Liberty Alliance Having Problems 143
torre writes "This article would suggest that there seems to be some chaos in the Liberty Alliance fight against Passport. Between Sun's Jonathan Schwartz claiming defeat to Microsoft as it has the market tightly controlled with the help of windows to Novell's Justin Taylor who says that Microsoft's Passport has got nothing to offer when it comes to the enterprise. Should be interesting to see how things pan out."
Feel better with Sun (Score:3, Insightful)
Re:Feel better with Sun (Score:4, Insightful)
Perhaps its not about Microsoft vs Sun (Score:4, Informative)
I wrote most of the SAML specs which are the basis of the Liberty design. I really wish that people would stop trying to define the problem as one company bashing another.
I have absolutely no interest in the issue of whether Sun can stop Microsoft or Microsoft can stop Sun. I have been trying to deploy global authentication schemes for ten years now, I believe that the problem is sufficiently hard that it is not going to be solve by any party that makes its primary objective the defeat of another party.
First off lets recognize that companies working together can be a good thing for the consumer and can also be a bad thing. It is good when stuff works together, it is bad when working together effectively means a cartel.
I don't fault Microsoft for using their deployed base to build the user base for passport. After all AOL did the same thing by buying up rival instant messaging services.
What I do not see is how any party can reasonably expect the idea of global authentication to turn into some sort of monopoly. The competative forces involved are just too great.
Consider the problem of getting access to my frequent flyer plan at United. It would be pretty handy if I could simply log on to United transparently through my browser without having the browser store lots of personal data on my machine that could itself be a security vulnerability. On the other hand I don't see United paying anyone $10 per year for the privillege of offering this facility or anything like it.
Now consider what happens if we have 50 single sign on schemes, I don't see any advantage over having separate log ins.
So there has to be a critical mass for any of these schemes to be worthwhile, there has to be a reasonable cost structure and there has to be confidence that the operators of the scheme will not impose new costs or hidden restrictions at a future date.
I think that there is a value here but I think that both Liberty and Passport need to be radically rethunk before either can achieve the stated goals.
Before that happens however I think that there has to be a political realignment. In particular I think we need to get Liberty to stop promoting itself as a 'stop Microsoft' scheme and we need Passport and Liberty to agree to some form of convergence in the same way that Visa and Mastercard converged.
Specifically we should adopt SAML as the underlying architecture for global authentication. The ability to carry kerberos tickets and passport credentials is already designed into the SAML specs.
Once there is agreement on a technology base Liberty and Passport would both evolve into federated authentication brands in the same way that Mastercard and Visa have. There would be a strong assumption that merchants and web sites would support both brands rather than expecting consumers to cope with both sets of credentials.
Finally we need to work out who is going to actually pay for such a system to be established. Charging end users is really hard, charging merchants cuts out sites like slashdot. Where is the compelling value proposition? I believe that there is one to be found but we have not got there yet.
Maybe it's because... (Score:2)
(Or passport? Talk about a solution-in-search-of-a-problem.)
Re:Maybe it's because... (Score:5, Insightful)
Nonetheless, I can clearly see the advantages the industry and private individuals would have from Liberty alliance's efforts. Note that I didn't even mention the B2B features that the Liberty Alliance is working on.
Re:Maybe it's because... (Score:5, Insightful)
Set all of your passwords to be the same.
The only reason that Passport is useful is because it tries to dip its finger into a lot of pies at the same time. The end result is that corporations find out a lot more about your surfing/buying/playing habits than they otherwise would. In other words, it's *not* useful to the end user - it's useful to the service providers.
Re:Maybe it's because... (Score:3, Insightful)
And when it's compromised? I have set all my passwords to be the same for about a year now, and it's the only way I can stay sane with the number of separate accounts/identities I have. My password has been compromised twice now :(
Luckily both times the people who saw it were friends. The first time I had to tell Adam my password so he could setup my new email/shell account for me. The second time a stupid MS connection wizard of all things printed out the password in plaintext at the end, just to helpfully confirm you'd chosen it right.
Not to mention the difficulties I had finding a password that was easy to remember but fitted into all the various rules some sites/systems have about passwords
Good passwords should be changed regularly. To do that, you need 1 password. To do that, you need digital identities.
Re:Maybe it's because... (Score:3, Insightful)
Sure it is. We implemented a passport-like service for all of our corporate systems. This way, you change your password once, and it changes everywhere. It has reduced the "I forgot my password" requests considerably, and allows us to enfoce regular password changes on a global level, instead of having each system deal with passwords differently.
