Open-Source ID Project Awaits Microsoft's Blessing

An anonymous reader writes to mention that an open-source alternative to Microsoft's CardSpace tool has been on hold for months while they await patent blessing from the Redmond software giant. "While CardSpace is available on Windows, one goal of the Higgins project is to cover other operating systems. Higgins wants to offer an open-source alternative that works on Windows and on alternatives such as Linux and Mac OS X. The application would work similarly to CardSpace."

i too

[legallyillegal]

i too await microsoft's blessings... wait, those aren't blessings!

Re:i too

[Gerzel]

The Pope blesses with Holy Water.

The Balmer with Holy Office Chairs.

stop waiting, just do it

[jacquesm]

and reap the PR bonanza if you should get sued.

Never mind waiting for an ok on a patent license, I waited for over a year for
Fraunhofer/Thomson to get of their asses but unless you are hitachi or so they
will simply ignore you.

Re:stop waiting, just do it

[truthsearch]

I agree. They're only promoting the use of software patents by waiting for a license. They're validating Microsoft's stance. Implement it anyway and contact the EFF and others when the lawsuit notification arrives.

Of course I'm glad I'm not them. It's easy to tell others to stand up to a wall of lawyers than to do it myself.

Re:stop waiting, just do it

[JackMeyhoff]

Open source developers cannot do this because of EGO they have to have their name in NEON LIGHTS, and thus they get sued, and the concept of open source fails in this scenario. What we need is not only OPEN source but also ANONYMOUS source, but that wont happen with the ego development model.

Re:stop waiting, just do it

[jacquesm]

that's actually a really good point.

The 'coin' in open source very often is the recognition, similar to the recognition
academics get for their work.

There was a movement called 'ego-less' programming about two decades ago that tried
to get people to not be so defensive about their mistakes, quite possibly you've hit
the nail quite accurately about *2* things that may be fundamental problems with OSS.

the first is the inability of certain developers to change tack because they become
so attached to 'their' solution that they'll make it live way past its usefulness
(the Linus / Tanenbaum microkernel discussion comes to mind), the second that by being
very visible OSS developers can become lightning rods for corporations that feel
threatened by the products of those developers.

Anonymous source, bring it on !

Re:stop waiting, just do it

[JackMeyhoff]

When they mod it as Flaimbait that is just backing up my point about EGO being a huge factor in the model.

Re:stop waiting, just do it

[Tony+Hoyle]

It's not just OSS - ego is a big problem in the commercial realm too.

If takes a lot to work on something for years then hand it over and watch someone do something *completely different* with it.

Some are never able to do that - I've worked at a place where the boss wrote the first version of the software and absolutely everything - right down to bug fixes - had to be approved by him. Then he'd go away at the weekend and rewrite half of it... badly...

Re:stop waiting, just do it

[Cozminsky]

Your software is only useful if poeple can legally use it. Businesses won't touch it if there is a threat that some powerful multinational is going to squash them because they don't have a patent license. Does anonymity really help in this instance?

Good luck with that

[eln]

And people in Hell are waiting for ice water.

Seriously, I know Microsoft loves to talk a lot about interoperability with OSS projects, but most of it seems to be PR-driven rather than reality-driven.

Re:Good luck with that

[TheMeuge]

Seriously... I hope they're not holding their breath.

Re:Good luck with that

[mgiuca]

Of course it is. Microsoft as a business survives on the single fact that there is no interop with OSS. If there was, their market share would erode and there would be a slippery slope down to OSS.

They are a bit backed in however, because they have to make it look like they're interested in interop, because everyone wants interop.

The prime example is the Novell deal, which is apparently made out of interop. But if they were actually interested in interop, they might actually start publishing some specifications (such as SMB) instead of just talking about it.

Re:Good luck with that

[plague3106]

No, MS wants interop, and they seem to realize they need to play with standards.

