Our geekland propensity for dismissing users as stupid because they can't navigate cryptic interfaces just makes me laugh.
I would be interested to see what would happen in the experiment if users were given an application that used pop-ups to request that users make understandable choices, with understandable consequences.
Shouldn't that be what we are aiming for?
This is a case of cumulative disaster, frankly. These guys have done a whole bunch of not-so-smart things that together combine into real stupidity -- they are advocating both password sharing and they are allowing a help desk person to INTERPRET a plaintext password. Not to mention instantiating password policies requiring a single dictionary word with a limit of 6 characters!
This means that punctuation probably doesn't count. Capitalization doesn't count. Spelling probably doesn't count. If an attacker can come up with a reasonably approximate phonetic representation of the password, then chances are, the help desk will assume the caller is the right person. After all -- if there was a requirement for an exact match, then the help desk person could just type in exactly what the user tells them and get a yes/no answer back without ever seeing the password, and the plaintext requirement wouldn't exist.
Once you have the password for account viewing, how much money do you want to bet that a significant proportion of customers use the SAME password for all their other activities with the bank? But don't worry -- that second, possibly identical password is protected with "full security procedures"...
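The comment above makes a concrete design point: a help desk only needs a yes/no answer, so it never needs to see the stored password. The added example below is not from the original thread; it is a constructed Python illustration of the two processes side by side. `verify_exact` is the hardened form (the agent types what the caller says, the tool derives a key from it with PBKDF2 and compares against what is on file), while `lax_match` is a hypothetical model of an agent reading plaintext and accepting anything that "sounds right", ignoring case and punctuation. The password value, iteration count and function names are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import re

# Constructed example for illustration; not code from the thread or the bank.
# Iteration count kept modest so the demo runs quickly; production deployments
# should follow current guidance for PBKDF2 work factors.
PBKDF2_ITERATIONS = 100_000


def store_password(password: str) -> tuple[bytes, bytes]:
    """Enrolment: return (salt, derived_key). Only these go on file; the plaintext is discarded."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_exact(candidate: str, salt: bytes, key: bytes) -> bool:
    """Help-desk check that needs no plaintext: derive from what the caller said, compare in constant time."""
    cand = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(cand, key)


def lax_match(candidate: str, stored_plaintext: str) -> bool:
    """Hypothetical model of an agent interpreting a plaintext password over the phone:
    capitalisation and punctuation are ignored, so near-misses are accepted."""
    def norm(s: str) -> str:
        return re.sub(r"[^a-z0-9]", "", s.lower())
    return norm(candidate) == norm(stored_plaintext)


def compare_processes(stored: str, attempts: list[str]) -> dict[str, tuple[bool, bool]]:
    """For each caller attempt, return (accepted by lax process, accepted by exact process)."""
    salt, key = store_password(stored)
    return {a: (lax_match(a, stored), verify_exact(a, salt, key)) for a in attempts}


if __name__ == "__main__":
    # Constructed sample: the enrolled password and three things a caller might say.
    enrolled = "Tr0ub4dor&3"
    callers = ["Tr0ub4dor&3", "tr0ub4dor3", "TR0UB4DOR&3"]
    for attempt, (lax, exact) in compare_processes(enrolled, callers).items():
        print(f"{attempt!r:16} lax={lax!s:5} exact={exact}")
```

Only the first attempt is the real password; the lax process accepts all three, the exact-match process accepts only the first, and at no point does the agent need to see what is on file.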
Sounds like a sys-admin's nightmare. I think I'll stick with my Macbook for a bit, thanks.
As a consultant who travels with a laptop, I would say I use wireless at client sites no more than 15% of the time. The chance of me showing up with a wireless-only laptop, and being able to get onto the network on the first day.... 0%.
I'm sure we'll get there. But until then, I still need to get work done.
Given that this is the same guy who thinks Paris Hilton is one of the top 10 girl geeks of all time, I'm not sure that he's qualified to operate complex machinery. As such I suspect this current article is PEBKAC fueled.
Yes, exactly.
At least now, there is no plausible deniability on the part of the search vendors. It is now painfully obvious that sharing of this kind of data, even randomized, will make people very, very angry. The "oops we didn't know" defense is now well put to rest.
Of course, I have to imagine that every law enforcement agency around is wondering whether their worst subjects happen to be AOL users, and whether those records can be subpoenaed.
It contains one discussion group for all of the Identity Management. Which is lumped in under "Application Server" for some unfathomable reason. Which means you have to parse through all of the products to figure out which threads are for the product you yourself are using.
Here is the summary of the single discussion group:
This forum is for discussion of Oracle Identity Management components, including Oracle Internet Directory, OracleAS Single Sign-On, OracleAS Certificate Authority, Oracle COREid Access and Identity, Oracle COREid Federation, Oracle Xellerate Identity Provisioning, Oracle Virtual Directory, and Oracle Web Service Manager.
How easy is it to find applicable threads in that?
Pix
... before Oracle heads down yet another purchasing road, I'd like to see something done with their marketing and sales group - something consistent with the fact that this company is no longer only a database company. My suggestion would be to fire them all and bring in people who are willing to learn and be flexible, instead of the entrenched backbiters they have now.
I'd like to see the user communities that formed around COREid, Xellerate, and other identity-related software get some support corporately.
I'd like to see the corporate blogging policy reversed, so that the people who are passionate about the software they write can communicate to the people who want to learn about it.
I'd like to see products who previously had 50 discussion forum groups and their own conferences, user groups, and mailing lists be brought back from post-purchase back alleys, where they are lucky if they share a discussion group with 6 other products, and where they are lost in the expanse of generic sugary topics at OpenWorld, on oracle.com, and inside metalink.
If Larry really wants his all-encompassing stack to dominate, he's going to have to learn to communicate, not only through his sales and marketing force, but through the bright minds at his own company.
Get with it Larry, or Oracle will inherit CA's title - the place where good software goes to die.
Pixie
I too would love to have a /. "OMG!!! Ponies!!!" tshirt...
Pix
Well, NCalGal and I thought it was hilarious.
As well, I have at least 20 different girlgeeks friended, and I have yet to encounter a single one of them who is offended or even a little miffed, other than the complaints about their eyes bleeding. If you don't believe me go find them and look.
I don't think anyone's angry. Really, I don't. I'm pretty sure we're all too busy laughing. Sure, you can interpret it as a slur, if you try reeeeally hard. But why on earth would you?
Pix
I think you need to take life a little less seriously.
If you think that somebody turning a site pink and writing "OMG Ponies" makes anyone out there assume that all women are stupid, then you aren't as smart as you think you are.
They were looking for the opposite of "news for nerds", they got "OMG!!! Ponies". It wasn't a patriarchal plot to put all women in their place, it was an attempt to be lighthearted. I happen to agree - if ever there was an anti-nerd (and I mean that term in the most unisex of ways), it is a teenage girl. That's the best part -- it grossed out just as many geekgirls as geekboys, making it pretty damn successful as a joke, I think.
Personally, I think a lot of people are going to miss PinkDot, come tomorrow...
*grin*
Pixie
I vote for pink too! And I want all the bullets to be little pink hearts. And I want a pony too...
And if I could have anything in the world, it would be: world peace (-:
I'm downloading this CSS and using it forevermore -- and nobody can stop me, muwahahahahahaha.....
Pix
I guess that it is also possible that there were more "favors" done than I knew. I was pretty damn naive back then (-:
My experience while getting my degree was that first and second year girls were descended upon by third & fourth year geeks looking for dates and willing to do assignments for a girl who would go out with them. None of those girls graduated from the program I was in - they all flunked out on the tests because they didn't understand the material.
I see equal opportunity blame in that situation -- a lack of intellectual pride both on the part of the girls and the guys.
I have also had to endure the insanity of having a really smart guy ask if you want to be his partner for the year in a class, only to have him show up at the first meeting with a finished assignment and a picnic basket containing a romantic dinner. It is a really difficult situation to deal with. On the one hand, the guy has made a nice and very sincere effort to please you. Unfortunately, that doesn't measure much against the facts that (a) he never actually asked you out, so you didn't get a chance to understand what kind of 'partnership' he was really hoping for, (b) he obviously didn't then and never did think you were capable of doing the assignment, (c) he assumed that you were the type of person who would gladly get out of work, and (d) he didn't mind that fact, as long as you went out with him. And he wondered why I wasn't bursting with admiration at his display of programming prowess.
Did you really see a lot of girls brazenly manipulating their way through a computer degree? It's hard for me to imagine. The women I graduated with knew their stuff, and would gladly prove it when challenged.
Pix
Well, I'll be damned!
I went to the roadmap site, and saw no screenshots or notes about single-window integration.
I guess that makes *me* the pessimist...
Thanks for correcting me gently.
Pix
You, my friend, are an incurable optimist.
I'm guessing you are imagining that after installing Lightning, Thunderbird will suddenly devote a small amount of window real estate to a miniature calendar and a daytimer, a la OutLook.
Nuh uh. Right now, all that Lightning does when installed, is to pop up a second window from Thunderbird that looks *exactly* like Sunbird in every possible way. All the functionality is identical to Sunbird. Right now, Lightning *is* Sunbird, but running from the Thunderbird directory. That's it. Nothing more, nothing less. Once Email-Task integration is implemented, Lightning will become useful - but I can't imagine anyone is expecting an integration that is in any way similar to OutLook's interface.
Pix
You would think so. But it doesn't seem to work that way.
I installed the plugin not long ago, with the expectation that at MINIMUM, you would be able to drag & drop .ics calendar attachments into the calendar. Automatic detection of scheduling requests would be even better.
It doesn't appear to do even that. As far as I could see, the only way to get scheduling requests into the calendar (regardless of whether you use Sunbird or the Thunderbird plugin) is to save the .ics file to your hard drive and then use the "import" command to import the event.
Therefore, as far as I can tell, the only advantage to using the Thunderbird plugin at this time, is that it sits in the Thunderbird directory instead of its own directory. And that you open it as a switch to the thunderbird command, instead of as a separate command. Whoop-dee-doo. Not to say that I don't understand that this is a work-in-progress, I am aware of that. I'm sure that .ics detection or drag/drop is high on the to-do list. I still find Sunbird useful, and I'm using it now. I just don't see that there is any level of actual email/calendar integration yet.
I would love to be wrong about this by the way. Maybe somebody will reply to this and tell me that the plugin has lots of very useful bits - but as long as I have to manage my .ics attachments myself, I can't think of the plugin as getting me much.
Pix
I think you are missing more than a few options there.
IBM has directory services.
Sun has directory services.
Novell has directory services.
My thoughts:
- the problem with IBM's directory is that it sits on top of DB2. This abrogates one of the coolest parts about directories - that you don't need a DBA. And a mistuned IBM directory is an ugly, ugly thing.
- the Sun/Netscape/iPlanet/SJSDS-whatever-they-call-it-this-second tends to run well directly out-of-the-box without the need for much in the way of expertise, in smaller environments. I would call this directory the de facto standard (although this statement may now be obsoleted by the advance of AD - hard to say). If you are using other SUN infrastructure, or if you are using the Sun Calendaring/Messaging product (which I would recommend as a very solid alternative to MS exchange), this DS is an excellent choice.
- Novell - well if you are a Novell shop, you will use NDS. You will use everything else Novell has. It is sort of like joining a secret cult.
- OSS - I would consider this an advanced option. My suggestion is, if you know nothing about directory services, that you would be better off with something a little more... packaged. I'm sure many here will rabidly disagree with me, but I certainly would consider that choice as risky. A second issue is that many LDAP-enabled products that you may wish to run on top of your directory layer (provisioning, WSSO, etc) only support commercial directory servers.
- Microsoft - well, you're probably going to have to install this one anyways, in order to get a LAN. Although I'm a unix chick at heart, I must admit that I have seen many well-run AD directories. If you aren't already in the UNIX world for any good reason, AD is probably a logical direction. Many many companies have cut their directory services teeth this way. The disadvantage is that your Enterprise Directory is also your NOS, which can be a pain from a licensing perspective, if you want to store authentication-only users as well.
FWIW, hope that helps...
Sigh,
You are right. It can be done, which basically means that I'm whining about *how* it gets done...
I guess I'm just a fan of keeping it simple. Which gives me the bias that you mentioned.
Thanks for keeping me honest (-:
Pixie
Heh, you must not work with middleware much. Packages work really well for things that can never occur on a machine more than once.
Now that the DS is a package, it means that I can only have a single o=NetscapeRoot tree. So, I can create a test instance and a pre-prod instance and a bunch of other instances, but every instance writes configuration data to the same o=NetscapeRoot. So if something goes terribly wrong, firstly there is the possibility of a single instance rendering all LDAP instances unusable, and secondly, it is next-to-impossible to manually remove every trace of a single instance, because you have to hack the configuration tree as well.
Before this, you could simply install two separate stand-alone versions of the directory server, running on different ports, and know that the two were completely uninvolved with each other. There is a huge value to that.
Of course, Solaris 10 is going to improve things considerably. Instead of multiple standalone directory servers running on the same box, I'll be able to run multiple virtual servers on the same box, each running their own single DS package...
I feel happy about this.
I feel that this may be karmic retribution for Sun railroading us into having to use ^$@#%$&ing pkgadd, instead of those lovely tarball installs of yore, where it all installed into a single directory that I could tar up, or simply blow away if it screwed up... ah, the days of control...
But then, in the short term, the only way that I can see Netscape Directory Server making it into the enterprises that I deal with daily are if it comes bundled or as a dependency for some very well-trusted and established open source app, like maybe a CMS or something such as Bugzilla, or SVN. As an "Enterprise Directory" (ooh aah) it will be a long time before this version could compete, if ever -- everybody wants a stack, these days.
Still, it could be interesting leverage for the big Sun clients who are actually paying for the SJS Directory Server. I think this is the final stage of the commoditization of the animal that is a directory server... damn, I owe a certain Burton Group analyst a beer now...
(-:
Pixie
No problem! As an alternative, may I suggest you check out the open-source alternative: Shibboleth.
Pixie
Yeah, it should be interesting. I think that the Liberty guys are messing their pants right now, with all the stuff that MS just released at Digital ID World. And as much as MS is crowing about how 'open' they are, I wonder what will happen when OASIS finally gets their hands on some of the 'to-be-released' WS-* standards, and then ratifies a change in the next version that MS doesn't like?
It is definitely a messy, squabbling soap opera. And maybe it will all go down the tube. But I guess that I think the point of the press conference was to illustrate that the vision is shared, and supported from the top down.
Pixie
Although the press con was specifically about WebSSO, the rest of the framework forms the architecture that will one day support web authentication of all kinds, at an operating system level. Whether you happen to use the back-end to do fancy inter-site federation, or you use it to simply get a Kerberos ticket from your internal AD database for the purposes of accessing a locally protected website via integrated windows authentication, the mechanisms will eventually be the same.
The whole point is that the lines between internal and external are blurring. The same concepts of ID providers and relying parties are being used to describe every kind of web authentication, and it will become a matter of policy and configuration as to whether trust relationships are created outside an intranet, not a matter of installing new software. You are right - I imagine that many, many sites will choose to never configure a site for WebSSO with any other site. But they will still be using the same architecture.
At least that is the current direction of the industry. The whole point is finding the technology that people *will* trust. Whether it works or not is another issue altogether, and nobody can speak to that yet.
It is exactly *not* like Passport. In fact, the whole Passport disaster is often referred to as a lesson learned.
Here is the latest philosophical trend in Identity, and the founding principles for the SSO and IdM movement of the moment:
The Laws of Identity
If you read this, you will see that certain of the digerati are working very hard, even within Microsoft itself, to ensure that future identity systems are exactly the opposite of 'distrusted and irrelevant'....
Pixie