The percieved problem of central systems on a global scale is simply that once the password is compromised, the whole system is compromised. Remember when car makers used to make one key for the door, and the other to the ignition? In the end it was proven that this generally added little to no security because both keys were on the same key ring. The same goes for passwords. I personally use 2 - 3 passwords accross all sites. You get one of my passwords and you can access almost half of the sites that I visit. Furthermore, most people that I talk to already use one password anyway.
My biggest concern for security is not the concept of centralized passwords, rather, it revolves around Microsoft's ability to design a secure protocol, and if that protocol becomes an industry standard so that Microsoft doesn't have Ultimate Power over the system.
Re:Maybe it's because... (Score:5, Insightful)
Re:Maybe it's because... (Score:2, Insightful)
For the average joe the more relevant case involves how he can now log into his phone, computer, laptop, pda, etc, and be able to identify himself such that he can get access to stuff like his contacts in an easy fashion. The example for this can be seen in web ICQ or MSN messenger.
Re:Maybe it's because... (Score:2)
Re:Maybe it's because... (Score:1, Insightful)
Hi. That should be 'lose', not 'loose'.
Thanks,
'Lose', Not 'Loose' Guy
Re:Maybe it's because... (Score:1)
Thanks.
Then you're DOA on another machine (Score:3, Insightful)
Also, if you have your browser store passwords at work, then you're extremely insecure as well.
I used to think different passwords for different services was more secure, but I now use the same password for all sites and then change this password everywhere periodically. It's a minor hassle to change them but it's probably more secure than either Passport or browser storage, and I can access everything no matter where I am.
Re:Then you're DOA on another machine (Score:2, Informative)
what about registration? (Score:3, Insightful)
The obvious disadvantage to this is that a poorly designed system could release personal info to unscrupulous businesses. A well-designed system could show you which fields a particular site wanted and ask for your approval. Better yet you could configure your account to release different levels of info to sites based on their privacy policy.
Re:what about registration? (Score:3, Insightful)
No. I'd much prefer to keep the info in the browser, or in my head. I don't trust the central server as much as I trust my own PC.
Re:what about registration? (Score:3, Interesting)
There is already the ability to negotiate image formats, languages and authentication schemes. Adding in registration shouldn't be a problem.
Re:what about registration? (Score:2)
There is already the ability to negotiate image formats, languages and authentication schemes. Adding in registration shouldn't be a problem.
And then you could call it Passport. Passport is an API. It works on more than one browser on more than one machine. But frankly, until it's tied to a physical token you can put on your keyring, I don't give single-sign on much chance of escaping into the net at large.
Re:what about registration? (Score:2)
Re:Maybe it's because... (Score:3, Insightful)
So basically you've written your passwords down underneath your keyboard, and think you are secure because nobody is going to look there.
Re:Maybe it's because... (Score:3, Insightful)
Where Passport/Alliance etc. is useful is for corporations who can easier track your browsing/shopping habits to profile you and target you with more personalized spam.
Re:Maybe it's because... (Score:2)
I use it all the time... (Score:2)
Re:I use it all the time... (Score:1)
I'm starting to use Yahoo too (Score:1)
Re:I'm starting to use Yahoo too (Score:2)
As far as spam goes, yes, Yahoo is thousands of tiems better than Hotmail. That being said, Yahoo has started to slip a bit recently. I'm now seeing a message or two a day coming in from spam, whereas I saw zero about 6 months ago, and I'm not doing anything differently with my email (especially my personal one). So while it may be the best, it's not perfect, and I sure as shit hope they're not slipping.
"Liberty" Alliance (Score:2, Flamebait)
Insightful (Score:1)
know BiG surprise (Score:1, Interesting)
- Licensing Cost for Server Software
- Openness, i.e. the ability to change software to fit our purpose
- Security & Reliability and (last not least)
- Low hardware requirements.
The fourth reason was very important as I didn't want to buy any new hardware for the servers and instead reuse existing old hardware and extend its lifetime by using Open Source Server software. We decided to Use FreeBSD, Apache, mySQL+PostgreSQL, Perl+PHP
The company I am working with is a pure-Microsoft company, i.e. they only used to use Microsoft software, and they even didn't know anything about Open Source.
It was a painful but successful transition. But this is not the reason I am writing.
