Slashdot Mirror

← Back to Stories (view on slashdot.org)

Liberty Alliance Plans Passport Interoperability

Posted by ryuzaki0 on from the last-nail-in-that-coffin dept.

EvanDelay writes "The Liberty Alliance Project, which is developing Web technology to facilitate single sign-on authentication, plans to support interoperability between its system and Microsoft Corp.'s rival Passport system. Computerworld has the story."

25 of 81 comments (clear)

  1. On a related note by __aahlyu4518 · · Score: 2

    They've changed their name to "The Alliance Project"

  2. So long as I can control it by grahamsz · · Score: 2

    I dont mind having the *choice* to let MS have some of my personal data.

    Interoperability is great if it increases choice - although I hope that we'll also have the choice not to interoperate.

  3. Nice for us. by miffo.swe · · Score: 4, Interesting

    I really hope it will work with linux. If it does we will have a free ride onto passport-only sites. I cant imagine MS letting off a passport client for linux by themselves (or anyone using it for that matter).

    --
    HTTP/1.1 400
    1. Re:Nice for us. by IamTheRealMike · · Score: 2
      I really hope it will work with linux. If it does we will have a free ride onto passport-only sites.

      I don't understand. Passport is browser neutral, you can access it with Mozilla on Linux for instance.

    2. Re:Nice for us. by cscx · · Score: 2

      You're misinformed. When you login to Hotmail you log into passport. Are you saying you can't log into hotmail from Linux? I think not.

  4. Last nail indeed... by Cloud+9 · · Score: 2
    from the last-nail-in-that-coffin dept.

    Sure, it's probably the last nail, but for which service? As much as the majority of the userbase hates MS, it doesn't really change these two simple facts:

    1) They have a single platform they can use to push their services from
    2) They have a Scrooge MacDuck style bank-vault to dip into whenever they start to feel the sting of competition. Interoperability with Passport is only going to force Liberty into anonymity, not give it the huge marketshare we're all hoping for.

    --
    Karma: Dyn-o-mite!(mostly affected by Jimmy Walker reading your comments)
    1. Re:Last nail indeed... by Gerry+Gleason · · Score: 2, Interesting

      1) They have a single platform they can use to push their services from

      Correct me if I'm wrong, but isn't the important part of this platform on the server, not the client? MS is still losing on the server, so if the LA supports passport clients in their server implementations, the game is up. MS clients such as IE are not likely to support LA client protocols, but so what? They will still be able to connect to all servers. More open clients can support both, but are only likely to do this if they can trust the passport implementations.

      So MS has three choices:
      1) Don't play (no non-MS client or server implementations of Passport allowed, I take no MS implementation of LA to be a given).
      2) Allow other clients (no non-MS servers).
      3) Allow other servers (no non-MS clients).

      In 1), if you use MS clients, you will only function with MS servers (.NET platform). This is a lose for them since they don't have much market penetration in the server side.

      With 2), only MS clients would be disadvantaged, unless they added LA support to their clients (won't happen).

      Case 3) would be interesting because all clients would be able to play with open servers, but only clients that adopt passport will be able to access .NET servers (I'm assuming MS server == .NET server until they abandon that for something new). This situation could persist for a while since non-MS clients and MS servers are likely to be the minorities for some time. It can't be helpful in selling .NET to a wider audience.

      I almost forgot that there is a forth case, but MS is not going to play nice, so that won't happen anyway.

  5. Timing and Priorities by e8johan · · Score: 4, Insightful

    This is too early to give in to Microsoft. As neither version has any significant market advantage yet it is not good to make the systems one-way compatible. This only makes it easier for customers to move to .Net, not the otherway around.

    The priority must be to compete with .Net, not to become the little brother of it. There are a number of points that need to be equally good/better than .Net:

    1. Ease of use (both user-wise and coder-wise).
    2. Security and user control of information
    3. User base (on both sides again).

    The first point is the reason of the project from the start and must be maintained.
    The second point is the advantage, no-one can reach me, and on-one can reach the customer-records of a competing company without authorization. Not only geek users should be afraid of giving too much info away, also the companies utilizing these platforms must be aware and protect their customer bases.
    The third point is probably the pass/fail issue of the entire project. It must get adopted, from the average user and by the service providing companies.

    1. Re:Timing and Priorities by Cloud+9 · · Score: 3, Insightful
      As neither version has any significant market advantage yet

      Wrong, amigo. Ever sign up for a Hotmail account? You were automatically signed up for Passport as well.
      In other words, for the Liberty Alliance, the fight was pretty much over before it began.

      --
      Karma: Dyn-o-mite!(mostly affected by Jimmy Walker reading your comments)
    2. Re:Timing and Priorities by pubjames · · Score: 2

      Ever sign up for a Hotmail account? You were automatically signed up for Passport as well.
      In other words, for the Liberty Alliance, the fight was pretty much over before it began.

