Slashdot Mirror
Liberty Alliance Having Problems
torre writes "This article would suggest that there seems to be some chaos in the Liberty Alliance fight against Passport. Between Sun's Jonathan Schwartz claiming defeat to Microsoft as it has the market tightly controlled with the help of windows to Novell's Justin Taylor who says that Microsoft's Passport has got nothing to offer when it comes to the enterprise. Should be interesting to see how things pan out."
Whatever the solution, I'd feel much more secure with Sun hardware / software than I would with MS. They don't reinvent the wheel every 6 months in an attempt to correct all the mistakes they made in the previous version of the wheel.....
Umm... did you think this over, really seriously? I was a user of DigitalMe, and it made my Internet life a helluva easier. I could securely log into all of my services without having to know more than one password by heart. I could personalize most of those services, using just a browser and my account at DigitalMe. I had some messaging and e-mail options at disposal just as an added benefit. I all worked together. (Unfortunately, Novell discontinued the service, but that's their old illness: got a lot of cool technology, but incapable of making profit outta it.)
Nonetheless, I can clearly see the advantages the industry and private individuals would have from Liberty alliance's efforts. Note that I didn't even mention the B2B features that the Liberty Alliance is working on.
Sigged!
...stories like these were properly labeled as "MS Troll" instead of "Technology", that way I could filter them out.
The article basically says "We can't get into Passport's market share because MS forced people to sign up." That's a fair statement except for one minor detail: Massive numbers of people aren't running around saying "I need a single log-in point across multiple domains!".
If the demand's not there, bleating about MS beating you isn't going to make it better. Frankly, I think the only reason this article made it to Slashdot is that juicy little line about MS "forcing" people to sign up with Passport.
I can't be the only one who'd like to filter these stupid articles.
Except for a few select Microsoft sites which use it, (You really have the same thing for AOL), no site I have visited in the past 2 years has used Microsoft Passport (tm).
I can't believe they think that Microsoft has the market 'tied down'. How hard would it be to develop a new client authentication scheme and convince the millions of websites out there NOT using passport to use your new scheme? Sure it may be hard in some cases, but there is a hell of a lot of room for getting a huge chunk of the market.
As a browser plugin ? That way the person decides who can access their information ? The keys, credit card and personal information/etc. are stored in an encrypted file on the machine and only those with permission can get at the information ? It would eliminate the need for a hugemungous server (run by an evil corporation) and this way it would be pretty simple to access the information (with some authentication of course) and not need to pay an arm and a left testicle to an Evil Corporation..
UPS Sucks
Related news:
AOL Pulls Rug From Under 'Magic Carpet'
Kriston
I can log into my services securely too, and know only one password. It's quite easy.
:P
Set all of your passwords to be the same.
The only reason that Passport is useful is because it tries to dip its finger into a lot of pies at the same time. The end result is that corporations find out a lot more about your surfing/buying/playing habits than they otherwise would. In other words, it's *not* useful to the end user - it's useful to the service providers.
This article seems to have written in a deliberately misleading manner from a few out of context quotes. They put words in a Sun executives mouth (as far as I can see nobody has "conceded defeat") and then makes out that there is a rift because others haven't "conceded defeat".
One of the thing the Sun guy says is "I don't think it will be very long before we have a pervasive non-Microsoft client". That doesn't sound like conceding defeat to me.
My browser (Mozilla) stores my passwords. Don't see why I need a network-based service, controlled by someone else, subject to snooping, stealing, or worse, when the browser on a PC I control will do the trick.
sulli
RTFJ.
Give me liberty or give me something else. I'm cool with either, really.
However, it is a valid point that Passport has been a major failure up until now (tens of millions of forced signups and nothing substantive to show for it) and even with monopolistic momentum, a few new major Passport security failures could make a serious, well supported competitor that much more attractive.
You know, the whole concept behind Passport isn't far off from the purported usefulness of the "adult verification services": you pay them a LOW LOW monthly fee and supposedly get access to thousands of online porn sites.
It's good to know that Bill still surfs for pr0n every now and then.
Well? Is your company going to take the pay-off or are you going to stay with FreeBSD?
I think you have mistaken this AC for someone who writes his own comments.
Besides the question of how useful single sign of stuff is, security questions, and adoption rates, etc., this shows how nice it is to be one, large, powerful entity. In this case, MS says, "this is the way we'll go." No one else has the market share to do similar things without forming alliances and consortiums which, while they may have a better idea, usually falter for exactly this reason: they cannot agree on what it is they are doing or why.
The causes for this are interesting, but far to many, complicated, and inter-related to get into during a 5 minute work break. Too bad.