The reason is Microsoft itself. When the local Microsoft rep "heard" (someone inside the company tipped them off), they asked to meet my team(!) and discuss the reasons for our Open Source use.
In fact, it was a meeting of 2 1/2 hours with 3 Microsoft sales/consulting reps trying to persuade us not to use Open Source (mainy they talked about "Linux" until we told them that we don't use Linux and that we don't understand what they are talking about
Also, they wanted(!) (actually they "required") us to tell them the reasons why we are using Open Source instead of the already introduced and long-time proven Microsoft Software in this company.
Then I started explaining the four reasons above, and when we came to the point of "Licensing Costs", they offered us TO give the Windows server licences for free.
I am not kidding. When I told them that I'd need at least ten licenses and at $400/each, this would be too much for me for the beginning, they offered to give us the license for free - and not only for now, but also for the future when we kept working on Microsoft.
Of course, they knew that if we implement succesful projects based on Open Source in the New Media Group, this might extend to other areas, too, e.g. data servers (we are in fact planning to create a print archive fully based on Open Source now that the technicians in the company see that Open Source can be successfully implemented).
I just wanted to let you know about this fact. The meeting was very funny as they were trying to explain us that Microsoft software is more reliable, secure and cheaper than Linux and I was trying to explain to them that a) we are not using Linux, and b) that they have wrong numbers about TCO and c) that I could prove that Open Source is cheaper and lastly d) that any survey trying to figure out the TCO is definitely wrong as they try to please the company who ordered the survey, etc. etc."
Re:know BiG surprise (Score:3, Informative)
I think you have mistaken this AC for someone who writes his own comments. [theregister.co.uk]
Re:know BiG surprise (Score:1)
"The main reason for choosing Open Source software was:
- Licensing Cost for Server Software
- Openness, i.e. the ability to change software to fit our purpose
- Security & Reliability and (last not least)
- Low hardware requirements.
What about your time? Are you in charge of a budget? Any customizations (#2 in your list) - are they included in that budget? Maintenance moving down the road - who will be doing it?
Link to the stolen story please (Score:2, Informative)
whatever (Score:1)
I wish.. (Score:4, Insightful)
The article basically says "We can't get into Passport's market share because MS forced people to sign up." That's a fair statement except for one minor detail: Massive numbers of people aren't running around saying "I need a single log-in point across multiple domains!".
If the demand's not there, bleating about MS beating you isn't going to make it better. Frankly, I think the only reason this article made it to Slashdot is that juicy little line about MS "forcing" people to sign up with Passport.
I can't be the only one who'd like to filter these stupid articles.
Re:I wish.. (Score:5, Informative)
Not true. I've got people in my office today who have laptops running Windows XP. They are *not* forced to sign up for Passport. Let me repeat: They are not forced to sign up for Passport.
When you do need (note: I didn't say forced) to sign up for Passport is when you use their IM stuff. That is a choice you can make. It's a choice you make when you sign up for Hotmail. There's no forcing going on.
And no, Paypal doesn't require a Passport to sign up. I have no idea where you conjured up that idea.
Re:I wish.. (Score:5, Informative)
Re:I wish.. (Score:2)
This is pure BS, XP nags to register for an MS-Passport and stops functioning if you do not.
The 'other' choice is to use the XP crack even when you've paid for the OS.
Re:I wish.. (Score:2)
100% untrue. I *maintain* XP machines here, nobody's been nagged to register with Passport.
Re:I wish.. (Score:2)
I didn't, although it's more or less true. When you sign up for Hotmail, you're signing up for Passport. Sign up for Messenger, and you're signing up for Passport.
Re:I wish.. (Score:2)
Really? How odd. I have WindowsXP at work and at home. I have Office 2000 at work. I have MS Flight Simulator 200x at home. Yet, I do not have a Passport account. I've never been forced to get one.
And how many AOL users don't have a ScreenName? Exactly 0. Passport is how MSN authenticates their users. If you don't like it then don't use MSN.
Again, if you don't like the service, go elsewhere. Yahoo! doesn't use Passport, so get an email address there.
No, no you don't.
That should read, "It's getting very difficult to sign-up(sic) for Microsoft services without having to sign-up(sic) for passport(sic)!"
