Slashdot Mirror


Liberty Alliance Having Problems

torre writes "This article would suggest that there seems to be some chaos in the Liberty Alliance fight against Passport. Between Sun's Jonathan Schwartz claiming defeat to Microsoft as it has the market tightly controlled with the help of Windows to Novell's Justin Taylor who says that Microsoft's Passport has got nothing to offer when it comes to the enterprise. Should be interesting to see how things pan out."

6 of 143 comments

  1. Who uses passport anyway by esac17 · · Score: 4, Interesting

    Except for a few select Microsoft sites which use it (you really have the same thing for AOL), no site I have visited in the past 2 years has used Microsoft Passport (tm).

    I can't believe they think that Microsoft has the market 'tied down'. How hard would it be to develop a new client authentication scheme and convince the millions of websites out there NOT using passport to use your new scheme? Sure it may be hard in some cases, but there is a hell of a lot of room for getting a huge chunk of the market.

  2. Slashdot poll idea: by chunkwhite86 · · Score: 2, Interesting

    Do you use Micro$oft Passport?

    - Yes
    - No
    - I'm Afraid to
    - Cowboyneal is my Passport

    --
    I'd rather be a conservative nutjob than a liberal with no nuts and no job.

  3. Zero knowledge by Anonymous Coward · · Score: 3, Interesting

    I implemented a single sign-on solution quite easily for my own side project (see suprasphere). It uses a zero-knowledge proof called the "Secure Remote Password Protocol" done by Thomas Wu of Stanford. My solution is full Java, but there are other implementations, some of which I think even work for SSH.

    The way it works is that the password is never sent to the remote host, ever. Instead, it only proves that you know the password beyond a statistically reasonable doubt. The advantage to this is that I can use the same password "verifier" many places without having to trust them.

    Just for the heck of it, I decided to provide a way to use a 1024 bit random integer as the basis for a roaming profile. You can use a human memorizable passphrase to login one place (such as your PC), and then pick up the large random number that will be used to prove yourself to all of the sites where you have an account. Assuming you use the 1024 bit number for verification, there's virtually no chance that someone will be able to forge your identity.

    This is no different than using a private key in conjunction with a public key, but it's nice because it also works with human passwords, with a nice migration path to using more secure authentication means. Furthermore, since you in theory don't know if a verifier was created using a human password or a big integer, it makes it highly improbable that a brute-force guess will succeed using either an offline or online dictionary attack.

    Also, I just came across this IBE solution, also from Stanford that works for regular email, which suprasphere doesn't support yet. (see Stanford IBE Crypto) My email is david@suprasphere.com if you want to contact me.
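    The exchange this comment describes, as an added example that is not part of the original post or of the suprasphere project: a compact SRP client and server in Python using the SRP-6a revision of Wu's protocol, SHA-256, and the 1024-bit group published in RFC 5054. The client registers only a salt and the verifier v = g^x; at login only the ephemeral values A and B and two short proofs cross the wire, and a wrong password makes the exchange fail without the server ever seeing the password. The identity and password strings, and the `demo_exchange` helper that drives both sides in one process, are constructed for this example.

```python
import hashlib
import secrets

# Group parameters both sides must agree on: the 1024-bit modulus from
# RFC 5054, Appendix A, with generator g = 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
N_LEN = (N.bit_length() + 7) // 8  # 128 bytes; values are padded to this before hashing


def H(*parts):
    """SHA-256 over the concatenated byte strings, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def pad(n):
    """Left-pad an integer to the modulus length, as SRP-6a requires when hashing."""
    return n.to_bytes(N_LEN, "big")


# SRP-6a multiplier k = H(N | PAD(g)); it stops a fake server from testing
# two password guesses per exchange, a weakness of the earlier SRP-3.
k = H(pad(N), pad(g))


def private_x(salt, identity, password):
    """x = H(salt | H(identity ':' password)); only the client ever derives this."""
    inner = hashlib.sha256(f"{identity}:{password}".encode()).digest()
    return H(salt, inner)


def register(identity, password):
    """Registration: the client computes v = g^x and hands (salt, v) to the server.
    The server stores the verifier and never sees the password or x."""
    salt = secrets.token_bytes(16)  # constructed per-account salt
    return salt, pow(g, private_x(salt, identity, password), N)


class Client:
    def __init__(self, identity, password):
        self.identity, self.password = identity, password
        self.a = secrets.randbelow(N - 2) + 1  # ephemeral private exponent
        self.A = pow(g, self.a, N)             # public value sent to the server

    def hello(self):
        return self.identity, self.A

    def respond(self, salt, B):
        """Consume the server's (salt, B) and return the client proof M1."""
        if B % N == 0:
            raise ValueError("server sent an invalid public value")
        u = H(pad(self.A), pad(B))
        if u == 0:
            raise ValueError("degenerate scrambling parameter")
        x = private_x(salt, self.identity, self.password)
        # S = (B - k*g^x)^(a + u*x): the k*g^x term cancels the server's k*v,
        # so both sides reach g^(ab + ubx) without exchanging x or the password.
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = hashlib.sha256(pad(S)).digest()
        self.M1 = hashlib.sha256(pad(self.A) + pad(B) + self.K).digest()
        return self.M1

    def check_server(self, M2):
        """Confirm the server also derived K (mutual authentication)."""
        expected = hashlib.sha256(pad(self.A) + self.M1 + self.K).digest()
        return secrets.compare_digest(expected, M2)


class Server:
    def __init__(self, identity, salt, v):
        self.identity, self.salt, self.v = identity, salt, v  # stored at registration

    def challenge(self, A):
        """Answer the client's A with (salt, B) where B = k*v + g^b."""
        if A % N == 0:
            raise ValueError("client sent an invalid public value")
        self.A = A
        self.b = secrets.randbelow(N - 2) + 1
        self.B = (k * self.v + pow(g, self.b, N)) % N
        return self.salt, self.B

    def check_client(self, M1):
        """Verify M1 against the verifier; return M2 on success, None on failure."""
        u = H(pad(self.A), pad(self.B))
        S = pow(self.A * pow(self.v, u, N), self.b, N)  # (A * v^u)^b
        K = hashlib.sha256(pad(S)).digest()
        expected = hashlib.sha256(pad(self.A) + pad(self.B) + K).digest()
        if not secrets.compare_digest(expected, M1):
            return None
        return hashlib.sha256(pad(self.A) + M1 + K).digest()


def demo_exchange(identity, registered_password, login_password):
    """Run a full login in-process; returns (server accepted client, client accepted server)."""
    salt, v = register(identity, registered_password)
    server = Server(identity, salt, v)
    client = Client(identity, login_password)
    _, A = client.hello()
    M1 = client.respond(*server.challenge(A))
    M2 = server.check_client(M1)
    if M2 is None:
        return False, False
    return True, client.check_server(M2)
```

    The verifier lets a server check the client's proof but does not let that server log in as the user anywhere else, which is the property the comment relies on when reusing one verifier across sites; the server's own proof M2 gives the client the same assurance in the other direction.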

  4. Grrrrrrrr by IamTheRealMike · · Score: 5, Interesting

    OK, this type of article pisses me off.

    Full disclosure time, I work for Andre Durand who set up Jabber Inc and whose latest venture is PingID. We got together, along with Adam Theo (who got our server slashdotted with the ransom thingy a few weeks back) because we'd been working on open source digital identity for about a year. Andre knows the balance between commercial and open source well in our opinions, and he's been sponsoring the effort.

    I've been to DIDW 2002, met the guys designing the protocols and met Justin Taylor from Novell. All those links were to say, I've been following this scene since before people were talking about "identity" and I want to shout my thoughts loud and clear.

    Firstly, the idea that Microsoft have authentication tied down is laughable. Passport is in its current incarnation a piece of crap. By version 3.1 I'm sure it'll be peachy, but right now it stinks. The extent of their "integration" with Windows is having IE6 use some native dialog boxes instead of web forms and being able to automatically sign on when you login (does anybody actually use that?). It is most definitely possible to do something better than this in a seamless enough way that users would go for it. In fact when I was in Denver Adam and I sketched out an idea for how to do it.

    Secondly, the Alliance is a rather mixed organisation. It's made up of lots of big corps who are not in fact enormous big baddies who want to steal your privacy just for the hell of it, but they do want to enable better business relationships. The example Esther Dyson gave was that the airline company should remember whether she likes window seats or not. I'm sure some Slashdotters would find this freaky/scary but she is a smart lady and she knew that she wanted that kind of information to make her life easier.

    BUT - the LA is attempting to tackle a slightly different problem to the one that interests me and Adam. What we want to do is simple: we want to be able to run a server on theoretic.com that lets me sign in to Slashdot with my network address, lets me sign up for mailman mailing lists without inventing passwords each time, links my Jabber account with my email account with my personal profiles so people can locate me based on interest, so I can sign in to Linux GDM with my network address and get my roaming desktop and so on. We have LOTS of ideas! :)

    What the LA are doing is linking currently existing identities together. They gave a demo of the technology in Denver. In fact, it was Justin Taylor who did this demo. It was entirely corporate focussed, they started from an intranet and were automatically signed in to some flight reservation service. That sort of tech has its place, and they're being realistic in that linking identities is a good way to start until people start getting their own identities hosted for them like email addresses.

    The LA has some good points to it, don't mindlessly bash it. However, it also has some bad points. One is the stupid requirements for membership, which they admitted to me privately are basically to keep the little guys out. Another is the hideous complexity of their protocols. The ones we've developed sacrifice a small amount of flexibility for a huge increase (imho) in implementability and understandability.

    Well having plugged it now (I seem to be plugging a lot of my projects today), I guess I'd better point out that what we're doing actually consists of two parts. The first is the protocol. This is (currently) called the Genio Protocol, and will be getting its own website soon (look for an announcement here when it does). It's simple, open and as far as we know free of IP claims. The second is the SourceID reference server, which is under a pseudo open source license.

    We have user profiles working, and I was coding up basic tickets functionality (authentication/authorization tokens) last weekend. Hopefully genioprotocol.org will be up soon and then it'll make more sense.

    Believe me, this is totally scratching an itch on my part (though I do get paid for it now too [grin]) because I think a good set of solid open digital identity protocols will make my life easier, and totally kick ass into the bargain.

  5. ISO latin-1 characters by Hubert Q. Gruntley · · Score: 2, Interesting

    The acute accent U+00B4 is in the ISO latin-1 character set. Alternatively, the author might have used one of the Unicode characters:

    U+2018 ‘ left single quotation mark
    U+2019 ’ right single quotation mark

    But when it's posted without a character-encoding MIME type, the processor just sees a strange character, and replaces it with a default character, in this case a question mark.

    --
    Laugh at my Lisp and I keeell you.

  6. Re:what about registration? by gorilla · · Score: 3, Interesting

    Wouldn't it be even easier to have a standardized registration process that the browser could interact with on its own?

    There is already the ability to negotiate image formats, languages and authentication schemes. Adding in registration shouldn't be a problem.