Slashdot Mirror
Liberty Alliance Having Problems
torre writes "This article would suggest that there seems to be some chaos in the Liberty Alliance fight against Passport. Between Sun's Jonathan Schwartz claiming defeat to Microsoft as it has the market tightly controlled with the help of windows to Novell's Justin Taylor who says that Microsoft's Passport has got nothing to offer when it comes to the enterprise. Should be interesting to see how things pan out."
Related news:
AOL Pulls Rug From Under 'Magic Carpet'
Kriston
This article seems to have written in a deliberately misleading manner from a few out of context quotes. They put words in a Sun executives mouth (as far as I can see nobody has "conceded defeat") and then makes out that there is a rift because others haven't "conceded defeat".
One of the thing the Sun guy says is "I don't think it will be very long before we have a pervasive non-Microsoft client". That doesn't sound like conceding defeat to me.
However, it is a valid point that Passport has been a major failure up until now (tens of millions of forced signups and nothing substantive to show for it) and even with monopolistic momentum, a few new major Passport security failures could make a serious, well supported competitor that much more attractive.
Well? Is your company going to take the pay-off or are you going to stay with FreeBSD?
I think you have mistaken this AC for someone who writes his own comments.
Microsoft added a fake left curling single-quote to most of it's fonts about ten years ago. Toy 'desktop' systems like Word, MS Publisher, BOB use these quotes in order to look 'cool'.
Standards-based browsers: Netscape, Mozilla, Konqueror, Opera don't nesesarily display this non-standard 'quote' the way IE does. They default to showing a question mark when confronted with theis non-standard quote.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
It will be a while before anyone picks up this hot potato again. Until then, single sign-on is dead.
"Any time you use any Microsoft technology, you HAVE to sign-up for a passport license."
Not true. I've got people in my office today who have laptops running Windows XP. They are *not* forced to sign up for Passport. Let me repeat: They are not forced to sign up for Passport.
When you do need (note: I didn't say forced) to sign up for Passport is when you use their IM stuff. That is a choice you can make. It's a choice you make when you sign up for Hotmail. There's no forcing going on.
And no, Paypal doesn't require a Passport to sign up. I have no idea where you conjured up that idea.
go visit the register
thank God the internet isn't a human right.
I played Asheron's Call (online RPG published by Microsoft) for about 2 years. Then one day, poof, you can't log on to play the game without Passport. I guess you could argue that I didn't have to play that game, but after a 2 year investment... Personally, I'd call that an example of being forced to sign up for passport. It actually adds a step in the logon process, slowing things down for me.
I think Apple's Keychain is a good answer to this, especially if they could rig up iSync to sync Keychains between different computers. (The Keychain is an encrypted file that contains all your passwords, and can be moved from one computer to another.) Chimera (and any other program that wants to add the support) can store/retrieve passwords to/from the Keychain. All you need to know is the one password to unlock the Keychain. Right now, you have to manually copy the Keychain file between computers, but you could put it on any online storage you have available - no need for Microsoft in the loop at all.
Funnily enough, I heard about this article prior to its publication. So, we asked Jonathon via a contact at Sun whether this was indeed what he said, and the answer was "No - I asked Jonathon and he said that he didn't say that, and that he'd *never* say anything that even hinted that Sun conceded any segment of the marketplace to MS."
As someone "close to the Alliance", I should mention that the basic premise of the article is simply incorrect. The Liberty Alliance is about defining open standards (there's that open word - means it ought to run on any platform, including Windows); whereas Passport is a service operated by MS. Chalk & Cheese.
I wrote most of the SAML specs which are the basis of the Liberty design. I really wish that people would stop trying to define the problem as one company bashing another.
I have absolutely no interest in the issue of whether Sun can stop Microsoft or Microsoft can stop Sun. I have been trying to deploy global authentication schemes for ten years now, I believe that the problem is sufficiently hard that it is not going to be solve by any party that makes its primary objective the defeat of another party.
First off lets recognize that companies working together can be a good thing for the consumer and can also be a bad thing. It is good when stuff works together, it is bad when working together effectively means a cartel.
I don't fault Microsoft for using their deployed base to build the user base for passport. After all AOL did the same thing by buying up rival instant messaging services.
What I do not see is how any party can reasonably expect the idea of global authentication to turn into some sort of monopoly. The competative forces involved are just too great.
Consider the problem of getting access to my frequent flyer plan at United. It would be pretty handy if I could simply log on to United transparently through my browser without having the browser store lots of personal data on my machine that could itself be a security vulnerability. On the other hand I don't see United paying anyone $10 per year for the privillege of offering this facility or anything like it.
Now consider what happens if we have 50 single sign on schemes, I don't see any advantage over having separate log ins.
So there has to be a critical mass for any of these schemes to be worthwhile, there has to be a reasonable cost structure and there has to be confidence that the operators of the scheme will not impose new costs or hidden restrictions at a future date.
I think that there is a value here but I think that both Liberty and Passport need to be radically rethunk before either can achieve the stated goals.
Before that happens however I think that there has to be a political realignment. In particular I think we need to get Liberty to stop promoting itself as a 'stop Microsoft' scheme and we need Passport and Liberty to agree to some form of convergence in the same way that Visa and Mastercard converged.
Specifically we should adopt SAML as the underlying architecture for global authentication. The ability to carry kerberos tickets and passport credentials is already designed into the SAML specs.
Once there is agreement on a technology base Liberty and Passport would both evolve into federated authentication brands in the same way that Mastercard and Visa have. There would be a strong assumption that merchants and web sites would support both brands rather than expecting consumers to cope with both sets of credentials.
Finally we need to work out who is going to actually pay for such a system to be established. Charging end users is really hard, charging merchants cuts out sites like slashdot. Where is the compelling value proposition? I believe that there is one to be found but we have not got there yet.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/