If you use The Zone, MSN Messenger, MSN, Hotmail, or any other Microsoft service then, yes, you will probably have to get a Passport account. Microsoft invented a user authentication system and they are using it on their services. That's their business choice. That doesn't mean that every computer user is being herded into Passport.
perhaps a politically correct MS Passport? (Score:2)
It might be more politically correct if my PayPal account gave me the option to create a PayPal account or a Passport account, but the truth is it's a lot easier to maintain if there is a single source for the user database. In this case, it just happens that MS has the proper Internet real estate to ensure that their SSO becomes the most popular.
Unfortunately, I'm not convinced a web-based infrastructure is the right solution (ala: Passport). For that matter a distributed network identity authority (ala: Liberty Alliance) isn't all that much better.
I think the time has come for *real* identity management, biometric authorization by means of a physical connection to a computer. Let's get rid username/password management before it gets the better of us.
Who uses passport anyway (Score:4, Interesting)
I can't believe they think that Microsoft has the market 'tied down'. How hard would it be to develop a new client authentication scheme and convince the millions of websites out there NOT using passport to use your new scheme? Sure it may be hard in some cases, but there is a hell of a lot of room for getting a huge chunk of the market.
Re:Who uses passport anyway (Score:4, Insightful)
I seem to remember microsoft trying this with microsoft wallet for storing all of your credit card information. That never flew, and I doubt that passport will really be such a big thing. Personally I like having everything seperate, so in case somehow it gets broken into/cracked, I'll only be vulnerable at one website/domain. I try to keep seperate passwords for security, and keep things divided for more protection.
Re:Who uses passport anyway (Score:1)
Re:Who uses passport anyway (Score:2)
Re:Who uses passport anyway (Score:1)
Re:Who uses passport anyway (Score:1, Troll)
The fact is there are websites using Passport.
Re:Who uses passport anyway (Score:1)
Re:Who uses passport anyway (Score:1)
Except for a few select Microsoft sites which use it, (You really have the same thing for AOL), no site I have visited in the past 2 years has used Microsoft Passport (tm).
HmmCouldn't this be as simple creating passport ... (Score:4, Insightful)
Re:Couldn't this be as simple creating passport .. (Score:2, Insightful)
Re:Couldn't this be as simple creating passport .. (Score:2)
Anyway, if IBM can give away stuff like that (he got it at the end of a DB2 course), surely they could make some kind of simple USB smartcard ? I mean Big Blue already work with Mozilla to make the OS/2 browser, and with various Linux companies.
So what's holding them back ?
Re:Couldn't this be as simple creating passport .. (Score:2)
That alone may be reasons for NOT using it. They would prolly need something that has a file system that is ISO 9660 compliant so that it could read/loaded on the majority of systems.
Re:Couldn't this be as simple creating passport .. (Score:2)
Rainbow have been making a smartcard in a USB form factor for several years. Thats why the SAML spec on which Liberty is based mentions 'hardware tokens' rather than smart cards.
Re:Couldn't this be as simple creating passport .. (Score:1)
Re:Couldn't this be as simple creating passport .. (Score:2)
No way shoulod you do that unless you are running trusted hardware. I don't care what encryption is used for the file, the keys are still vulnerable, as is the data itself when it is decrypted.
So yes that is a great design if you are using a Palladium class machine, but there are not many of those arround at present.
It would eliminate the need for a hugemungous server (run by an evil corporation) and this way it would be pretty simple to access the information (with some authentication of course) and not need to pay an arm and a left testicle to an Evil Corporation..
I find it difficult to take this type of approach seriously. I am much more worried about John Piondexter than I am about corporations at this point. I can't think off hand of any corporation who illegally sold arms to terrorists in Iran to fund more terorrists in Latin America.
That aside, what you call 'authentication' is no more and no less than what Passport and Liberty both do. You are thinking about the problem from one angle alone, confidentiality. That is a bad mistake when talking about an authentication scheme.
Re:Couldn't this be as simple creating passport .. (Score:2)
AOL Screen Name Service (Score:3, Informative)
AOL Pulls Rug From Under 'Magic Carpet' [betanews.com]
Re:AOL Screen Name Service (Score:2)
AOL's ending its Magic Carpet service, which allowed non-AOL sites to accept AOL ScreenNames as a logon, in much the way that Microsoft is offering up its
However, this doesn't mean ScreenName Service is going away completely. That is, your AIM screenname will still let you log into every site AOL/TW controls, and that's quite a few of them. That's still a lot of personal info for AOL/TW to possess.
Very misleading article (Score:5, Informative)
One of the thing the Sun guy says is "I don't think it will be very long before we have a pervasive non-Microsoft client". That doesn't sound like conceding defeat to me.
