Slashdot Mirror
Liberty Alliance Having Problems
torre writes "This article would suggest that there seems to be some chaos in the Liberty Alliance fight against Passport. Between Sun's Jonathan Schwartz claiming defeat to Microsoft as it has the market tightly controlled with the help of windows to Novell's Justin Taylor who says that Microsoft's Passport has got nothing to offer when it comes to the enterprise. Should be interesting to see how things pan out."
Umm... did you think this over, really seriously? I was a user of DigitalMe, and it made my Internet life a helluva easier. I could securely log into all of my services without having to know more than one password by heart. I could personalize most of those services, using just a browser and my account at DigitalMe. I had some messaging and e-mail options at disposal just as an added benefit. I all worked together. (Unfortunately, Novell discontinued the service, but that's their old illness: got a lot of cool technology, but incapable of making profit outta it.)
Nonetheless, I can clearly see the advantages the industry and private individuals would have from Liberty alliance's efforts. Note that I didn't even mention the B2B features that the Liberty Alliance is working on.
Sigged!
...stories like these were properly labeled as "MS Troll" instead of "Technology", that way I could filter them out.
The article basically says "We can't get into Passport's market share because MS forced people to sign up." That's a fair statement except for one minor detail: Massive numbers of people aren't running around saying "I need a single log-in point across multiple domains!".
If the demand's not there, bleating about MS beating you isn't going to make it better. Frankly, I think the only reason this article made it to Slashdot is that juicy little line about MS "forcing" people to sign up with Passport.
I can't be the only one who'd like to filter these stupid articles.
Except for a few select Microsoft sites which use it, (You really have the same thing for AOL), no site I have visited in the past 2 years has used Microsoft Passport (tm).
I can't believe they think that Microsoft has the market 'tied down'. How hard would it be to develop a new client authentication scheme and convince the millions of websites out there NOT using passport to use your new scheme? Sure it may be hard in some cases, but there is a hell of a lot of room for getting a huge chunk of the market.
As a browser plugin ? That way the person decides who can access their information ? The keys, credit card and personal information/etc. are stored in an encrypted file on the machine and only those with permission can get at the information ? It would eliminate the need for a hugemungous server (run by an evil corporation) and this way it would be pretty simple to access the information (with some authentication of course) and not need to pay an arm and a left testicle to an Evil Corporation..
UPS Sucks
I can log into my services securely too, and know only one password. It's quite easy.
:P
Set all of your passwords to be the same.
The only reason that Passport is useful is because it tries to dip its finger into a lot of pies at the same time. The end result is that corporations find out a lot more about your surfing/buying/playing habits than they otherwise would. In other words, it's *not* useful to the end user - it's useful to the service providers.
This article seems to have written in a deliberately misleading manner from a few out of context quotes. They put words in a Sun executives mouth (as far as I can see nobody has "conceded defeat") and then makes out that there is a rift because others haven't "conceded defeat".
One of the thing the Sun guy says is "I don't think it will be very long before we have a pervasive non-Microsoft client". That doesn't sound like conceding defeat to me.
My browser (Mozilla) stores my passwords. Don't see why I need a network-based service, controlled by someone else, subject to snooping, stealing, or worse, when the browser on a PC I control will do the trick.
sulli
RTFJ.
Give me liberty or give me something else. I'm cool with either, really.
Microsoft added a fake left curling single-quote to most of it's fonts about ten years ago. Toy 'desktop' systems like Word, MS Publisher, BOB use these quotes in order to look 'cool'.
Standards-based browsers: Netscape, Mozilla, Konqueror, Opera don't nesesarily display this non-standard 'quote' the way IE does. They default to showing a question mark when confronted with theis non-standard quote.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
Well that was a refreshingly content-free article, allow me to summarize:
Sun: Windows is better at whatever Liberty/Passport does
Novell: Maybe in the home market, but we do whatever Liberty/Passport does much better in the Enterprise!
Netegrity: Maybe Microsoft does whatever Liberty/Passport does better on Windows, but the true value is doing that cross-platform and cross-domain!
I still don't see how any of this is more than a niche market. Yes, there is a need in large enterprises for single sign-on, but that's largely a Fortune 100 issue, so no huge market there. For smaller companies, it's far cheaper to staff a helpdesk than it is to do an enterprise single-sign-on implementation. Yes, home-users have to manage a lot of userids and passwords too, but integrated browser password functions cover the 90% of people who don't move from their base computer. So for the home as well it's a niche function.
The only value I see is the value of Microsoft or AOL with extending their MSN or AOL login to new functions and thereby making it more "sticky", giving users an effective barrier to leaving their service. To me, that's really all this posturing is about.
Also, I fail to see why my cell-phone and my SSH session need to share a password.
P.S. Justin Taylor is a big geek. 8-)
- "When you want something with all your heart, the entire universe conspires to give it to you" -Paulo Coelho
:s/correct all the mistakes they made in/make more money on
Six sick
The AOL-Sun-Netscape alliance and the other charter members definately have the ability to push Liberty, but perhaps not the will.
If they wanted to AOL, Netscape, Mastercard, Visa and American Express could deliver a *staggering* amount of particpants. This would dwarf the several million Microsoft passport holders overnight.
I think that the main problem here with Sun's technical leadership is that it's too busy trying to work out what it does for a business to worry about taking on Microsoft in yet another arena.
Another reason is that the when you're a holding a hammer, everything looks like a nail.
Sun sees Liberty as a battle with Microsoft, Novell sees it as glorified LDAP server, while the credit card and mobile phone companies see it as a targeted advertsing and aggregation tool.
