The Liberty Alliance Grows Again

sempf writes "The Liberty Alliance, a Sun-backed open-specification alternative to the Microsoft platform's Passport system, has added two very powerful members, Oracle and Intel. Now over 150 members, one wonders at the future of a world where we have two single sign-on systems. With the three big IM platforms joining forces, is the identity standard of the world going to be Microsoft, or Sun? Is this going to be the next Browser War?"

Re:No.

[16K+Ram+Pack]

That's for a number of reasons.

- You have to pay to use it for your site.

- Lots of people don't trust Microsoft's security.

- Some people are concerned about single platform/single corporation.

I'd love to have a single ID.

Patent

[millahtime]

Does Microsoft have a patent on this kind of single signon? It sure wouldn't suprise me if they have one or one in the works.

They're all terrified of MS' power

So they're all finally joining forces.

Intel is terrified that Longhorn's .NET hardware independent toolset will allow MS to move away from x86 at will and set up their own chip division. MS can't grow their software division much more in a saturated market, but if they use their own chipset (or licence it to a couple of 3rd party suppliers) they can take over all of Intel's current profit.

Oracle is of course competing against SQL Server.

All these large IT companies have known for years that MS is going to eat their lunch, but they couldn't work out what to do about it.

The penny has finally dropped - the only way to combat MS is for them all to work together using common standards : hence, their support for Linux, the Liberty Alliance, J2EE and so on.

Re:They're all terrified of MS' power

[TheRaven64]

Actually, I think Intel is more keen to ditch x86 than MS. They tried to with the i860. They are trying with the IA64. I recall a few months ago an Intel representative stating that they thought x86 only had a couple of generations left. Unfortunately, they can't jump ship if AMD doesn't. Hopefully Longhorn will ship for several CPU architectures (as NT did), and will include something based on VirtualPC for running legacy x86 code.

Note that the only non-x86 architecture properly supported by Windows at the moment is IA64.

Re:They're all terrified of MS' power

[mikrorechner]

MS can't grow their software division much more in a saturated market, but if they use their own chipset (or licence it to a couple of 3rd party suppliers) they can take over all of Intel's current profit.

Mind you, it's not so easy to design a new chip with a performance comparable to Intels' recent x86 processors (or AMDs', for that matter). It would take a few years at least, and that is with buying some technology from others.
No, I think the only thing that might happen is a MS system based on PowerPC chips, as is happening with the next Xbox, AFAIK.

A pretty good standard

[Cyberax]

Liberty is a pretty good standard, it allows federated and distributed authoring instead of Microsoft's "only we know who you are" approach.

It's a shame that everything this alliance has produced up to date is just a pile of PDF specifications. Hope it will change soon.

Re:who cares?

[sim000]

Except it won't be the geeks who have control over this. A single sign-on system is something 99% of the population would welcome. Surprisingly (not?) most people aren't really happy about having to remember dozens of obscure passwords. But a war? Nah. Fight, maybe.

What Standard?

[jackb_guppy]

There a can be no indentity standard, because there can be no indentity.

IPs can be spoofed, mail foraged, add to that proxies and firewall... There is no way of telling who is really on either end of the connection. Now, add single signon security, without forced timeout of passwords and without heavy forced editing preventing reuse and dictonary attacks.

Look to windowsupdate.microsoft.com. Are you connecting to truly to microsoft? No, you are not. So you are taking a SECURITY download from a site, that may have an associtation with MS but not MS itself. Boy are we trusting.

So where does that leave the rest?

Re:No.

[blowdart]

Yes, but is anyone actually using Liberty? It's all very well signing companies on, but what web sites actually use the damned thing?

Reading the testimonials it's all fluffy, without implementation (excluding one company which seems to use it for internal enterprise authenication, which is a way different market to Passport)

Re:No.

[zimba-tm]

That really put the question :
- Why they can't do a protocol without wanting to take it for them ? :p

I mean, have you seen somewhere on the internet that all the emails have to be at hotmail ? :D

^^ This leads to :
Developp a free sign-on protocol
Use user@domain, so everybody can own it's informations (don't know if I expressed myself well enough)

Re:How about this...