The CardSpace cards idea is backed by others, including Sun. All the technology it uses is standard WS-* specifications. The only proprietary part is the Card Selector interface, which each OS needs to develop for themselves. I was even shown the Html tags that Firefox would need to interperate to know it needed to deal with the CardSpace.

As another example, by default, VS 2005 Asp.net projects target strict Xhtml 1.1; all the controls emit strict Xhtml 1.1 unless told not to. An odd choice for a company that supposedly hates standards.

The reason MS isn't going anywhere anytime soon is the same reason they are still here; they actually DO learn from their mistakes. MS's first attempt at something like this was Passport.. and they know why passport failed.

Re:Good luck with that

[mgiuca]

No, MS wants interop, and they seem to realize they need to play with standards.

Play with standards is right.

When MS does interop, it is under their terms. For example, they won't help the Samba project one shred, and go out of their way to make their SMB protocol more confusing to hinder (or "fuck with", as one MS engineer was apparently quoted as saying) Samba.

They refuse to work with the ODF format. It doesn't play by their rules.

But if MS is dictating the terms, sure we'll interop then. That's why they released OOXML to compete with ODF - sure it's "interop" (it's an open format), but it's under MS's terms. It's a format they have control of, their software is 100% compatible with, and they can change at any point.

You won't see MS get interested in interoperability using other people's standards (and when they do, they're trying to Embrace/Extend/Extinguish, a la HTML).

Binding?

[starseeker]

One thing that is not clear to me is whether these "promises" not to sue on various patents have any legal standing. IANAL so perhaps there is some principle of "public statement of intent" that would contrain their actions, but with no signed contract or agreement in place not to sue couldn't a management change bring about a new policy on those patents?

I think the MAD principle is still what's holding back a patent war in the US (plus a hot and heavy patent fight harmful to the industry might spur software patent reform) and I can't see why Microsoft, as a corporate entity, should be trusted in the least.

Plus, the principle of legal intimidation is still all that is really needed here, not actual victory in a patent case - most open source projects don't have the resources to defend themselves from even a non-valid challenge. That's why MAD is effective where even legal safety might not be - sort of a "don't beat up on the weak kid or you'll start a brawl" effect.

The problem with open source in a legal sense (at least in the US) is that open source volunteer projects need some condition where they CAN'T be sued, and as I understand it that simply isn't possible under the US legal system where anyone can sue anyone else for anything. The suit may not be valid but until that's decided it can go ahead in any case and the accused MUST respond or risk a default judgement against them. Patents make being on unshakable ground impossible in general for anything nontrivial, and once a project is deprived of the ability to assume an absolutly invulnerable position (except not doing the project) the waters get murky fast.

Actually, the alternative is Microsoft

[postbigbang]

It's a neo-condescending sort of way to describe it, but fresh meat is fresh meat. Perhaps Microsoft has an XML open document format that they'd like to try in return ;)

sure...

[Grinin]

Yeah I'm sure they'll give their blessing......... and the Pope's Muslim.

Re:sure...

Wait, what's wrong with their OWN Muslim? Why are they taking away the Pope's Muslim and give HIM to 'em?

Re:sure...

[MattPat]

Shhh! Keep it down, you'll offend the Catholics, you insensitive clod!

Here's how you get MS's blessing...

[BalkanBoy]

1) liquidate all your capital assets
3) put proceeds in a bank account, offshore, anonymously if possible, or hide it real well somewhere (bury the gold bullion somewhere)
4) violate the patent by promoting your project
5) sleep every night in a different location. Do not repeat a location unless you've been to at least 364 other locations previously (or better yet, 364*2+1)
6) be prepared to move to a warm location like San Diego, Mexico, Hawaii, where you can bum on the street while your project takes off, becomes so big and gains eventual acceptance like anti-DRM-ed media is about to.

Somewhere along the way, if you are married, divorce your wife, pay her alimony till she gets a job, and leave some cash for the children. Only in this 'revolutionary' manner will you get a blessing from MS. Of course, whether you should do this, is entirely up to your imagination.