      But does this really give Passport a huge advantage? The only advantage I can see is that they have got someone to fill in a form, once, and probably with junk.

      The most important thing is surely the websites that sign-up to use Passport/Liberty i.e. Amazon, eBay, the banks etc. To say the fight is over is somewhat defeatist at this early stage. There's still everything to play for.

  6. Good for MS's bank balance by james_underscore · · Score: 2, Interesting

    Looks to me like Microsoft is getting far more than LAP out of this deal:

    Hotmail will still tell you to get a Passport logon, no-one will tell you to get a liberty alliance logon. So MS still gets the majority of the customers.

    Added to this, MS gets your information free from liberty alliance, so the obsessive geeks who just had to go with the minority service are still giving all their information to MS, so they get marketing info for even more people, basically at no cost to them.

    Whereas liberty alliance gets.. nothing really. Maybe some people who wouldn't otherwise sign up will now that their logon works with Hotmail. But not many. Out of the 1% of the population that knows Liberty Alliance exists, 50% won't be signing up for either system if they can avoid it, because they understand the stupidity of the idea security-wise, and 90% of the people who do are signing up just because they don't like MS, so the added ability to use Hotmail is not going to make any difference.

  7. Re:DO we want that? by IamTheRealMike · · Score: 5, Interesting
    But personally, i agree with what another Slashdot reader said: its the browser's job to look after a user's password. a single username and password for all your site's is absolutly retarded security-wise.

    No, it's extremely smart security wise. Now, for all I know you may be the paragon of good security practice, but most people are not. In fact, most people, faced with a morass of passwords for various different services do something that is extremely bad and set all their passwords to the same thing. I've done this, for instance, because it's either that or write down all my passwords (which of course some people do) and keep them on my computer, which means I cannot access any services when I don't have that list.

    There is this fantastically common misconception that centralising your various digital identities will somehow decrease security. Not true! There's a reason most of us have 1 (perhaps 2) personal email accounts. We don't have 100 email accounts with different user names and passwords because the truly minor increase in security that would bring is nowhere near worth the major increase in hassle.

    Single sign on is coming people, and when it arrives not only will 95% of the computer using population be more secure because of it, but computers will be dramatically easier to use as well.

    I've read the liberty specs in more detail than most of the people here on slashdot I'd bet, as I'm working on a server that contains an (open source) implementation of them. No, it's not released yet, perhaps in a few months. But believe me, the LA specs are not scary, they will not force you to tell the government what your favourite colour is, they will not take your first born child. They will make your life easier.

  8. I thought Passport was dead. by Futurepower(R) · · Score: 5, Informative


    In the past, Passport has been shown to have zero security. See the Wired News article, Stealing MS Passport's Wallet.

    On August 8, 2002, the U.S. Government's Federal Trade Commission (FTC) ordered Microsoft to stop lying about its Passport service. The FTC's order is titled Microsoft Settles FTC Charges Alleging False Security and Privacy Promises.

    From: Windows XP Shows the Direction Microsoft is Going.

  9. A few things for people who didn't read it by IamTheRealMike · · Score: 5, Informative
    1) This is merely an offer from the Alliance to Microsoft. MS probably won't take it up.

    2) Even if they did decide to co-operate, it'd largely be meaningless. There are so few websites using Passport the list can fit into less than a screenful.

    3) Even if this wasn't a problem, making Passport interoperate with anything would be a major technical headache. It simply wasn't designed for that at all. It's centralised so badly it'd need to be ripped apart and rebuilt to allow for "federation". Notice how that using Kerberos to open it up idea seems to have faded away? That's because Kerby was never meant for that anyway, and because it's extremely hard to open up Passport.

    4) Passport is growing at a snails pace, with good reason. The gain you get from it is small (often the user needs to give a password anyway, regardless of whether they use passport or not) and the cost is huge, both in developer time and various costs involved in working with Microsoft.

  10. Re:DO we want that? by Salsaman · · Score: 2
    Single signon is a pretty stupid idea. What if I'm signed in, and reading some mail, and then I get up for a coffee. Now, while I'm AFK, somebody else comes along and starts using my browser to go to amazon.com. Since I'm already logged in, they can order a load of stuff on my credit card, and have it delivered to their own address.

    OK, this could happen already because I have an amazon cookie on my system which means I don't need to log in each time. But, I can always remove the cookie and force a sign on the next time I go there. With single sign on you won't have that option, you will always be logged in.

  11. I don't know but I've been told... by los+furtive · · Score: 2

    A chain is only as strong as it's weakest link. This may be good for garnering general acceptance, but for those of us who are looking for a complete alternative to Passport, is it really a good idea?

