Liberty Alliance Completes Phase 2
g0_p writes "According to CNET the Liberty Alliance project released its phase 2 specifications for the Liberty Identity Web Services Framework. This will provide the much talked about 'single-sign-on' to multiple websites capability. Websites will be able to securely share information about the user including credit card data. The biggest benefit of sharing this kind of data is for people using web services through handhelds and mobile phones (Lesser buttons to click to buy birthday gift..). This may be significant, since many of the new phone models have web browsing capability and there is a considerable surge in sales. Now that this phase is complete we should start seeing this standard being implemented out there on the web. It would also be interesting to see how it stands up against Microsoft Passport in terms of security which has had troubles in the past."
phase 2 was ????
Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.
No initiative is going to work unless someone gets a major credit card company on-board to assume the risk, pure and simple.
...called the Interoperability Prototype for Liberty.
Just to see what would turn up, I ran PMD over the source code - it came out pretty clean.
The Army reading list
Frankly, I don't want "single-sign-on", and I don't get why other people would either. The information I'd want to be available to my bank is completely different from what I'd want to be available to "Jim's Hardware Shack".
Presumably, in order for this to work effectively, if you have one standardized set of information about "you", it would have to be the superset of information you'd need for all the sites you use. And, to be efficient from an implementation standpoint, I'd expect this information will be replicated all over the place in various caching mechanisms. This leaves your information fully available to web site operators reputable, disreputable, secure and hackable alike. As well as likely creating a situation where if your primary "record" is compromised, it could provide enough information to allow access "as you" to *all* the web sites you use. This seems like quite a high price to pay for the need to create a separate login for each site, which realistically, is probably on the order of a dozen or two registered sites a year for most users.
~ Whence do you come, slayer of men, or where are you going, conqueror of space?
You may be surprised how much of your personal information Mozilla has been quietly collecting by watching your web browsing. Has it captured your driver's license number or credit card numbers or mother's maiden name yet? Check and see.
I'd much rather control my own damn info and type the CC # into a lot of individual forms than have sites share my data. (Anyway, this problem is solved by browsers' auto-form-fill and auto-password features.)
sulli
RTFJ.
There is also Source-ID which is a very full featured open source Java-based implementation.
http://www.sourceid.org/
the biggest bunch of fucking censoring hypocrates, thank you very much.
This tripe reads like a press release. Leading in with "According to CNET" is particularly deceptive when used here. I say that g0_p, the submitter, works for Ketchum, the public relations firm that represents Liberty Alliance. I also say that Robert Lemos the "CNET Staff Writer" responsible for the article, just took a press release and changed a few words. This is not his writing, nor are the other ten articles he "wrote" for CNET this week.
"They that can give up essential liberty to obtain a little temporary keystroke reduction deserve neither liberty nor keystroke reduction."
If Passport doesn't convert to the "Liberty Identity Web Services Framework", I fail to see how this can get wide consumer usage. Remember, people just want to buy stuff online, they don't want to learn about the differences between passport and a services framework. Somehow they're either going to have to persuade MS to use the framework, or make a superior client that's easy to download (maybe make it an ActiveX control?) Of course, the problem is, Passport ships with Windows/IE, so it's going to be more quickly available than any other client.
the biggest bunch of fucking censoring yet unable to spell hypocrites, thank YOU very much.
sulli
RTFJ.
censoring hypocrates
they're doctors?
If you are worried about this then stop clicking "Yes" to the "Do you want mozilla to remember this information" box. Or turn the feature off altogether.
Don't make Mozilla out to be wrong just because you don't know how to read dialogs.
Am I the only one here who's heard of Eduserv Athens? (Disclaimer: I am employed by Eduserv in a different department).
Athens has over 2,500,000 users (from UK and Irish Academia and the NHS) and allows secure single sign on to more than 300 resources. It has also been around for years (at least 7). So all this talk of secure single sign-on being "new" seems to be a bit of misinformation as far as I can tell.
Downside: Athens is not open-source :-(
Upside: Eduserv are a not-for-profit company that makes substantial grants back to academia.
Bus error in your favour. Collect 200kB
WS:Federation does.
In the federated identity world, the showdown is going to come between Liberty and WS:Fed. Liberty currently has the advantage of actually existing, and the spec followed a very open and transparent development model that was very inclusive (as spec development goes). WS:Fed on the other hand was developed behind closed doors by Microsoft and (to a lesser extent) IBM, and is just now applying for standards body recognition.
Another noteworthy point is that Liberty by design is very similar to Shibboleth, an Internet2 Middleware initiative for higher education federated authentication/authorization that has been very successful. Both are built off of Oasis's SAML spec. Shibboleth however places far more emphasis on user privacy.
Finkployd
the biggest bunch of fucking censoring homosexual hypocrates
you forgot 99% of the slashbot community are homosexual linux monkeys
It was dark and warm.
If I saw a car lot called "Honest Al's Used Cars", I'd hold on to my wallet. Honest people don't usually point out their own honesty.
And when a bunch of big companies try to figure out easy and effective ways to share information about me, and call it "the liberty alliance", I doubt that liberty is uppermost in their minds.
As everyone has pointed out, no one wants this stuff, and we'd all be better off if it just went away.
Does it run (on) Coherent ^H^H^H Linux?!!!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
I only know that Sun has a liberty compliant implementation. Does anybody know of an OSS project geared at being compliant? Also, I think one thing this project needs to tackle next is authentication strength. I may have app A and app B authenticating to one backend data source (i.e. Active Directory, LDAP, IMAP, etc) but app A may have more critical data and may require additional credentials (i.e. biometrics, smart card, etc). Being able to chain these credentials to the application's desired authentication strength is going to be key.
You never saw a fish on the wall with its mouth shut.
I would be ok with a single sign on capability for a certain category of sites (like all newspaper sites, all computer resellers, etc) but a single sign on for a variety of categories would just make me a little nervous. And plus, I have multiple identities for the various things I do on the web (business, personal, pr0n, etc) and I wouldn't be able to decide on one un/pw combo.
These days you hear about some potential technology, then a group of 10-50 companies form a committee, then maybe 10 years later if you're lucky the technology will actually be implemented. Of course, by then the technology is pretty much obsolete, and probably unusable by most of the industry due to patent encumbrance since most of the companies on the technology committee fought to have the pet patent inserted into the standard...
Sigh...The good ol' days!
When I think of ultimate security of my personal information it doesn't include giving it to some service to remember it for me because I am too lazy to pull out my wallet and type in some numbers. Heck, if I'm going that far I should just get a remote control for my computer so I can hit the amazon.com button on it and then hit the big red BUY! button. Anyway.. back to my point.. I don't trust that people that I don't know will take care of personal information better than I can.
Now my little brother only has to crack one password before he can buy his new Plasma screen...
Lesser?
My last customer (for a variety of reasons) was concurrently supporting iPlanet, Tomcat and JRun and wanted to be sure that their users could log into the central intranet site once and then have their credentials forwarded securely to the rest of their web based applications. We did something custom but an open standard that was built into a J2EE compliant application container would have been a very nice thing.
yea i stole your sig- whats the big deal, it sucked anyway.
AAARRRGGGHHH! It's "fewer buttons to click", not "lesser buttons to click".
This is worth wasting karma over. If you can't communicate clearly, how do you expect others to take you seriously? How do you expect to be able to CODE well?
Transcript show: self sigs atRandom.
SSO should be independent of your data sources. SSO doesn't rely on your billing address/information for authentication.
SSO is a token/cookie/uri that is passed between websites that accept the "token" as proof that you have been authenticated.
SSO doesn't take the user's data store and pass that along, each vendor maintains its own store and uses the token to authenticate from via an agent that handles this.
For example you can implement RSA ClearTrust on all of your sites/services but each user store remains to the application. An Agent simply parses the token, passes to the auth server and verifies the information. Your credit card number isn't passed and would be kept independent of your SSO.
SSO does not mean "Cyber Wallet" if that is what you fear.
Microsoft's Single Signon is a combination of LDAP/Active Directory, SSO and Wallet. It usually takes the combination thereof to complete that cycle. Hopefully this is not the direction of the stated sso implementation.
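The token flow the comment above describes (an opaque token passed between sites, each site keeping its own user store, no card data in transit), combined with the per-application authentication strength an earlier comment asks for, as an added illustration that is not code from Liberty, ClearTrust or any commenter. The HMAC-signed claims format, the shared key, the `acr` strength scale and the sample user store are all assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: the identity provider (IdP) and every service provider (SP)
# share this key out of band; real deployments would use per-SP keys or signatures.
IDP_SECRET = b"constructed-shared-secret-for-example"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(body: str) -> str:
    return _b64(hmac.new(IDP_SECRET, body.encode(), hashlib.sha256).digest())

def issue_token(subject, audience, acr, ttl=300, now=None):
    """IdP side: sign a minimal assertion. It carries an opaque subject id,
    the intended site, a short lifetime and the authentication strength
    (acr: 1 = password, 2 = password + second factor; constructed scale).
    No billing data travels in the token."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl, "acr": acr}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"

def verify_token(token, expected_audience, min_acr, now=None):
    """SP-side agent: accept the token only if it is untampered, meant for
    this site, unexpired and strong enough. Returns the claims or raises."""
    body, sig = token.split(".")
    if not hmac.compare_digest(sig, _sign(body)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    now = int(time.time()) if now is None else now
    if claims["aud"] != expected_audience:
        raise ValueError("token issued for another site")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    if claims["acr"] < min_acr:
        raise ValueError("authentication strength too low for this app")
    return claims

# Each site keeps its own record keyed by the subject id (constructed sample).
LOCAL_STORE = {"user-42": {"name": "Alice", "card_last4": "1234"}}

def login(token, audience, min_acr, now=None):
    """Map a verified token onto this site's own user record."""
    return LOCAL_STORE.get(verify_token(token, audience, min_acr, now)["sub"])
```

A token minted for app A is rejected by app B's agent, and a password-only token is rejected by an app that requires a second factor, while the card data never leaves the site that holds it.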
Consumer: "Lord Gates, only you could be so bold. When the US senate hears about this..."
....
Lord Gates: "Don't play games with me. You weren't on any mercy mission this time. We intercepted several credit card transmissions from you."
Consumer: "I don't know what you're talking about, I'm on a shopping mission."
Lord Gates: "You are a member of the Liberty Alliance and a traitor!" [to guards] "Take them away!"
Later, in a Passport meeting:
Lackey #1: "Holding her is dangerous... when the Senate hears about this..."
Lord Gates: "That won't be a problem. The US Senate has been disbanded. The Regional Sales Leaders have direct control now."
Lackey #2: "But how will you maintain control without the bureaucracy?"
Lord Gates: "Fear will keep them in line. Fear of our legal department."
The Saga Continues...
I accidentally typed libertyalliance.org into my location bar and what a surprise I received! Jerry Falwell is an asshole.
Healthcare article at Kuro5hin
There was a story here the other day about IBM filing a patent about this business practice. How will all of this pan out?
In case people have been asleep for the past 5-7 years, Yahoo has this already in place. I have a single login that I use to access my radio stations, my weather, my portfolio, my email, and for all Yahoo shops. The implementation is seamless and is working fine. This isn't breaking news, by any stretch of the imagination, and it certainly won't fly unless a major website (like Yahoo) is behind it.
Liberty Alliance is a way for BUSINESSES to establish trust relationships with regards to YOUR personal data. Yep.. trust one vendor, and if he's a friend to another vendor (duh) they get your info as well. Isn't that convenient.
One problem... you can't manage your own certificates!! HA!!
One group was intentionally left out of the Liberty Alliance... us!!
This is just a Sun-driven organization whose goal is to make sure their rip-off of Passport succeeds. It may not use a server centric model, but the result is the same. Your information going to people you didn't want it to go to without any means by which you can shut it down.
In all fairness, I haven't seen this v2 thing. Maybe it has some fixes that protect the consumer in some way. When Sun did their presentation on this a year or so ago, EVERY major company in the audience RIPPED them apart with questions regarding the OWNERSHIP of their certificates. This is all about B2B and giving the shaft to the C.
"Privacy and security are fundamental components of the identity issue, and Liberty's work has been developed with this in mind," said Piper Cole, chair of Liberty's Public Policy Expert Group and vice president of global public policy for Sun Microsystems. "Privacy is good for business and Liberty's mission is to provide the technology tools and business guidance to ensure good privacy."
Your privacy is gone with the first trust made to a company YOU don't want to have your information. Until Liberty Alliance specifies a means by which certificates can be controlled, time limited and revoked by the INDIVIDUAL... this is just a Passport wannabe.
And so we continue to move closer to a single identifier per person. Your SS# is used for identity verification with nearly every social and financial service, and now we move closer to being wedded to another identifier. Whether we want it or not, Internet ID is going to move closer to this paradigm as time moves on. I've seen a lot of flamebait regarding 'YES to SSO' or 'DOWN with SSO!'. But this kind of consolidation is the same trend every vital service has moved towards.
Your mare does not require a login!
That's right, the human brain. Go ahead -- try to steal mine and decode the information stored within.
In fact, pulling it off would probably net you a Nobel prize to call your very own!
Somebody get that guy an ambulance!
As long as I've lived, I've been able to securely transfer money from my bank account, and at least for a decade, I've been able to do so electronically. Why won't online merchants accept this?
When I buy something through mail-order, I order, you send an invoice (electronically, or by snail-mail), I pay, you send the goods. Is that too fucking hard?