Re:Here's how you get MS's blessing...

[gardyloo]

I'm sorry, but you've broken one of the central tenets of slashdot, having to do with numbered lists. I actually didn't recognize your list for what it is, because it had no steps of the form "... Profit!"
      This is just a warning.

Re:Here's how you get MS's blessing...

[Nermal6693]

Or a step 2 for that matter.

Good luck with that.

[Rob+T+Firefly]

I'm sure the blessing of this open-source ID thing is right on Microsoft's to-do list, just after they bless ODF, Linux, OpenOffice, FreeDos, Media Player Classic, Minesweeper 3D, and everything else out there that is an open, free, viable alternative to core proprietary Microsoft products.

Why do you need blessing?

[guruevi]

I would just put it out, worry about legalities later. And why didn't you choose for open software in the first place? There is OpenID which has far more support and possibilities and you won't have to worry about blessings by anyone.

Could probably research this myself, but I'm lazy

[Rinisari]

What's the difference between the Higgins project and OpenID?

Ask the EC for help

[RiffRafff]

Maybe the committee could bring it up during their next round interoperability talks with MS.

So does this mean Microsoft is Inventive?

[DelawareBoy]

If OSS is trying (and succeeding from what I understand) to mimic CardSpaces within Windows and other OSS's, does this mean that Microsoft is actually being innovative? Or is this technology the "same old crap" that has already been written better and freely available? And, if it's the same old crap, why waste good OSS dev cycles trying to re-invent whats already out there, instead of pointing end users to that?

Re:So does this mean Microsoft is Inventive?

Despite what many in the OSS community would like to believe MS does come up with a lot of good ideas, doesn't always implement them particularly well but the innovation is there. Cardspace is trying to give a consistent user experience regardless for identity, something that has been long needed, attempted by many and failed misserably by all so far. Cardspace "could" be a winner here.

Just release it to other contries!

Please release it to countries without insane copyright laws!
Germany for example has no software patents, so you are free to release any open source software there.
There is no reason, why US innovation-hindering patent-laws should hinder other countries too!

Re:Could probably research this myself, but I'm la

Gates would rather give Microsoft's own Hailstorm/Passport preference over the other digital ID stuff.

http://yro.slashdot.org/yro/07/02/06/2152214.shtml

WTH?

OpenID are having to await MS's blessing???

Given that I've known about OpenID for over a year, and I've never heard of MS "CardSpace" until reading this, suggests that the blessing should be the other way around.

Re:WTH?

Given that I've known about OpenID for over a year, and I've never heard of MS "CardSpace" until reading this, suggests that the blessing should be the other way around. That's 'cos it used to be called InfoCard. If you haven't heard of that, you aren't reading all the right blogs :-p.

Microsofts Blessing

[nurb432]

Why do i get a feeling they wont ever get it, and this is just the beginning.

Microsoft's agenda

Why is he awaiting Microsoft's blessing in this?

Is this really the agenda behind Microsoft's seeming acceptance of open source? If everyone has to queue up to get Microsoft's blessing, then I strongly suspect that only the ones that Microsoft deems unworthy/unprofitable will be acted upon! All others will be stalled until Microsoft has either (a) their own product ready to release or (b) enough IP to drive it into oblivion.

Release it anyway! Remember, it is always easier to beg forgiveness than ask permission.

As usual, clulessness abounds

[notaprguy]

