Liberty Alliance Having Problems
torre writes "This article would suggest that there seems to be some chaos in the Liberty Alliance fight against Passport, ranging from Sun's Jonathan Schwartz, who concedes defeat to Microsoft because it has the market tightly controlled with the help of Windows, to Novell's Justin Taylor, who says that Microsoft's Passport has got nothing to offer when it comes to the enterprise. Should be interesting to see how things pan out."
"The main reasons for choosing Open Source software were:
- Licensing cost for server software
- Openness, i.e. the ability to change software to fit our purpose
- Security & reliability and (last but not least)
- Low hardware requirements.
The fourth reason was very important, as I didn't want to buy any new hardware for the servers and instead wanted to reuse existing old hardware and extend its lifetime by using Open Source server software. We decided to use FreeBSD, Apache, MySQL + PostgreSQL, Perl + PHP.
The company I am working with is a pure-Microsoft company, i.e. they only used to use Microsoft software, and they didn't even know anything about Open Source.
It was a painful but successful transition. But this is not the reason I am writing.
The reason is Microsoft itself. When the local Microsoft rep "heard" (someone inside the company tipped them off), they asked to meet my team(!) and discuss the reasons for our Open Source use.
In fact, it was a meeting of 2 1/2 hours with 3 Microsoft sales/consulting reps trying to persuade us not to use Open Source (mainly they talked about "Linux" until we told them that we don't use Linux and that we don't understand what they are talking about :-) because "it is inherently insecure, unreliable" and, what was their biggest argument, "there is nobody in this country who could give you any support for Open Source", etc.
Also, they wanted(!) (actually they "required") us to tell them the reasons why we are using Open Source instead of the already introduced and long-time proven Microsoft software in this company.
Then I started explaining the four reasons above, and when we came to the point of "Licensing Costs", they offered to give us the Windows server licences for free.
I am not kidding. When I told them that I'd need at least ten licenses and that at $400 each this would be too much for me for the beginning, they offered to give us the licenses for free - and not only for now, but also for the future if we kept working with Microsoft.
Of course, they knew that if we implement successful projects based on Open Source in the New Media Group, this might extend to other areas, too, e.g. data servers (we are in fact planning to create a print archive fully based on Open Source now that the technicians in the company see that Open Source can be successfully implemented).
I just wanted to let you know about this fact. The meeting was very funny, as they were trying to explain to us that Microsoft software is more reliable, secure and cheaper than Linux, and I was trying to explain to them that a) we are not using Linux, b) they have wrong numbers about TCO, c) I could prove that Open Source is cheaper and lastly d) any survey trying to figure out the TCO is definitely wrong, as they try to please the company who ordered the survey, etc. etc."
Except for a few select Microsoft sites which use it (you really have the same thing for AOL), no site I have visited in the past 2 years has used Microsoft Passport (tm).
I can't believe they think that Microsoft has the market 'tied down'. How hard would it be to develop a new client authentication scheme and convince the millions of websites out there NOT using passport to use your new scheme? Sure it may be hard in some cases, but there is a hell of a lot of room for getting a huge chunk of the market.
Do you use Micro$oft Passport?
- Yes
- No
- I'm Afraid to
- Cowboyneal is my Passport
I'd rather be a conservative nutjob than a liberal with no nuts and no job.
I implemented a single sign-on solution quite easily for my own side project (see suprasphere). It uses a zero-knowledge proof called the "Secure Remote Password Protocol", done by Thomas Wu of Stanford. My solution is full Java, but there are other implementations, some of which I think even work for SSH.
The way it works is that the password is never sent to the remote host, ever. Instead, it only proves that you know the password beyond a statistically reasonable doubt. The advantage to this is that I can use the same password "verifier" many places without having to trust them.
Just for the heck of it, I decided to provide a way to use a 1024 bit random integer as the basis for a roaming profile. You can use a human memorizable passphrase to login one place (such as your PC), and then pick up the large random number that will be used to prove yourself to all of the sites where you have an account. Assuming you use the 1024 bit number for verification, there's virtually no chance that someone will be able to forge your identity.
This is no different than using a private key in conjunction with a public key, but it's nice because it also works with human passwords, with a nice migration path to using more secure authentication means. Furthermore, since you in theory don't know if a verifier was created using a human password or a big integer, it makes it highly improbable to try to brute force guess using either an offline or online dictionary attack.
Also, I just came across this IBE solution, also from Stanford that works for regular email, which suprasphere doesn't support yet. (see Stanford IBE Crypto) My email is david@suprasphere.com if you want to contact me.
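The exchange the comment above describes, as an added example that is not code from the original post or from the suprasphere project: a complete SRP-6a enrollment and login in Python. Registration hands the server only a salt and a verifier v = g^x; at login the client proves knowledge of x without ever transmitting the password, and a wrong password simply fails the proof. Two things are assumptions of this example rather than properties of SRP itself: the group modulus N is a small (96-bit) safe prime found at import time so the file runs offline, where a real deployment uses one of the published 1024-bit or larger SRP groups, and the proofs M1 and M2 are simplified to H(A | B | K) and H(A | M1 | K) rather than the fuller transcript hash of the original specification. The defender's caveat that goes with the "same verifier everywhere" idea: a verifier leaked from any server still permits an offline guessing attack on a weak password, which is exactly why the high-entropy secret the commenter describes next is the stronger configuration.

```python
"""Minimal SRP-6a (added example; TOY group size, simplified M1/M2)."""
import hashlib
import hmac
import random
import secrets
from typing import Tuple


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 24) -> bool:
    """Miller-Rabin probable-prime test; adequate for a demo group."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_safe_prime(bits: int = 96, seed: int = 2002) -> int:
    """Deterministically find a safe prime N = 2q + 1 of the given size.
    ASSUMPTION: a 96-bit group is for demonstration only."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q, rng) and _is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1


N = toy_safe_prime()            # group modulus (toy size, see above)
G = 2                           # generator; order q or 2q in a safe-prime group
NLEN = (N.bit_length() + 7) // 8


def pad(n: int) -> bytes:
    """Fixed-width big-endian encoding, SRP-6a's PAD()."""
    return n.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenation, read as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


K_MULT = H(pad(N), pad(G))      # SRP-6a multiplier k = H(N | PAD(g))


def private_x(identity: bytes, password: bytes, salt: bytes) -> int:
    """x = H(s | H(I | ':' | P)); only the client ever computes this."""
    return H(salt, hashlib.sha256(identity + b":" + password).digest())


def enroll(identity: bytes, password: bytes) -> Tuple[bytes, int]:
    """Registration: the server receives (salt, verifier); the password stays home."""
    salt = secrets.token_bytes(16)
    return salt, pow(G, private_x(identity, password, salt), N)


def authenticate(identity: bytes, password: bytes, salt: bytes, verifier: int) -> bool:
    """One SRP-6a login; True only if both sides derive the same session key."""
    # client: ephemeral a, public A
    a = secrets.randbelow(N - 2) + 1
    A = pow(G, a, N)
    # server: receives A; A == 0 mod N would force S to 0, so reject it
    if A % N == 0:
        return False
    b = secrets.randbelow(N - 2) + 1
    B = (K_MULT * verifier + pow(G, b, N)) % N
    # client: receives (salt, B); same zero check, then derives S and proof M1
    if B % N == 0:
        return False
    u = H(pad(A), pad(B))
    if u == 0:
        return False
    x = private_x(identity, password, salt)
    S_client = pow((B - K_MULT * pow(G, x, N)) % N, a + u * x, N)
    K_client = hashlib.sha256(pad(S_client)).digest()
    M1 = hashlib.sha256(pad(A) + pad(B) + K_client).digest()   # simplified proof
    # server: derives S from A, v and b, then checks M1 in constant time
    S_server = pow(A * pow(verifier, u, N) % N, b, N)
    K_server = hashlib.sha256(pad(S_server)).digest()
    expected = hashlib.sha256(pad(A) + pad(B) + K_server).digest()
    if not hmac.compare_digest(expected, M1):
        return False
    # server proves itself back with M2; client checks it
    M2 = hashlib.sha256(pad(A) + M1 + K_server).digest()
    return hmac.compare_digest(M2, hashlib.sha256(pad(A) + M1 + K_client).digest())


if __name__ == "__main__":
    s, v = enroll(b"alice", b"correct horse battery staple")   # constructed sample
    print("stored verifier (not the password):", hex(v)[:20], "...")
    print("right password:", authenticate(b"alice", b"correct horse battery staple", s, v))
    print("wrong password:", authenticate(b"alice", b"wrong", s, v))
```

Both sides end up with g^(b(a + ux)) mod N: the client reaches it through (B - k g^x)^(a + ux) and the server through (A v^u)^b, so the server never needs x, and a client that guessed x wrong produces a different S and fails the M1 check. The zero checks on A and B, the constant-time comparisons, and the server proving itself back with M2 are the parts an implementer most often leaves out.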
Full disclosure time: I work for Andre Durand, who set up Jabber Inc and whose latest venture is PingID. We got together, along with Adam Theo (who got our server slashdotted with the ransom thingy a few weeks back), because we'd been working on open source digital identity for about a year. Andre knows the balance between commercial and open source well in our opinions, and he's been sponsoring the effort.
I've been to DIDW 2002, met the guys designing the protocols and met Justin Taylor from Novell. All those links were to say, I've been following this scene since before people were talking about "identity" and I want to shout my thoughts loud and clear.
Firstly, the idea that Microsoft have authentication tied down is laughable. Passport is in its current incarnation a piece of crap. By version 3.1 I'm sure it'll be peachy, but right now it stinks. The extent of their "integration" with Windows is having IE6 use some native dialog boxes instead of web forms and being able to automatically sign on when you login (does anybody actually use that?). It is most definitely possible to do something better than this in a seamless enough way that users would go for it. In fact, when I was in Denver, me and Adam sketched out an idea for how to do it.
Secondly, the Alliance is a rather mixed organisation. It's made up of lots of big corps who are not in fact enormous big baddies who want to steal your privacy just for the hell of it, but they do want to enable better business relationships. The example Esther Dyson gave was that the airline company should remember whether she likes window seats or not. I'm sure some Slashdotters would find this freaky/scary but she is a smart lady and she knew that she wanted that kind of information to make her life easier.
BUT - the LA is attempting to tackle a slightly different problem to the one that interests me and Adam. What we want to do is simple: we want to be able to run a server on theoretic.com that lets me sign in to Slashdot with my network address, lets me sign up for mailman mailing lists without inventing passwords each time, links my Jabber account with my email account with my personal profiles so people can locate me based on interest, so I can sign in to Linux GDM with my network address and get my roaming desktop and so on. We have LOTS of ideas! :)
What the LA are doing is linking currently existing identities together. They gave a demo of the technology in Denver. In fact, it was Justin Taylor who did this demo. It was entirely corporate focussed, they started from an intranet and were automatically signed in to some flight reservation service. That sort of tech has its place, and they're being realistic in that linking identities is a good way to start until people start getting their own identities hosted for them like email addresses.
The LA has some good points to it, don't mindlessly bash it. However, it also has some bad points. One is the stupid requirements for membership, which they admitted to me privately are basically to keep the little guys out. Another is the hideous complexity of their protocols. The ones we've developed sacrifice a small amount of flexibility for a huge increase (imho) in implementability and understandability.
Well, having plugged it now (I seem to be plugging a lot of my projects today), I guess I'd better point out that what we're doing actually consists of two parts. The first is the protocol. This is (currently) called the Genio Protocol, and will be getting its own website soon (look for an announcement here when it does). It's simple, open and as far as we know free of IP claims. The second is the SourceID reference server, which is under a pseudo open source license.
We have user profiles working, and I was coding up basic tickets functionality (authentication/authorization tokens) last weekend. Hopefully genioprotocol.org will be up soon and then it'll make more sense.
Believe me, this is totally scratching an itch on my part (though I do get paid for it now too [grin]) because I think a good set of solid open digital identity protocols will make my life easier, and totally kick ass into the bargain.
The acute accent U+00B4 is in the ISO latin-1 character set. Alternatively, the author might have used one of the Unicode characters:
U+2018 ‘ left single quotation mark
U+2019 ’ right single quotation mark
But when it's posted without a character-encoding MIME type, the processor just sees a strange character, and replaces it with a default character, in this case a question mark.
Laugh at my Lisp and I keeell you.
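The failure mode described in the comment above, as an added example that is not from the original post: encoding constructed strings containing U+00B4 and U+2019 for a Latin-1 recipient, and then decoding UTF-8 bytes that arrived with no charset label. The Latin-1 case reproduces the "?" substitution; the other case shows the opposite failure, where a guessed single-byte charset (cp1252 is assumed here) never errors but turns one curly quote into three characters of mojibake.

```python
"""Undeclared character encodings: constructed examples, not the comment's code."""

ACUTE = "\u00b4"   # acute accent, part of ISO Latin-1
RSQUO = "\u2019"   # right single quotation mark, outside Latin-1


def encode_as(text: str, charset: str) -> bytes:
    """Encode text for a recipient that expects `charset`.
    A lossy converter substitutes a default character (here '?') for
    anything the charset cannot represent, which is the comment's case."""
    return text.encode(charset, errors="replace")


def read_without_charset(raw: bytes, assumed: str = "latin-1") -> str:
    """A processor that gets bytes with no charset label has to guess.
    Single-byte charsets map every byte to some code point, so decoding
    never fails; multibyte UTF-8 input just comes out as mojibake."""
    return raw.decode(assumed)


def demo() -> dict:
    """Collect the three outcomes for the two quote characters."""
    return {
        "acute_latin1": encode_as("it" + ACUTE + "s", "latin-1"),
        "rsquo_latin1": encode_as("it" + RSQUO + "s", "latin-1"),
        "rsquo_utf8_as_cp1252": read_without_charset(
            ("it" + RSQUO + "s").encode("utf-8"), "cp1252"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24s} {value!r}")
```

The fix on the posting side is to label the bytes (a `charset=` parameter on the Content-Type, or a meta tag in HTML) so the receiver does not have to guess; neither of the two wrong outcomes above raises an error, which is why the damage usually goes unnoticed until someone reads the text.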
There is already the ability to negotiate image formats, languages and authentication schemes. Adding in registration shouldn't be a problem.