    --

    I'm a writer, a poet, a genius, I know it. I don't buy software, I grow it.

  12. Re:DO we want that? by MartinG · · Score: 2

    I see your point, but it could be argued that its not the signon system thats stupid - it's the person signing on and then walking away to get coffee.

    --
    -- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz .@adgimnoprstu
  13. Re:DO we want that? by DEBEDb · · Score: 2

    Well, I have separate secure passwords for the few
    services I care about (like my bank, credit
    card, and other stuff); but I would happily
    have a single account for nytimes, slashdot,
    various online fora, and other sites that
    require membership - who really cares?

    --

    Considered harmful.
  14. Here's an idea by Peter+Lake · · Score: 2, Insightful
    How about a decentralized, open system which puts the user in control of her identity:

    From PingID

    Ping Identity exists because we believe that digital identity systems need to first uphold the rights of the identity holder. We exist because market momentum and existing approaches lack the fundamental attributes required to ensure our personal freedoms, choice, privacy and control. We exist because something as personally important to our future ability to communicate, interact and transact in a digital world must never come under the control of single entity, government or corporation.
    --

    All Rights Reversed.
  15. Huh? by jjoyce · · Score: 2

    What happened to all those people who were slamming single sign-on a few days ago?

  16. Re:DO we want that? by AJWM · · Score: 3, Insightful

    There is this fantastically common misconception that centralising your various digital identities will somehow decrease security. Not true!

    Absolutely true. The annals of computer crime are full of cases where crackers have accessed systems B, C, D and E by harvesting passwords from system A and users re-used the same password on those other systems. Now true, if those other systems had some other gaping hole that would let them be compromised without a password, then in some theoretical absolute sense the security isn't any less because of the shared password (since there was no real security to start with), but such holes are bugs and fixable by the sysadmin, whereas shared passwords are not.

    Single sign-on, whether Passport or Liberty Alliance, seems like a disaster waiting to happen, although if properly designed and correctly implemented (bloody big "if"), it'd be safer than multiple sign-ons all using the same password (because the latter gives multiple points of attack). But it's also painting a huge target and sign on itself that says "crack me!". And it's still less-safe than multiple sign-on with different passwords. (Think about it -- if you're a big-time crook (or terrorist, etc), do you go for the high-stakes bank job, or just stick up a string of 7-11s? It all comes down to effort vs payoff.)

    --
    -- Alastair
  17. Trust is the bottom line by kbielefe · · Score: 3, Insightful

    Why would I give Microsoft the password for my doctor's or stock trading website when I won't give my own family members the root password to my computer?

    While I may trust Liberty Alliance more than Microsoft, I still would prefer to manage my passwords myself. Single sign on just provides a single point of attack.

    --
    This space intentionally left blank.
  18. Re:DO we want that? by IamTheRealMike · · Score: 3, Interesting
    Single sign-on, whether Passport or Liberty Alliance, seems like a disaster waiting to happen, although if properly designed and correctly implemented (bloody big "if"), it'd be safer than multiple sign-ons all using the same password (because the latter gives multiple points of attack). But it's also painting a huge target and sign on itself that says "crack me!".

    Possibly, but bear in mind if you break into somebodies email account you can usually compromise most of their web passwords anyway, as almost all sites have an "email me my password feature". In effect, your email account is your digital identity, as it holds the keys to all your other passwords too. So that's also a pretty big target in a way, yet email breakins are fairly rare - possibly because people recognise its importance and choose good passwords?

  19. Irony by Dirtside · · Score: 3, Funny

    Yeah, let's hear it for the Liberty Alliance! You know, because I always associate "liberty" with "centralization of power and resources," as opposed to, "distrbution of power so that people may have more control over their destinies." 'Cause, you know, that would suck.

    (My weapon is the razor-sharp sting of sarcasm!)

    --
    "Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
  20. Re:DO we want that? by schon · · Score: 2

    What if I'm signed in, and reading some mail, and then I get up for a coffee. Now, while I'm AFK, somebody else comes along and starts using my browser to go to amazon.com

    Funny Story:

    A few years ago (1996 or so), a guy at work and I got into a practical joke war.. He got up to get himself cofee, and (as was his habit,) left his email client open.

    I went to an online personals site (new at the time :o), and created an account using his email address - as he was away, I was able to 'OK' the email confirmation on his behalf.. (and then promptly delete it :o)

    Using 'his' new account, I posted an ad in the Gay Encounter section, saying that he was just discovered his sexuality, and asking for someone who would be gentle with him..

    The look on his face when he started recieving photos was priceless.

    Now, he learned a lesson that he never forgot, and it's one that you should know as well - if you have sensitive windows open, close them or lock your workstation when it's unattended.

    Even before single sign-on's were thought of, the scenario you envision is still possible.