[danheskett]

No, Sun's effort is as usless as MS's, since actual sites don't want to use it.. either MS or Sun.

It's all useless.

Re:Single Sign In

[TheRaven64]

This may not have been an entirely serious suggestion, but it is a much better idea. I would much rather store passwords locally and trust my own security than trust anyone else's (it may not be more secure, but at least it's my fault if it isn't). The only thing I would like to see a specification for is labelling fields in HTML forms so that they can be auto-completed with information from my vCard. Safari does a good job of guessing at the moment, but it's not perfect.

Re:No.

[SpaceLifeForm]

Well, maybe the 'browser war junk' as you put it still exists because *you* indirectly support it by 'dealing with multiple bwowsers'. Instead, why don't *you* just design your webpages to W3C standards and be done with it?

Suckers! Just what Big Brother wants!

[Blitzenn]

This article and the replies contained therein clearly demonstrate BIg Brothers ability to polarize the American public on who is the best provider of security while keeping the focus off the real issue at hand, the sytematic destruction of your personal privacy. Who cares which one is better! I don't want either! Who really believes you can catch the bad guys by keeping track of the good guys? We have proven that to be false and flawed, over and over, and that that approach simply doesn't work. The bad guys never abide by the system, but find ways around it. Does gun registration stop people from obtaining illegal guns for use in crimes? Does all the information a bank collects on you stop someone from ripping off your bank account? Meanwhile the rest of us have more and more laws to abide by, more hoops to jump through, more restrictions on our movements and more eyes watching our every move. Maybe if there were camera's in my house watching me, my neighbor wouldn't kill anyone. Wake up, before it's too late!

Nope, mostly just an industry interest group

[Ars-Fartsica]

Liberty Alliance has devolved into an industry interest and lobbying group. I dson't think there are any plans to roll out a united sign-on anytime soon. When Passport died, so did the utility of this body. One has to wonder why it still exists.

half solution

[DreadSpoon]

This is only a half-solution, however. It still requires creating separate accounts on each host, doesn't allow you to use computers other than your already configured Mac to access those sites, and doesn't let sites share authentication data. (i.e., site A authenticates you, site B authenticates you, and those two sites want to make sure they're both talking to the same person.)

There is a big different between actual single sign on and (for lack of a better word) hacks that auto sign on for you.

Re:half solution

[drinkypoo]

It's a short hop between having a keychain stored on one computer, and having a keychain stored in a smart card or iButton which you can carry with you and which is itself protected by strong encryption. It does require you to trust the computer the data is passing through but that is always an issue.

Liberty Alliance is low tech

[Orion+Blastar]

you download a form, fill it out, and send it back to them. No online verification, and no electronic forms. I give it a thumbs down. Join the 21st century, Liberty Alliance!

"Warning slippery when sarcastic!"

Re: or... yes!

[atomico]

Liberty-based Single-Sign-On is a very interesting solution, especially for mobile operators: entering usernames and passwords for each service using a phone is such a pain that allowing Single-Sign-On would increase acceptance of mobile subscription services. In addition, you already have a powerful means of authentication, the one allowing you to attach to the network and place calls.

Some vendors already have Liberty-compliant solutions ready for production, with mobile operators running trials. I am not allowed to name such operators, but here is a list of products conforming to Liberty specs . It is a very interesting market, where vendors with a telecom background clash against classical IT ones.

Cross-site scripting

[ngunton]

It seems like there is a major problem with cross-site scripting that is very hard to fix in all cases. For example, here's one related to Passport. The point is that css is hard to fix because you can't guarantee that another website that uses the same single signon system won't be vulnerable. So if there is a single signon system, then it seems to me that it's all only as secure as the most insecure website in the network.

Is there a difference anymore?

[C3ntaur]

Last I heard, Sun sold their soul to M$ for about $2 billion.