Talk about rolling over (Score:5, Funny)
Huh? (Score:1)
What's with all these question marks replacing apostrophes?
Re:Huh? (Score:5, Informative)
Microsoft added a fake left curling single-quote to most of it's fonts about ten years ago. Toy 'desktop' systems like Word, MS Publisher, BOB use these quotes in order to look 'cool'.
Standards-based browsers: Netscape, Mozilla, Konqueror, Opera don't nesesarily display this non-standard 'quote' the way IE does. They default to showing a question mark when confronted with theis non-standard quote.
Re:Huh? (Score:1)
Re:Huh? (Score:3, Funny)
Re:Huh? (Score:2)
Whee!
ISO latin-1 characters (Score:2, Interesting)
U+2018 ‘ left single quotation mark
U+2019 ’ right single quotation mark
But when it's posted without a character-encoding MIME type, the processor just sees a strange character, and replaces it with a default character, in this case a question mark.
Endrun around MS (Score:3, Informative)
However, it is a valid point that Passport has been a major failure up until now (tens of millions of forced signups and nothing substantive to show for it) and even with monopolistic momentum, a few new major Passport security failures could make a serious, well supported competitor that much more attractive.
Re:Endrun around MS (Score:1)
pr0n (Score:3, Funny)
It's good to know that Bill still surfs for pr0n every now and then.
Advantage Microsoft (Score:3, Insightful)
The causes for this are interesting, but far to many, complicated, and inter-related to get into during a 5 minute work break. Too bad.
Re:Advantage Microsoft (Score:2)
That and they simply don't have the vision that Microsoft has to get it done, either. Basically Microsoft announces something, then the usual suspects scramble around and announce something of their own just so they can be against Microsoft, not because they have any idea of their own about how they envision the given service. It's funny really, and actually reminds me of Canada's knee-jerk reaction to basically oppose any of them there *gasp!* Americanized ideas. Just like the anti-Microsoft crew, they're getting left in the dust.
What a vague article (Score:4, Insightful)
Sun: Windows is better at whatever Liberty/Passport does
Novell: Maybe in the home market, but we do whatever Liberty/Passport does much better in the Enterprise!
Netegrity: Maybe Microsoft does whatever Liberty/Passport does better on Windows, but the true value is doing that cross-platform and cross-domain!
I still don't see how any of this is more than a niche market. Yes, there is a need in large enterprises for single sign-on, but that's largely a Fortune 100 issue, so no huge market there. For smaller companies, it's far cheaper to staff a helpdesk than it is to do an enterprise single-sign-on implementation. Yes, home-users have to manage a lot of userids and passwords too, but integrated browser password functions cover the 90% of people who don't move from their base computer. So for the home as well it's a niche function.
The only value I see is the value of Microsoft or AOL with extending their MSN or AOL login to new functions and thereby making it more "sticky", giving users an effective barrier to leaving their service. To me, that's really all this posturing is about.
Also, I fail to see why my cell-phone and my SSH session need to share a password.
P.S. Justin Taylor is a big geek. 8-)
Lack of will not ability (Score:4, Insightful)
If they wanted to AOL, Netscape, Mastercard, Visa and American Express could deliver a *staggering* amount of particpants. This would dwarf the several million Microsoft passport holders overnight.
I think that the main problem here with Sun's technical leadership is that it's too busy trying to work out what it does for a business to worry about taking on Microsoft in yet another arena.
Another reason is that the when you're a holding a hammer, everything looks like a nail.
Sun sees Liberty as a battle with Microsoft, Novell sees it as glorified LDAP server, while the credit card and mobile phone companies see it as a targeted advertsing and aggregation tool.
The conflict is being caused by each charter member having a different vision of what Liberty actually *is*.
Both are DOA (Score:3, Informative)
It will be a while before anyone picks up this hot potato again. Until then, single sign-on is dead.
The single-logons nobody ever talks about... (Score:3, Insightful)
The first is AOL's. AOL Time Warner has gone around and tied the login systems of almost all of their properties from CNN to Netscape to use the same logon system as AOL/AIM ScreenNames. AOL has direct competitors to almost everything MSN has and then some, and can collect just as much personal info to send to a media empire.