Folks, the whole intent of "InfoCards" is to provide an easy way for users to authenticate regardless of platform/OS. There is nothing proprietary about InfoCards."CardSpace" is a feature of Windows that will help Windows users manage their "InfoCards." MSFT hopes and expects that a variety of organizations (commercial, govt, non-profits etc.) will issue and accept InfoCards and that software developers will build tools/UI's/apps for managing InfoCards on a variety of platforms. The whole premise of InfoCards is to make it easier for users to manage their credentials in a secure way so they don't end up using low-security passwords (mymomsbirthday). It's fairly cool the way it works. The user doesn't actually send any personally identifiable information across teh wire. Here's an example of how it might work: 1. User goes to www.amazon.com. 2. User creates an Amazon account, creating a user name and a password. 3. Amazon asks user if they'd like to get an "InfoCard" which would make it easy and more securely log-on to Amazon next time. 4. User says yes. 5. Amazon sends (via Web standards, nothing proprietary to MSFT or Windows) the user an encrypted token. The token might come with an Amazon-branded digital "card" that visually represents the Amazon account and token. 6. The next time the user goes to Amazon he/she can log-on to Amazon using the InfoCard instead of user name and password. When this happens they send the token issued to them by Amazon where Amazon checks to see if it matches their records.If it does they can access their Amazon account. The advantage of this appraoch are several. Users no longer have to create/remember numerous passwords which is a big convenience. The Amazon's of the world like it because with encrypted tokens it is much harder to password guess to access accounts. No more simple/easy to guess passwords. Ultimately this reduces online fraud and saves us all money. No system is 100% secure but this would help. My understanding is that OpenID and others might create systems that interoperate with/support "InfoCards" which would be a great thing.

Re:As usual, clulessness abounds

[jZnat]

So, uh, what's wrong with Smart Cards then? NIH syndrome?

Re:As usual, clulessness abounds

[plague3106]

Thanks for providing the only sane post I've read so far.

I actually attended an MSDN event last week, and CardSpace as one of the topics. Its goal is similar to Passport, which the presenter admitted failed. They also know why they failed; because no one wanted to give MS all their personal information when MS wasn't involved in the transaction in any way.

MS WANTS others to implement this, and the whole thing is built on web service standards. CardSpace is just the card manager / selector on Windows; they fully expect Apple, Linux and other OSes to implement their own UI. Also, there's a blog of Html that ANY browser can be made to recognize that will cause the user to be prompted for their card.

There's only one thing wrong with the above post; the user does NOT create a card for Amazon; instead Amazon would issue a managed card. Actually in all likely hood your bank would issue a card with your CC information in it. Users CANNOT create a card with account information in it.

Re:As usual, clulessness abounds

[plague3106]

Its a physical device. It may not always be attached to the computer, so its not as convenient when someone wants to buy something from the web. Manufacturing costs are much higher for Identity Providers than sending out an electronic file.

Re:As usual, clulessness abounds

[notaprguy]

Thanks for the clarification.

Re:Could probably research this myself, but I'm la

[Anonymous+Cowhead]

Higgins claims to be a trust framework. OpenID claims to not be a trust framework.

What happens if uses loses control over a token?

[jetxee]

5. Amazon sends (via Web standards, nothing proprietary to MSFT or Windows) the user an encrypted token. The token might come with an Amazon-branded digital "card" that visually represents the Amazon account and token. 6. The next time the user goes to Amazon he/she can log-on to Amazon using the InfoCard instead of user name and password.

What happens if user downloads and installs.. hm.. a shareware program, which, pretending doing its internet updates, sends the tokens found on a PC to someone else? What happens if user looses his laptop? To my mind, the whole password thing may be much more secure. At least I may keep all my passwords in mine. Not on the computer... Unless those are some trash logins to numerous internet forums.

Re:What happens if uses loses control over a token

[plague3106]

You're safe!

The cards are stored on an encrypted portion of the disk which can ONLY be accessed by the CardSpace user account. If you install .Net 3, you'll have a CardSpace control panel item. When you run it, your entire desktop is disabled until you are done working with it.

That's because that control panel item ONLY runs under an account specifically designed to manage the cards, and ONLY that account has the encryption keys needed to unlock the disks.

They want to CTA because...

[H0ek]

Well, the reason why they want to wait for approval is because some big names are participating such as IBM and Novell. I really don't think they're too interested in a patent battle with Microsoft when Microsoft seems to have the upper hand. IBM, for one, does not like to lose in court.