS implementation of LA to be a given).
    2) Allow other clients (no non-MS servers).
    3) Allow other servers (no non-MS clients).

    In 1), if you use MS clients, you will only function with MS servers (.NET platform). This is a lose for them since they don't have much market penetration in the server side.

    With 2), only MS clients would be disadvantaged, unless they added LA support to their clients (won't happen).

    Case 3) would be interesting because all clients would be able to play with open servers, but only clients that adopt Passport will be able to access .NET servers (I'm assuming MS server == .NET server until they abandon that for something new). This situation could persist for a while since non-MS clients and MS servers are likely to be the minorities for some time. It can't be helpful in selling .NET to a wider audience.

    I almost forgot that there is a fourth case, but MS is not going to play nice, so that won't happen anyway.