The second is Yahoo's. Now, I know the Yahoo logon is only valid at the Yahoo.com domain, but Yahoo has within its domain content that MSN spreads out into dozens of domains. Everything including a Hotmail-like e-mail site, an Expedia-like travel site, a CNBC-like financial site, and an MSNBC-like news site all accept the same Yahoo logon. Yahoo wants your credit card numbers in your Yahoo Wallet let's not forget...
Yeah, Microsoft is the most annoying in getting you to sign up for a
There are really three web empires... yet only one is getting all the heat. What's up with that?
Re:The single-logons nobody ever talks about... (Score:1)
Re:The single-logons nobody ever talks about... (Score:1)
security versus convenience (Score:3, Insightful)
With a single sign-on, you really have some security problems is return for the convenience. One shoulder-surfer can completely steal your online identity. And is anyone under the illusion that people will pick strong passwords for their Passport accounts? Nope, they'll pick their pets' names, kids' birthdays, favorite sports teams, etc.
MS may be insulated from competition with Passport, because the good guys wouldn't dream of implementing it insecurely, and that means their implemenbtations will be less convenient than MS's.
At this point, security is the one single strongest reason for people to switch away from MS and start using open-source software and open protocols. The problem is that very few people really care very much about security, and they don't really understand security well enough to know what they're missing.
Re:security versus convenience (Score:2)
What a bunch of twaddle. Your examples of Passport insecurity are people stealing info from over other peoples' shoulders, and people picking poor passwords. Then you say this supposed insecurity is why people should switch away from MS, completely ignoring the fact that these things would be problems under any other system, too. Unskilled users are the only people who would leave themselves open to such holes, so why suggest that they switch and have to learn a whole new system only to find out that the exact same holes are there?
Re:security versus convenience (Score:1)
Re:security versus convenience (Score:1)
Slashdot poll idea: (Score:2, Interesting)
- Yes
- No
- I'm Afraid to
- Cowboyneal is my Passport
Zero knowledge (Score:3, Interesting)
The way it works is that the password is never sent to the remote host, ever. Instead, it only proves that you know the password beyond a statistical reasonable doubt. The advantage to this, is that I can use the same password "verifier" many places without having to trust them.
Just for the heck of it, I decided to provide a way to use a 1024 bit random integer as the basis for a roaming profile. You can use a human memorizable passphrase to login one place (such as your PC), and then pick up the large random number that will be used to prove yourself to all of the sites where you have an account. Assuming you use the 1024 bit number for verification, there's virtually no chance that someone will be able to forge your identity.
This is no different than using a private key in conjunction with a public key, but it's nice because it also works with human passwords, with a nice migration path to using more secure authentication means. Furthermore, since you in theory don't know if a verifier was created using a human password or a big integer, it makes it highly improbable to try to brute force guess using either an offline or online dictionary attack.
Also, I just came across this IBE solution, also from Stanford that works for regular email, which suprasphere doesn't support yet. (see Stanford IBE Crypto [stanford.edu]) My email is david@suprasphere.com if you want to contact me.
Re:Zero knowledge (Score:2)
It all sounds very nice and all, but I can't for the life of me figure out what you sell. Perhaps get a marketing-droid to put a more sensible spin on it, or if youve got one, get a different droid.
A friendly suggestion
Grrrrrrrr (Score:5, Interesting)
Full disclosure time, I work for Andre Durand [andredurand.com] who setup Jabber Inc and whos latest venture is PingID [pingid.com]. We got together, along with Adam Theo [theoretic.com] (who got our server slashdotted with the ransom thingy a few weeks back) because we'd been working on open source digital identity for about a year. Andre knows the balance between commercial and open source well in our opinions, and he's been sponsoring the effort.
I've been to DIDW 2002 [digitalidworld.com], met the guys designing the protocols and met Justin Taylor from Novell. All those links were to say, I've been following this scene since before people were talking about "identity" and I want to shout my thoughts loud and clear.
Firstly, the idea that Microsoft have authentication tied down is laughable. Passport is in its current incarnation a piece of crap. By version 3.1 I'm sure it'll be peachy, but right now it stinks. The extent of their "integration" with Windows is having IE6 use some native dialog boxes instead of web forms and being able to automatically sign on when you login (does anybody actually use that?). It is most definately possible to do something better than this in a seamless enough way that users would go for it. In fact when I was in Denver me and Adam sketched out an idea for how to do it.