Microsoft added a fake left curling single-quote to most of it's fonts about ten years ago. Toy 'desktop' systems like Word, MS Publisher, BOB use these quotes in order to look 'cool'.
Standards-based browsers: Netscape, Mozilla, Konqueror, Opera don't nesesarily display this non-standard 'quote' the way IE does. They default to showing a question mark when confronted with theis non-standard quote.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
Well that was a refreshingly content-free article, allow me to summarize:
Sun: Windows is better at whatever Liberty/Passport does
Novell: Maybe in the home market, but we do whatever Liberty/Passport does much better in the Enterprise!
Netegrity: Maybe Microsoft does whatever Liberty/Passport does better on Windows, but the true value is doing that cross-platform and cross-domain!
I still don't see how any of this is more than a niche market. Yes, there is a need in large enterprises for single sign-on, but that's largely a Fortune 100 issue, so no huge market there. For smaller companies, it's far cheaper to staff a helpdesk than it is to do an enterprise single-sign-on implementation. Yes, home-users have to manage a lot of userids and passwords too, but integrated browser password functions cover the 90% of people who don't move from their base computer. So for the home as well it's a niche function.
The only value I see is the value of Microsoft or AOL with extending their MSN or AOL login to new functions and thereby making it more "sticky", giving users an effective barrier to leaving their service. To me, that's really all this posturing is about.
Also, I fail to see why my cell-phone and my SSH session need to share a password.
P.S. Justin Taylor is a big geek. 8-)
- "When you want something with all your heart, the entire universe conspires to give it to you" -Paulo Coelho
The AOL-Sun-Netscape alliance and the other charter members definately have the ability to push Liberty, but perhaps not the will.
If they wanted to AOL, Netscape, Mastercard, Visa and American Express could deliver a *staggering* amount of particpants. This would dwarf the several million Microsoft passport holders overnight.
I think that the main problem here with Sun's technical leadership is that it's too busy trying to work out what it does for a business to worry about taking on Microsoft in yet another arena.
Another reason is that the when you're a holding a hammer, everything looks like a nail.
Sun sees Liberty as a battle with Microsoft, Novell sees it as glorified LDAP server, while the credit card and mobile phone companies see it as a targeted advertsing and aggregation tool.
The conflict is being caused by each charter member having a different vision of what Liberty actually *is*.
It will be a while before anyone picks up this hot potato again. Until then, single sign-on is dead.
Has anybody noticed that there are two other Passport-like systems floating out there as well?
.Net Passport so that you can use MSN Messenger, but there are millions of people who dashed to aim.aol.com to get AIM and therefore ScreenName Service account, and Yahoo's got an IM client too if you want it.
The first is AOL's. AOL Time Warner has gone around and tied the login systems of almost all of their properties from CNN to Netscape to use the same logon system as AOL/AIM ScreenNames. AOL has direct competitors to almost everything MSN has and then some, and can collect just as much personal info to send to a media empire.
The second is Yahoo's. Now, I know the Yahoo logon is only valid at the Yahoo.com domain, but Yahoo has within its domain content that MSN spreads out into dozens of domains. Everything including a Hotmail-like e-mail site, an Expedia-like travel site, a CNBC-like financial site, and an MSNBC-like news site all accept the same Yahoo logon. Yahoo wants your credit card numbers in your Yahoo Wallet let's not forget...
Yeah, Microsoft is the most annoying in getting you to sign up for a
There are really three web empires... yet only one is getting all the heat. What's up with that?
Good point, but you?ve got to admit, it?s an easy mistake to make.
Where Passport/Alliance etc. is useful is for corporations who can easier track your browsing/shopping habits to profile you and target you with more personalized spam.
Your pizza just the way you ought to have it.
With a single sign-on, you really have some security problems is return for the convenience. One shoulder-surfer can completely steal your online identity. And is anyone under the illusion that people will pick strong passwords for their Passport accounts? Nope, they'll pick their pets' names, kids' birthdays, favorite sports teams, etc.
MS may be insulated from competition with Passport, because the good guys wouldn't dream of implementing it insecurely, and that means their implemenbtations will be less convenient than MS's.
At this point, security is the one single strongest reason for people to switch away from MS and start using open-source software and open protocols. The problem is that very few people really care very much about security, and they don't really understand security well enough to know what they're missing.
Find free books.
I used to have different passwords for different services and had my browswer remember them. The problem was that if I needed to access something from somewhere else, it was a royal pain because I didn't remember all the passwords and my home computer is not accessable over the internet. There were times when I had to have a service email me my password, which opens up its own security problems.
Also, if you have your browser store passwords at work, then you're extremely insecure as well.
I used to think different passwords for different services was more secure, but I now use the same password for all sites and then change this password everywhere periodically. It's a minor hassle to change them but it's probably more secure than either Passport or browser storage, and I can access everything no matter where I am.
