Slashdot Mirror


Liberty Alliance Completes Phase 2

g0_p writes "According to CNET the Liberty Alliance project released its phase 2 specifications for the Liberty Identity Web Services Framework. This will provide the much talked about 'single-sign-on' to multiple websites capability. Websites will be able to securely share information about the user including credit card data. The biggest benefit of sharing this kind of data is for people using web services through handhelds and mobile phones (Lesser buttons to click to buy birthday gift..). This may be significant, since many of the new phone models have web browsing capability and there is a considerable surge in sales. Now that this phase is complete we should start seeing this standard being implemented out there on the web. It would also be interesting to see how it stands up against Microsoft Passport in terms of security which has had troubles in the past."

14 of 105 comments

  1. Where this needs to come from... by pegr · · Score: 4, Insightful

    No initiative is going to work unless someone gets a major credit card company on-board to assume the risk, pure and simple.

    1. Re:Where this needs to come from... by pegr · · Score: 2, Insightful

      Sponsoring the project is not the same as assuming the risk. If it weren't for that little issue, this would have been done already (MS notwithstanding). MS has muddied the waters for the already risk-averse...

    2. Re:Where this needs to come from... by ePhil_One · · Score: 3, Insightful
      No initiative is going to work unless someone gets a major credit card company on-board to assume the risk, pure and simple.

      What they need is a compelling reason for consumers to want their web sites to share sign on information like credit card info. I certainly won't be shopping anywhere that plans to share my info with anybody else.

      All their marketing fantasy will hit the brick wall of consumer distrust and make a disgusting "splat" sound.

      --
      You are in a maze of twisted little posts, all alike.
  2. centralization == bad by Empiric · · Score: 5, Insightful

    Frankly, I don't want "single-sign-on", and I don't get why other people would either. The information I'd want to be available to my bank is completely different from what I'd want to be available to "Jim's Hardware Shack".

    Presumably, in order for this to work effectively, if you have one standardized set of information about "you", it would have to be the superset of information you'd need for all the sites you use. And, to be efficient from an implementation standpoint, I'd expect this information will be replicated all over the place in various caching mechanisms. This leaves your information fully available to web site operators reputable, disreputable, secure and hackable alike. As well as likely creating a situation where if your primary "record" is compromised, it could provide enough information to allow access "as you" to *all* the web sites you use. This seems like quite a high price to pay for the need to create a separate login for each site, which realistically, is probably on the order of a dozen or two registered sites a year for most users.

    --
    ~ Whence do you come, slayer of men, or where are you going, conqueror of space?
    1. Re:centralization == bad by DrEldarion · · Score: 4, Insightful

      I still don't see why this idea came around where they HAVE to store all your information on someone's server somewhere. Why not have it all be stored client-side and just have the user click a button to send everything? It can be heavily encrypted on the hard drive and over the connection, and you won't have to worry about someone hacking the server and stealing everything or worry about unwanted information sharing.

  3. Who cares? by sulli · · Score: 1, Insightful
    Did I ask for a single sign-on to a bunch of unrelated sites? No!

    I'd much rather control my own damn info and type the CC # into a lot of individual forms than have sites share my data. (Anyway, this problem is solved by browsers' auto-form-fill and auto-password features.)

    --

    sulli
    RTFJ.
  4. MS Passport... by herrvinny · · Score: 3, Insightful

    If Passport doesn't convert to the "Liberty Identity Web Services Framework", I fail to see how this can get wide consumer usage. Remember, people just want to buy stuff online, they don't want to learn about the differences between Passport and a services framework. Somehow they're either going to have to persuade MS to use the framework, or make a superior client that's easy to download (maybe make it an ActiveX control?) Of course, the problem is, Passport ships with Windows/IE, so it's going to be more quickly available than any other client.

    1. Re:MS Passport... by stevesliva · · Score: 2, Insightful
      Passport doesn't require a client, does it? I assume the real Passport server program ships with Windows Server 2003 and IIS, but there's no passport client per se... MSN messenger and originally XP registration forced you to get a MS Passport, but passport authentication works just fine with any modern web browser, or else Hotmail would be useless from non-Windows OSes.

      So anyways, if it's like Passport, really you just need to get large websites to use the Liberty Identity Service, and users of those websites will end up with Liberty Identity credentials.

      That's why MS loved signing eBay up for Passport...

      --
      Who do you get to be an expert to tell you something's not obvious? The least insightful person you can find? -J Roberts
  5. So click No by brunes69 · · Score: 4, Insightful

    If you are worried about this then stop clicking "Yes" to the "Do you want mozilla to remember this information" box. Or turn the feature off altogether.

    Don't make Mozilla out to be wrong just because you don't know how to read dialogs.

  6. The name is horrible by astrashe · · Score: 3, Insightful

    If I would see a car lot called "Honest Al's Used Cars", I'd hold on to my wallet. Honest people don't usually point out their own honesty.

    And when a bunch of big companies try to figure out easy and effective ways to share information about me, and call it "the liberty alliance", I doubt that liberty is uppermost in their minds.

    As everyone has pointed out, no one wants this stuff, and we'd all be better off if it just went away.

  7. Is it just me or.... by aberant · · Score: 3, Insightful

    When I think of ultimate security of my personal information it doesn't include giving it to some service to remember it for me because I am too lazy to pull out my wallet and type in some numbers. Heck, if I'm going that far I should just get a remote control for my computer so I can hit the amazon.com button on it and then hit the big red BUY! button. Anyway.. back to my point.. I don't trust that people that I don't know will take care of personal information better than I can.

  8. Went to a dog and pony show on this one by theendlessnow · · Score: 2, Insightful
    It was all crapola!!

    Liberty Alliance is a way for BUSINESSES to establish trust relationships with regards to YOUR personal data. Yep.. trust one vendor, and if he's a friend to another vendor (duh) they get your info as well. Isn't that convenient.

    One problem... you can't manage your own certificates!! HA!!

    One group was intentionally left out of the Liberty Alliance... us!!

    This is just a Sun-driven organization whose goal is to make sure their rip-off of Passport succeeds. It may not use a server centric model, but the result is the same. Your information going to people you didn't want it to go to without any means by which you can shut it down.

    In all fairness, I haven't seen this v2 thing. Maybe it has some fixes that protect the consumer in some way. When Sun did their presentation on this a year or so ago, EVERY major company in the audience RIPPED them apart with questions regarding the OWNERSHIP of their certificates. This is all about B2B and giving the shaft to the C.

    "Privacy and security are fundamental components of the identity issue, and Liberty's work has been developed with this in mind," said Piper Cole, chair of Liberty's Public Policy Expert Group and vice president of global public policy for Sun Microsystems. "Privacy is good for business and Liberty's mission is to provide the technology tools and business guidance to ensure good privacy."

    Your privacy is gone with the first trust made to a company YOU don't want to have your information. Until Liberty Alliance specifies a means by which certificates can be controlled, time limited and revoked by the INDIVIDUAL... this is just a Passport wannabe.

    1. Re:Went to a dog and pony show on this one by MassacrE · · Score: 2, Insightful
      A business _could_ take your personal information and publish it on their website (ignoring legal repercussions). What prevents them from doing so is this business policy that you are bashing.

      Businesses are.. well, in the business of making money. This means that they cannot afford to upset their customers by selling personal information. Even if you doubt this, they cannot risk the legal repercussions of sharing your credit card information then having the remote site hacked. There are now heavy legal restrictions in place for sharing of someone's "personal" information, differing per country. Being publicly blasted for being insecure and taken to court by some government does not promote their primary goal.

      If anyone had even bothered to read the Liberty overview, you'd see that it is extremely user privacy focused. For the default case, for instance, a user must have accounts set up on both services and choose to link the two services in order for liberty to 'start'. The token each service uses to talk to the other about you is a unique id, preventing different sites from being able to cross-reference information about you. Finally, personal information sharing is a service - and this service can be run on your local PC or cell-phone. You actually do have the ability to exert absolute control over your personal information sharing, by having all requests (say hypothetically a weather site asking for your zip code) go through a local policy engine to choose whether to always allow, always refuse, or to prompt.

      The purpose of federated identity is not to steal and sell consumers' personal information; it is to reduce IT costs due to multiple passwords within an enterprise, and to make online purchasing more secure, more private, and thus more trusted by the user. Only by making online commerce feel 'safe' to the end consumer can they really encourage mainstream consumer (i.e. buying) usage of the internet.
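
The two mechanisms the comment above describes (a unique id per service that prevents cross-referencing, and a local policy engine that allows, refuses or prompts), as an added example that is not part of the original comment or of the Liberty specifications. The HMAC derivation, the names `pairwise_handle` and `LocalPolicyEngine`, and the `.example` sites are assumptions made for illustration.

```python
import hashlib
import hmac
from enum import Enum

IDP_SECRET = b"constructed-demo-key"  # constructed sample, held only by the identity provider


def pairwise_handle(idp_secret: bytes, user: str, provider: str) -> str:
    """Opaque per-provider identifier for one user.

    Assumption: HMAC-SHA256 derivation, chosen so the example is deterministic.
    Each provider sees only its own handle and cannot compute another
    provider's handle without the identity provider's secret.
    """
    msg = f"{len(user)}:{user}|{provider}".encode()  # length prefix avoids ambiguity
    return hmac.new(idp_secret, msg, hashlib.sha256).hexdigest()[:32]


class Decision(Enum):
    ALLOW = "allow"
    REFUSE = "refuse"
    PROMPT = "prompt"


class LocalPolicyEngine:
    """User-held rules keyed by (requesting site, attribute). Hypothetical class."""

    def __init__(self):
        self._rules = {}

    def set_rule(self, site, attribute, decision):
        self._rules[(site, attribute)] = decision

    def decide(self, site, attribute):
        # No explicit rule means the user is asked, never a silent release.
        return self._rules.get((site, attribute), Decision.PROMPT)

    def release(self, site, attribute, profile, ask_user=lambda s, a: False):
        """Return the attribute value, or None when it is not released."""
        decision = self.decide(site, attribute)
        if decision is Decision.PROMPT:
            decision = Decision.ALLOW if ask_user(site, attribute) else Decision.REFUSE
        return profile.get(attribute) if decision is Decision.ALLOW else None


PROFILE = {"zip": "00000", "card": "constructed-card-number"}  # constructed
engine = LocalPolicyEngine()
engine.set_rule("weather.example", "zip", Decision.ALLOW)
engine.set_rule("weather.example", "card", Decision.REFUSE)
```

Two sites comparing the handles they hold for the same user find no common value, and a request with no matching rule is released only if the `ask_user` callback returns true.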

  9. The internet equivalent of a Social Security # by j0keralpha · · Score: 2, Insightful

    And so we continue to move closer to a single identifier per person. Your SS# is used for identity verification with nearly every social and financial service, and now we move closer to being wedded to another identifier. Whether we want it or not, Internet ID is going to move closer to this paradigm as time moves on. I've seen a lot of flamebait regarding 'YES to SSO' or 'DOWN with SSO!'. But this kind of consolidation is the same trend every vital service has moved towards.