Secondly, the Alliance is a rather mixed organisation. It's made up of lots of big corps who are not in fact enormous big baddies who want to steal your privacy just for the hell of it, but they do want to enable better business relationships. The example Esther Dyson gave was that the airline company should remember whether she likes window seats or not. I'm sure some Slashdotters would find this freaky/scary but she is a smart lady and she knew that she wanted that kind of information to make her life easier.
BUT - the LA is attempting to tackle a slightly different problem to the one that interests me and Adam. What we want to do is simple: we want to be able to run a server on theoretic.com that lets me sign in to Slashdot with my network address, lets me sign up for mailman mailing lists without inventing passwords each time, links my Jabber account with my email account with my personal profiles so people can locate me based on interest, so I can sign in to Linux GDM with my network address and get my roaming desktop and so on. We have LOTS of ideas! :)
What the LA are doing is linking currently existing identities together. They gave a demo of the technology in Denver. In fact, it was Justin Taylor who did this demo. It was entirely corporate focussed, they started from an intranet and were automatically signed in to some flight reservation service. That sort of tech has its place, and they're being realistic in that linking identities is a good way to start until people start getting their own identities hosted for them like email addresses.
The LA has some good points to it, don't mindlessly bash it. However, it also has some bad points. One is the stupid requirements for membership, which they admitted to me privately are basically to keep the little guys out. Another is the hideous complexity of their protocols. The ones we've developed sacrifice a small amount of flexibility for a huge increase (imho) in implementability and understandability.
Well having plugged it now (i seem to be plugging a lot of my projects today), I guess I'd better point out that what we're doing actually consists of two parts. The first is the protocol. This is (currently) called the Genio Protocol, and will be getting its own website soon (look for an announcement here when it does). It's simple, open and as far as we know free of IP claims. The second is the SourceID reference server, which is under a pseudo open source license.
We have user profiles working, and I was coding up basic tickets functionality (authentication/authorization tokens) last weekend. Hopefully genioprotocol.org will be up soon and then it'll make more sense.
Believe me, this is totally scratching an itch on my part (though I do get paid for it now too [grin]) because I think a good set of solid open digital identity protocols will make my life easier, and totally kick ass into the bargain.
I just want my global telephone number (Score:1)
Why is Sun always this pessimistic? (Score:3, Insightful)
Pardon me for being a bit cranky and harsh, but why does Sun always seem to pull this line? They are declaring defeat before the battle really begins. If they want to pull out and quit then let them, but they have no need to declare the whole project a failure.
Besides, isn't a bit early for them to start their standard "we can't do this because of Microsoft" whine.
The Liberty Alliance isn't really an alternative. (Score:2, Insightful)
The Liberty Alliance could offer a true alternative to Passport by creating a system in which users, not large, faceless, and untrustworthy corporations, were in control of their identities. But it hasn't, and that's why it's floundering.
Re:The Liberty Alliance isn't really an alternativ (Score:1)
http://www.gnu.org/projects/dotgnu/web-services
Sheesh.... (Score:2)
I wouldn't want to be coerced by either system. (Score:1)
Re:I wouldn't want to be coerced by either system. (Score:1)
If enough people refuse to visit their Web site because of their obnoxious insistence upon dropping Passport cookies on visitors, it'll hurt Starbucks; pocketbook sufficiently that the company will start to care.
Never let the facts stand in the way of an article (Score:1, Informative)
As someone "close to the Alliance", I should mention that the basic premise of the article is simply incorrect. The Liberty Alliance is about defining open standards (there's that open word - means it ought to run on any platform, including Windows); whereas Passport is a service operated by MS. Chalk & Cheese.
Every site has a unique password, easy to remember (Score:1)
Storing passwords within Mozilla or some such is just waiting for trouble too (IMHO). What will you do when it breaks and you can't remember your password to anything? Sure, most sites have ways to deal with lusers who forget their password, but that is just a pain and time consuming.
My wife asked me this exact question (how to remember) recently. It's easy: come up with something you WILL remember and use the same IDEA across many, many platforms.
For example:
I drive a subaru. All passwords will start with SUB.
My birthday may be 03/31/1968 (impossible
I'm on SlAsHdot, so SAH
Guess THAT. What would the password be for Yahoo? Easy: sub8630yho
Unfortunately
Re:Every site has a unique password, easy to remem (Score:1)
"claiming defeat"? (Score:2)
Last Post! (Score:1)
designers in the thin disguise of good, clean fun.
-- P.J. Plauger, "Computer Language", 1988, April
Fool's column.
- this post brought to you by the Automated Last Post Generator...