I implemented a single-sign on solution quite easily for my own side project (see suprasphere). It uses a zero-knowledge proof called the "Secure Remote Password Protocol" done by Thomas Wu of stanford. My solution is full Java, but there are other implementations, some of which I think even work for SSH.
The way it works is that the password is never sent to the remote host, ever. Instead, it only proves that you know the password beyond a statistical reasonable doubt. The advantage to this, is that I can use the same password "verifier" many places without having to trust them.
Just for the heck of it, I decided to provide a way to use a 1024 bit random integer as the basis for a roaming profile. You can use a human memorizable passphrase to login one place (such as your PC), and then pick up the large random number that will be used to prove yourself to all of the sites where you have an account. Assuming you use the 1024 bit number for verification, there's virtually no chance that someone will be able to forge your identity.
This is no different than using a private key in conjunction with a public key, but it's nice because it also works with human passwords, with a nice migration path to using more secure authentication means. Furthermore, since you in theory don't know if a verifier was created using a human password or a big integer, it makes it highly improbable to try to brute force guess using either an offline or online dictionary attack.
Also, I just came across this IBE solution, also from Stanford that works for regular email, which suprasphere doesn't support yet. (see Stanford IBE Crypto) My email is david@suprasphere.com if you want to contact me.
Full disclosure time, I work for Andre Durand who setup Jabber Inc and whos latest venture is PingID. We got together, along with Adam Theo (who got our server slashdotted with the ransom thingy a few weeks back) because we'd been working on open source digital identity for about a year. Andre knows the balance between commercial and open source well in our opinions, and he's been sponsoring the effort.
I've been to DIDW 2002, met the guys designing the protocols and met Justin Taylor from Novell. All those links were to say, I've been following this scene since before people were talking about "identity" and I want to shout my thoughts loud and clear.
Firstly, the idea that Microsoft have authentication tied down is laughable. Passport is in its current incarnation a piece of crap. By version 3.1 I'm sure it'll be peachy, but right now it stinks. The extent of their "integration" with Windows is having IE6 use some native dialog boxes instead of web forms and being able to automatically sign on when you login (does anybody actually use that?). It is most definately possible to do something better than this in a seamless enough way that users would go for it. In fact when I was in Denver me and Adam sketched out an idea for how to do it.
Secondly, the Alliance is a rather mixed organisation. It's made up of lots of big corps who are not in fact enormous big baddies who want to steal your privacy just for the hell of it, but they do want to enable better business relationships. The example Esther Dyson gave was that the airline company should remember whether she likes window seats or not. I'm sure some Slashdotters would find this freaky/scary but she is a smart lady and she knew that she wanted that kind of information to make her life easier.
BUT - the LA is attempting to tackle a slightly different problem to the one that interests me and Adam. What we want to do is simple: we want to be able to run a server on theoretic.com that lets me sign in to Slashdot with my network address, lets me sign up for mailman mailing lists without inventing passwords each time, links my Jabber account with my email account with my personal profiles so people can locate me based on interest, so I can sign in to Linux GDM with my network address and get my roaming desktop and so on. We have LOTS of ideas! :)
What the LA are doing is linking currently existing identities together. They gave a demo of the technology in Denver. In fact, it was Justin Taylor who did this demo. It was entirely corporate focussed, they started from an intranet and were automatically signed in to some flight reservation service. That sort of tech has its place, and they're being realistic in that linking identities is a good way to start until people start getting their own identities hosted for them like email addresses.
The LA has some good points to it, don't mindlessly bash it. However, it also has some bad points. One is the stupid requirements for membership, which they admitted to me privately are basically to keep the little guys out. Another is the hideous complexity of their protocols. The ones we've developed sacrifice a small amount of flexibility for a huge increase (imho) in implementability and understandability.
Well having plugged it now (i seem to be plugging a lot of my projects today), I guess I'd better point out that what we're doing actually consists of two parts. The first is the protocol. This is (currently) called the Genio Protocol, and will be getting its own website soon (look for an announcement here when it does). It's simple, open and as far as we know free of IP claims. The second is the SourceID reference server, which is under a pseudo open source license.
We have user profiles working, and I was coding up basic tickets functionality (authentication/authorization tokens) last weekend. Hopefully genioprotocol.org will be up soon and then it'll make more sense.
Believe me, this is totally scratching an itch on my part (though I do get paid for it now too [grin]) because I think a good set of solid open digital identity protocols will make my life easier, and totally kick ass into the bargain.
Every password-protected site requires a separate registration process. Wouldn't it be simpler to cache registration information on a central server?