The conflict is being caused by each charter member having a different vision of what Liberty actually *is*.
Full disclosure time, I work for Andre Durand who setup Jabber Inc and whos latest venture is PingID. We got together, along with Adam Theo (who got our server slashdotted with the ransom thingy a few weeks back) because we'd been working on open source digital identity for about a year. Andre knows the balance between commercial and open source well in our opinions, and he's been sponsoring the effort.
I've been to DIDW 2002, met the guys designing the protocols and met Justin Taylor from Novell. All those links were to say, I've been following this scene since before people were talking about "identity" and I want to shout my thoughts loud and clear.
Firstly, the idea that Microsoft have authentication tied down is laughable. Passport is in its current incarnation a piece of crap. By version 3.1 I'm sure it'll be peachy, but right now it stinks. The extent of their "integration" with Windows is having IE6 use some native dialog boxes instead of web forms and being able to automatically sign on when you login (does anybody actually use that?). It is most definately possible to do something better than this in a seamless enough way that users would go for it. In fact when I was in Denver me and Adam sketched out an idea for how to do it.
Secondly, the Alliance is a rather mixed organisation. It's made up of lots of big corps who are not in fact enormous big baddies who want to steal your privacy just for the hell of it, but they do want to enable better business relationships. The example Esther Dyson gave was that the airline company should remember whether she likes window seats or not. I'm sure some Slashdotters would find this freaky/scary but she is a smart lady and she knew that she wanted that kind of information to make her life easier.
BUT - the LA is attempting to tackle a slightly different problem to the one that interests me and Adam. What we want to do is simple: we want to be able to run a server on theoretic.com that lets me sign in to Slashdot with my network address, lets me sign up for mailman mailing lists without inventing passwords each time, links my Jabber account with my email account with my personal profiles so people can locate me based on interest, so I can sign in to Linux GDM with my network address and get my roaming desktop and so on. We have LOTS of ideas! :)
What the LA are doing is linking currently existing identities together. They gave a demo of the technology in Denver. In fact, it was Justin Taylor who did this demo. It was entirely corporate focussed, they started from an intranet and were automatically signed in to some flight reservation service. That sort of tech has its place, and they're being realistic in that linking identities is a good way to start until people start getting their own identities hosted for them like email addresses.
The LA has some good points to it, don't mindlessly bash it. However, it also has some bad points. One is the stupid requirements for membership, which they admitted to me privately are basically to keep the little guys out. Another is the hideous complexity of their protocols. The ones we've developed sacrifice a small amount of flexibility for a huge increase (imho) in implementability and understandability.
Well having plugged it now (i seem to be plugging a lot of my projects today), I guess I'd better point out that what we're doing actually consists of two parts. The first is the protocol. This is (currently) called the Genio Protocol, and will be getting its own website soon (look for an announcement here when it does). It's simple, open and as far as we know free of IP claims. The second is the SourceID reference server, which is under a pseudo open source license.
We have user profiles working, and I was coding up basic tickets functionality (authentication/authorization tokens) last weekend. Hopefully genioprotocol.org will be up soon and then it'll make more sense.
Believe me, this is totally scratching an itch on my part (though I do get paid for it now too [grin]) because I think a good set of solid open digital identity protocols will make my life easier, and totally kick ass into the bargain.
I wrote most of the SAML specs which are the basis of the Liberty design. I really wish that people would stop trying to define the problem as one company bashing another.
I have absolutely no interest in the issue of whether Sun can stop Microsoft or Microsoft can stop Sun. I have been trying to deploy global authentication schemes for ten years now, I believe that the problem is sufficiently hard that it is not going to be solve by any party that makes its primary objective the defeat of another party.
First off lets recognize that companies working together can be a good thing for the consumer and can also be a bad thing. It is good when stuff works together, it is bad when working together effectively means a cartel.
I don't fault Microsoft for using their deployed base to build the user base for passport. After all AOL did the same thing by buying up rival instant messaging services.
What I do not see is how any party can reasonably expect the idea of global authentication to turn into some sort of monopoly. The competative forces involved are just too great.
Consider the problem of getting access to my frequent flyer plan at United. It would be pretty handy if I could simply log on to United transparently through my browser without having the browser store lots of personal data on my machine that could itself be a security vulnerability. On the other hand I don't see United paying anyone $10 per year for the privillege of offering this facility or anything like it.
Now consider what happens if we have 50 single sign on schemes, I don't see any advantage over having separate log ins.
So there has to be a critical mass for any of these schemes to be worthwhile, there has to be a reasonable cost structure and there has to be confidence that the operators of the scheme will not impose new costs or hidden restrictions at a future date.
I think that there is a value here but I think that both Liberty and Passport need to be radically rethunk before either can achieve the stated goals.
Before that happens however I think that there has to be a political realignment. In particular I think we need to get Liberty to stop promoting itself as a 'stop Microsoft' scheme and we need Passport and Liberty to agree to some form of convergence in the same way that Visa and Mastercard converged.
Specifically we should adopt SAML as the underlying architecture for global authentication. The ability to carry kerberos tickets and passport credentials is already designed into the SAML specs.
Once there is agreement on a technology base Liberty and Passport would both evolve into federated authentication brands in the same way that Mastercard and Visa have. There would be a strong assumption that merchants and web sites would support both brands rather than expecting consumers to cope with both sets of credentials.
Finally we need to work out who is going to actually pay for such a system to be established. Charging end users is really hard, charging merchants cuts out sites like slashdot. Where is the compelling value proposition? I believe that there is one to be found but we have not got there yet.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/