Slashdot Mirror

← Back to Stories (view on slashdot.org)

Liberty Alliance Completes Phase 2

Posted by Hemos on from the fighting-hailstorm dept.

g0_p writes "According to CNET the Liberty Alliance project released its phase 2 specifications for the Liberty Identity Web Services Framework. This will provide the much talked about 'single-sign-on' to multiple websites capability. Websites will be able to securely share information about the user including credit card data. The biggest benefit of sharing this kind of data is for people using web services through handhelds and mobile phones (Lesser buttons to click to buy birthday gift..). This may be significant, since many of the new phone models have web browsing capability and there is a considerable surge in sales. Now that this phase is complete we should start seeing this standard being implemented out there on the web. It would also be interesting to see how it stands up against Microsoft Passport in terms of security which has had troubles in the past."

9 of 105 comments (clear)

  1. Where this needs to come from... by pegr · · Score: 4, Insightful

    No initiative is going to work unless someone gets a major credit card company on-board to assume the risk, pure and simple.

  2. centralization == bad by Empiric · · Score: 5, Insightful

    Frankly, I don't want "single-sign-on", and I don't get why other people would either. The information I'd want to be available to my bank is completely different from what I'd want to be available to "Jim's Hardware Shack".

    Presumably, in order for this to work effectively, if you have one standardized set of information about "you", it would have to be the superset of information you'd need for all the sites you use. And, to be efficient from an implementation standpoint, I'd expect this information will be replicated all over the place in various caching mechanisms. This leaves your information fully available to web site operators reputable, disreputable, secure and hackable alike. As well as likely creating a situation where if your primary "record" is compromised, it could provide enough information to allow access "as you" to *all* the web sites you use. This seems like quite a high price to pay for the need to create a separate login for each site, which realistically, is probably on the order of a dozen or two registered sites a year for most users.

    --
    ~ Whence do you come, slayer of men, or where are you going, conqueror of space?
    1. Re:centralization == bad by DrEldarion · · Score: 4, Insightful

      I still don't see why this idea came around where they HAVE to store all your information on someone's server somewhere. Why not have it all be stored client-side and just have the user click a button to send everything? It can be heavily encrypted on the hard drive and over the connection, and you won't have to worry about someone hacking the server and stealing everything or worry about unwanted information sharing.

    2. Re:centralization == bad by stevesliva · · Score: 4, Interesting
      SSO in its standard form simply allows using the same identity and credentials at multiple sites. Your SSO credentials are only the intersection of all sets of personal information needed by SSO sites, not the superset. Each site then stores additional information hashed with your unique SSO id. It's a matter of debate what that intersection should be:
      • Username/Identifier
      • Password/PIN/etc.
      • Secret Question?
      • Secret Answer?
      • Zipcode?
      • etc...
      It is possible to have SSO with only the first two, but the many numbnuts that forget their password require some secure form of reset.
      --
      Who do you get to be an expert to tell you something's not obvious? The least insightful person you can find? -J Roberts
  3. Remember what Franklin said by Anonymous Coward · · Score: 5, Funny

    "They that can give up essential liberty to obtain a little temporary keystroke reduction deserve neither liberty nor keystroke reduction."

  4. So click No by brunes69 · · Score: 4, Insightful

    If you are worried about this then stop clicking "Yes" to the "Do you want mozilla to remember this information" box. Or turn the feature off altogether.

    Don't make Mozilla out to be wrong just because you don't know how to read dialogs.

  5. Passport does not compete against Liberty by finkployd · · Score: 4, Interesting

    WS:Federation does.

    In the federated identity world, the showdown is going to come between Liberty and WS:Fed. Liberty currently has the advantage of actually existing, and the spec followed a very open and transparent development model that was very inclusive (as spec development goes). WS:Fed on the other hand was developed behind closed doors by Microsoft and (to a lesser extent) IBM, and is just now applying for standards body recognition.

    Another noteworthy point is that Liberty by design is very similar to Shibboleth, an Internet2 Middleware initiative for higher education federated authentication/authorization that has been very successful. Both are built off of Oasis's SAML spec. Shibboleth however places far more emphasis on user privacy.

    Finkployd

  6. Any OSS implementation's by IA-Outdoors · · Score: 4, Interesting

    I only know that Sun has a liberty compliant implementation. Does anybody know of an OSS project geared at being compliant? Also, I think one thing this project needs to tackle next is authentication strength. I may have app A and app B authenticating to one backend data source (i.e. Active Directory, LDAP, IMAP, etc) but app A may have more critical data and may require additional creditional (i.e. biometrics, smart card, etc). Being able to chain these credentials to the applications desire authentication strength is going to be key.

    --
    You never saw a fish on the wall with its mouth shut.
  7. Passport Wars by Aspasia13 · · Score: 4, Funny

    Consumer: "Lord Gates, only you could be so bold. When the US senate hears about this..."

    Lord Gates: "Don't play games with me. You weren't on any mercy mission this time. We intercepted several credit card transmissions from you."

    Consumer: "I don't know what you're talking about, I'm on a shopping mission."

    Lord Gates: "You are a member of the Liberty Alliance and a traitor!" [to guards] "Take them away!" ....

    Later, in a Passport meeting:

    Lackey #1: "Holding her is dangerous... when the Senate hears about this..."

    Lord Gates: "That won't be a problem. The US Senate has been disbanded. The Regional Sales Leaders have direct control now."

    Lackey #2: "But how will you maintain control without the beaurocracy?"

    Lord Gates: "Fear will keep them in line. Fear of our legal department."

    The Saga Continues...