The obvious disadvantage to this is that a poorly designed system could release personal info to unscrupulous businesses. A well-designed system could show you which fields a particular site wanted and ask for your approval. Better yet you could configure your account to release different levels of info to sites based on their privacy policy.
Sun's Jonathan Schwartz claiming defeat to Microsoft as it has the market tightly controlled with the help of windows
Pardon me for being a bit cranky and harsh, but why does Sun always seem to pull this line? They are declaring defeat before the battle really begins. If they want to pull out and quit then let them, but they have no need to declare the whole project a failure.
Besides, isn't a bit early for them to start their standard "we can't do this because of Microsoft" whine.
And when it's compromised? I have set all my passwords to be the same for about a year now, and it's the only way I can stay sane with the number of separate accounts/identities I have. My password has been compromised twice now :(
Luckily both times the people who saw it were friends. The first time I had to tell Adam my password so he could setup my new email/shell account for me. The second time a stupid MS connection wizard of all things printed out the password in plaintext at the end, just to helpfully confirm you'd chosen it right.
Not to mention the difficulties I had finding a password that was easy to remember but fitted into all the various rules some sites/systems have about passwords
Good passwords should be changed regularly. To do that, you need 1 password. To do that, you need digital identities.
"My browser (Mozilla) stores my passwords. Don't see why I need a network-based service, controlled by someone else, subject to snooping, stealing, or worse, when the browser on a PC I control will do the trick."
So basically you've written your passwords down underneath your keyboard, and think you are secure because nobody is going to look there.
I wrote most of the SAML specs which are the basis of the Liberty design. I really wish that people would stop trying to define the problem as one company bashing another.
I have absolutely no interest in the issue of whether Sun can stop Microsoft or Microsoft can stop Sun. I have been trying to deploy global authentication schemes for ten years now, I believe that the problem is sufficiently hard that it is not going to be solve by any party that makes its primary objective the defeat of another party.
First off lets recognize that companies working together can be a good thing for the consumer and can also be a bad thing. It is good when stuff works together, it is bad when working together effectively means a cartel.
I don't fault Microsoft for using their deployed base to build the user base for passport. After all AOL did the same thing by buying up rival instant messaging services.
What I do not see is how any party can reasonably expect the idea of global authentication to turn into some sort of monopoly. The competative forces involved are just too great.
Consider the problem of getting access to my frequent flyer plan at United. It would be pretty handy if I could simply log on to United transparently through my browser without having the browser store lots of personal data on my machine that could itself be a security vulnerability. On the other hand I don't see United paying anyone $10 per year for the privillege of offering this facility or anything like it.
Now consider what happens if we have 50 single sign on schemes, I don't see any advantage over having separate log ins.
So there has to be a critical mass for any of these schemes to be worthwhile, there has to be a reasonable cost structure and there has to be confidence that the operators of the scheme will not impose new costs or hidden restrictions at a future date.
I think that there is a value here but I think that both Liberty and Passport need to be radically rethunk before either can achieve the stated goals.
Before that happens however I think that there has to be a political realignment. In particular I think we need to get Liberty to stop promoting itself as a 'stop Microsoft' scheme and we need Passport and Liberty to agree to some form of convergence in the same way that Visa and Mastercard converged.
Specifically we should adopt SAML as the underlying architecture for global authentication. The ability to carry kerberos tickets and passport credentials is already designed into the SAML specs.
Once there is agreement on a technology base Liberty and Passport would both evolve into federated authentication brands in the same way that Mastercard and Visa have. There would be a strong assumption that merchants and web sites would support both brands rather than expecting consumers to cope with both sets of credentials.
Finally we need to work out who is going to actually pay for such a system to be established. Charging end users is really hard, charging merchants cuts out sites like slashdot. Where is the compelling value proposition? I believe that there is one to be found but we have not got there yet.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
In other words, it's *not* useful to the end user - it's useful to the service providers.
Sure it is. We implemented a passport-like service for all of our corporate systems. This way, you change your password once, and it changes everywhere. It has reduced the "I forgot my password" requests considerably, and allows us to enfoce regular password changes on a global level, instead of having each system deal with passwords differently.
The percieved problem of central systems on a global scale is simply that once the password is compromised, the whole system is compromised. Remember when car makers used to make one key for the door, and the other to the ignition? In the end it was proven that this generally added little to no security because both keys were on the same key ring. The same goes for passwords. I personally use 2 - 3 passwords accross all sites. You get one of my passwords and you can access almost half of the sites that I visit. Furthermore, most people that I talk to already use one password anyway.
My biggest concern for security is not the concept of centralized passwords, rather, it revolves around Microsoft's ability to design a secure protocol, and if that protocol becomes an industry standard so that Microsoft doesn't have Ultimate Power over the system.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips