
The Liberty Alliance Grows Again

Hemos posted more than 10 years ago | from the now-if-they-would-just-do-something dept.

Security 111

sempf writes "The Liberty Alliance, a Sun-backed open-specification alternative to the Microsoft platform's Passport system, has added two very powerful members, Oracle and Intel. Now over 150 members, one wonders at the future of a world where we have two single sign-on systems. With the three big IM platforms joining forces, is the identity standard of the world going to be Microsoft, or Sun? Is this going to be the next Browser War?"


111 comments


No. (4, Insightful)

Morgahastu (522162) | more than 10 years ago | (#9736774)

No. There won't be a war because no one wants it. MSN's passport has been around for a long time now and barely anyone uses it.

Re:No. (5, Interesting)

16K Ram Pack (690082) | more than 10 years ago | (#9736795)

That's for a number of reasons.

- You have to pay to use it for your site.

- Lots of people don't trust Microsoft's security.

- Some people are concerned about single platform/single corporation.

I'd love to have a single ID.

Re:No. (5, Interesting)

blowdart (31458) | more than 10 years ago | (#9736820)

Yes, but is anyone actually using Liberty? It's all very well signing companies on, but what web sites actually use the damned thing?

Reading the testimonials [projectliberty.org] it's all fluffy, without implementation (excluding one company which seems to use it for internal enterprise authentication, which is a way different market to Passport)

Re:No. (1)

16K Ram Pack (690082) | more than 10 years ago | (#9736858)

I suppose it's the old "small acorns" thing.

If there's enough big companies, particularly in the mobile area, there's a chance of big advertising.

I have lots of different sign ons, and would like a single sign-on, if only just for information sites rather than credit card sites.

Small site builders could also benefit from having no need to have their own security databases.

Nope, mostly just an industry interest group (1, Interesting)

Ars-Fartsica (166957) | more than 10 years ago | (#9737767)

Liberty Alliance has devolved into an industry interest and lobbying group. I don't think there are any plans to roll out a united sign-on anytime soon. When Passport died, so did the utility of this body. One has to wonder why it still exists.

Re: or... yes! (2, Interesting)

atomico (162710) | more than 10 years ago | (#9738919)

Liberty-based Single-Sign-On is a very interesting solution, especially for mobile operators: entering usernames and passwords for each service using a phone is such a pain that allowing Single-Sign-On would increase acceptance of mobile subscription services. In addition, you already have a powerful means of authentication, the one allowing you to attach to the network and place calls.

Some vendors already have Liberty-compliant solutions ready for production, with mobile operators running trials. I am not allowed to name such operators, but here is a list of products conforming to Liberty specs [projectliberty.org] . It is a very interesting market, where vendors with a telecom background clash against classical IT ones.

Re: or... yes! (1)

blowdart (31458) | more than 10 years ago | (#9740041)

" you already have a powerful means of authentication, the one allowing you to attach to the network and place calls."

In Europe it's already there, it's a SIM card. So again, what's the point? When authentication is implemented in hardware and can be easily passed around by the operator, why implement a software solution?

Re:No. (3, Interesting)

zimba-tm (598761) | more than 10 years ago | (#9736827)

That really raises the question:
- Why can't they do a protocol without wanting to take it for themselves? :p

I mean, have you seen somewhere on the internet that all the emails have to be at hotmail? :D

^^ This leads to:
Develop a free sign-on protocol
Use user@domain, so everybody can own their information (don't know if I expressed myself well enough)

Re:No. (2, Informative)

ClubStew (113954) | more than 10 years ago | (#9736856)

A Microsoft Passport doesn't have to be from hotmail.com or msn.com or even passport.com. Hotmail and MSN email addresses are automatically Microsoft Passports, but you can register any email with www.passport.com [passport.com] .

A passport alternative. (1, Informative)

Anonymous Coward | more than 10 years ago | (#9737019)

Here is a research project (here [cornell.edu] ) that is building a replacement for Passport. The main idea, as I understand it, is to use multiple authenticators in different administration domains (unlike Passport controlled by a single entity, namely MS) to authenticate a user, and then use threshold crypto to combine the result into a single authentication token.

Re:No. (0, Flamebait)

sempf (214908) | more than 10 years ago | (#9736971)

I hate to disagree, but everyone who uses MSN Messenger has a passport. That's what, 2 million users? Not an insignificant start. I remember when Netscape had two million users and people said the browser wars were over ...

S

Re:No. (2, Funny)

Morgahastu (522162) | more than 10 years ago | (#9737025)

Yes, but are they using it as a single sign on service? I am sure there are millions of people registered to Nytimes.com but if they launched a single sign on service and its existing accounts were automatically eligible and they claimed success because they had millions registered, I'd be laughing.

I have a MSN Passport. But I use it just for MSN Messenger. So I am not using it for its single sign on potential.

Re:No. (1)

Zareste (761710) | more than 10 years ago | (#9736998)

Yeah, and beside that, screw all this browser war junk. I don't give a crap which different browsers and methods there are - web languages are the most versatile of all because everyone's free to make their own browser innovations and design pages for whatever they want.

I'm a web designer and even though dealing with multiple browsers complicates the code, it's the entire reason the web has so many options and capabilities today.

And yeah, this isn't on the subject of Passport, but this frickin' 'everything's a war' stuff is way over-dramatised.

Re:No. (2, Interesting)

SpaceLifeForm (228190) | more than 10 years ago | (#9737462)

Well, maybe the 'browser war junk' as you put it still exists because *you* indirectly support it by 'dealing with multiple browsers'. Instead, why don't *you* just design your webpages to W3C standards and be done with it?

Re:No. (1)

jc42 (318812) | more than 10 years ago | (#9739596)

Instead, why don't *you* just design your webpages to W3C standards and be done with it?

Uh, which W3C standard(s) should I follow?

Have you seen how many standards they've published? Do you honestly think any merely-human brain could even start to hold all that?

Meanwhile, I'm out here doin' my best. I do feed pages to various online validators quite often. Sometimes I can even make sense of what they tell me, and I fix the problems. Sometimes I'm just baffled at what they want me to do. But in those cases, I just reason that they're obviously talking to someone smarter than I am, so I don't worry about it too much.

Even if you try hard to implement to W3C standards, any sensible web developer would still test against a list of browsers. The actual screen representation can vary widely, even for software implementing the same standards. Lately I've been testing against a number of PDA browsers to make sure that users of Tungstens and Blackberries can use my stuff. Those devices do have "real" browsers now, but they are severely constrained by their small screen. Just saying that your HTML is standards compliant isn't enough if some of your important clients are using such small display devices.

Now if there were a way to test against all of them without setting up a million-$-per-year testing lab. That's the real problem. You can easily have a page that passes all known HTML validators' tests, but still comes up unreadable (or very confusing) on some clients' screens, even though they are using a standards-compliant browser.

Lots of us really wish the W3C would ban frames ...

Re:No. (1)

Zareste (761710) | more than 10 years ago | (#9740201)

Well it's a good thing I never expect *too* much intelligent life in /. I'd be terribly disappointed. It's your browser war; you wallow in it. Put simply, if you can't handle possibility and innovation in browsing then you can go ahead and fall behind, restricting yourself to limited capabilities just because you think it'll end this 'browser war' you've come up with.

Jc pretty much debunks the W3C stuff, so that makes my life easier. I'm in the middle of a project which uses (gasp!) Javascript, CSS and PHP and is still compatible with everything. Making a page ugly and uninteractive for the sake of one person's ideas of 'standards' is just not my thing.

Single Sign In (4, Insightful)

dochood (614876) | more than 10 years ago | (#9736777)

It's called Mac OS X's Keychain.

Re:Single Sign In (3, Interesting)

TheRaven64 (641858) | more than 10 years ago | (#9737092)

This may not have been an entirely serious suggestion, but it is a much better idea. I would much rather store passwords locally and trust my own security than trust anyone else's (it may not be more secure, but at least it's my fault if it isn't). The only thing I would like to see a specification for is labelling fields in HTML forms so that they can be auto-completed with information from my vCard. Safari does a good job of guessing at the moment, but it's not perfect.

half solution (2, Interesting)

DreadSpoon (653424) | more than 10 years ago | (#9737770)

This is only a half-solution, however. It still requires creating separate accounts on each host, doesn't allow you to use computers other than your already configured Mac to access those sites, and doesn't let sites share authentication data. (i.e., site A authenticates you, site B authenticates you, and those two sites want to make sure they're both talking to the same person.)

There is a big difference between actual single sign on and (for lack of a better word) hacks that auto sign on for you.

Re:half solution (2, Interesting)

drinkypoo (153816) | more than 10 years ago | (#9738616)

It's a short hop between having a keychain stored on one computer, and having a keychain stored in a smart card or iButton which you can carry with you and which is itself protected by strong encryption. It does require you to trust the computer the data is passing through but that is always an issue.

Re:Single Sign In (2, Informative)

glesga_kiss (596639) | more than 10 years ago | (#9738414)

The only thing I would like to see a specification for is labelling fields in HTML forms so that they can be auto-completed with information from my vCard.

Been done already, and most big commercial websites support it. It's a tag that goes on text entry fields denoting what they are, say "name", "e-mail", "phone" and so on.

Programs like Roboform, Google Toolbar and Gator (spit) use these to autofill your forms for you.

However, this misses the point; these identifications are supposed to securely identify you. This identification may come with a list of addresses, so that when you sign up for a commercial service online, you can identify yourself in a way that they know you are a genuine person not scamming them with a dodgy credit-card number and drop address. Takes the validation responsibility away from the trader, which should reduce their costs and complexity of the initial setup.

Public Key? (1)

j1m+5n0w (749199) | more than 10 years ago | (#9738915)

There's another single sign-in solution called public key cryptography. I'm a little confused as to what problem Passport and Liberty Alliance are trying to solve that wasn't solved 20 years ago by Diffie, Hellman, Rivest, Shamir, and Adleman. Perhaps someone can enlighten me. With PK, you can authenticate yourself to anyone without revealing your secret key.

Is passport/liberty alliance a solution to the public key distribution problem? Is it a hack to support PK-like authentication without requiring client browser modifications?

-jim

who cares? (5, Insightful)

castlec (546341) | more than 10 years ago | (#9736788)

Who cares what company has the new identification standard? I'd rather keep my multiple passwords than rely on one breach of one system to lose my entire online life. I'd assume most geeks are the same and I've met some pretty paranoid non-geeks out there about having any information on the web. So unless we really believe that the information we need to have to exist in our online world won't be available outside of the authentication standards of a few companies, we have nothing to worry about.

Re:who cares? (3, Interesting)

sim000 (721371) | more than 10 years ago | (#9736816)

Except it won't be the geeks who have control over this. A single sign-on system is something 99% of the population would welcome. Surprisingly (not?) most people aren't really happy about having to remember dozens of obscure passwords. But a war? Nah. Fight, maybe.

Re:who cares? (3, Insightful)

sigaar (733777) | more than 10 years ago | (#9736984)

Well I certainly don't want one password for everything, much less a very server which has the names of all the services that I use in. Right now I *can* have the same password for everything I use, and who would know. If someone breaks into my hotmail account, then that's about it, they broke into my hotmail account. They still don't know squat about any other services I might use.

Let users choose for themselves. But having one password and links to all the services I log into, stored by the company who almost only ever make news when another of their security vulnerabilities is discovered, or they get sued over improper business practises, or they're trying to lie themselves out of losing more market share, that's not for me.

RTFA (2, Informative)

mindfucker (778407) | more than 10 years ago | (#9737652)

This is not simply a single sign-on system like MS Passport, where only they manage/control your identity. This is just an API for identity and authentication, and the "identity provider" can be anybody such as the company you work for, the government, or a third party identification service like Thawte.

Re:RTFA (1)

sigaar (733777) | more than 10 years ago | (#9737847)

I was talking about Passport. But the same applies, just on a different scale. Having only one password to different services, and having the password stored in or changed from one place is a security hazard as far as I'm concerned.

To use a simple analogy, I have two bank accounts and a credit card. I have different pin numbers for each card. If I lose my wallet, and say I don't realise this for a couple of hours, someone might somehow figure out my pin and access one account. But he'll have to figure out the other pin numbers too before he can access the others. Now if I used the same number for all my cards, a person who figured out my one pin will have access to all my accounts.

I couldn't care less about who's hosting/providing it. With companies not even trusting their employees to bring in USB storage devices, why the hell should I trust my employer with anything?

Then again, I just reset a user's password. She couldn't remember her password (even after choosing it herself and using it the whole of yesterday). Guess what it was? Her maiden name.

Some people need this sort of system.

Re:who cares? (1)

pandrijeczko (588093) | more than 10 years ago | (#9736904)

Yes, but if somebody gets hold of your passwords, you can only litigate against yourself!

Unfortunately, the world of today is filled with too many sheep who are far too willing to hand their personal responsibilities over to a corporation or government entity to control.

Still, I guess Internet-law lawyers are rubbing their hands with anticipation...

Re:who cares? (5, Informative)

cmj (34859) | more than 10 years ago | (#9736920)

One of the points of the Liberty Alliance is that you, the end user, choose whether to Federate your accounts or not, and you get to choose to break that Federation. Take a spin through the backgrounder paper [projectliberty.org] on Liberty - there's a lot of tech, but there's also quite a bit of thinking about privacy and security there.

Re:who cares? (1)

Broadcatch (100226) | more than 10 years ago | (#9737910)

Yes, Liberty has done some great thinking about privacy and security, but it's still a hub-and-spoke system in which they (the 150 rich and powerful members) own your identity and (in their parlance) "provide" you with access to it through an "Identity-Provider".

Still, it's a lot better than Microsoft, where the only good thing to say about Passport is you know that the database won't get bought by Microsoft.

There are other personal identity platforms coming in the open source/grassroots arena. One promising entry is being put forward by the Identity Commons [identitycommons.net] [disclaimer: I'm the CTO ;-)] where each person owns and controls their own identity. We're launching a fund raiser in a few weeks in which people will be able to buy a 50 year duration i-name for somewhere under $50 U.S. There's a bit more on i-names on our technology [identitycommons.net] page, but we're still working hard on the code (and the site!).

Bottom line: don't put all your eggs (or identity) in one basket - unless you own and control that basket!

Sign-on War (5, Insightful)

bheer (633842) | more than 10 years ago | (#9736798)

I'll believe there's a "sign-on war" the day Ebay locks people out for not having a passport/liberty alliance account. (Currently they support Passport+their own system.)

Honestly, site-specific sign-on systems are easy to develop and most e-tailers have a powerful motive to offer their customers as many choices as possible. This is in stark contrast to the one-or-the-other image a "war" connotes.

Re:Sign-on War (1)

Andy_R (114137) | more than 10 years ago | (#9736823)

What's the incentive for ebay (or anyone else) to do that?

Re:Sign-on War (3, Insightful)

iMMersE (226214) | more than 10 years ago | (#9736911)

To get as many people using their system? I, for one, am often put off when having to fill in a form to gain access to some area of a site. If I just sign in using some shared system, I would use more of these sites.

Re:Sign-on War (1)

Andy_R (114137) | more than 10 years ago | (#9737149)

That's an incentive to offer one or both of these as *options*. I'm asking where the incentive is to make one or both of these *compulsory*. Big difference!

Re:Sign-on War (1)

iMMersE (226214) | more than 10 years ago | (#9737389)

Yes, sorry, I misunderstood you. You are right, there are no incentives for any site to limit their users to using one single sign-in system.

Also, if you did, your site wouldn't be much good if the third party was down for whatever reason.

As an aside though, thinking about the children for once, it would give the script kiddies a really good target for their DDOS of the month.

Patent (2, Interesting)

millahtime (710421) | more than 10 years ago | (#9736800)

Does Microsoft have a patent on this kind of single signon? It sure wouldn't surprise me if they have one or one in the works.

How universal can it be? (4, Insightful)

frostman (302143) | more than 10 years ago | (#9736802)

How universal can any kind of "identity system" be before it gets scary and/or illegal? (Illegal in countries with data protection laws anyway.)

Nokia is on board [nokia.com] with this, and as more and more of my personal information gets concentrated on my phone I'll probably end up using it.

Eventually we'll probably all have a digital "passport" of some kind - and much better this way than the Microsoft way - but it's still a bit creepy.

Re:How universal can it be? (1)

glesga_kiss (596639) | more than 10 years ago | (#9738448)

How universal can any kind of "identity system" be before it gets scary and/or illegal? (Illegal in countries with data protection laws anyway.)

The Data Protection issue (I'm in the UK, we have these laws) can easily be worked around. All they need is your consent to share the data, all it would take is some text stating that by logging in to a new company's site, you consent to sharing your details. Which is why you are logging-in in the first place.

The Data Protection stuff is going to be a big failure anyway soon, the internet does not respect borders. Once the data's out of your country, you have no control over it. Shame, because they are good laws.

Re:How universal can it be? (2, Informative)

atomico (162710) | more than 10 years ago | (#9739099)

How universal can any kind of "identity system" be before it gets scary and/or illegal? (Illegal in countries with data protection laws anyway.)

In theory at least, it is the end user who chooses to 'federate' her different accounts so she has to log just into one of them.

Now that you mention Nokia, this issue is really hot in the mobile world, where the mobile network operator would play the role of Identity Provider, allowing Single-Sign-On to a number of mobile websites or even subscription data services. Authentication could be performed at a lower level in the network, when the mobile terminal is switched on, and the User ID can be linked to the mobile number.

Microsoft or Sun? No... (5, Insightful)

Glock27 (446276) | more than 10 years ago | (#9736804)

is the identity standard of the world going to be Microsoft, or Sun?

With, as you point out, over 150 member companies the Liberty Alliance is scarcely just "Sun".

Re:Microsoft or Sun? No... (1)

sempf (214908) | more than 10 years ago | (#9736992)

Point taken. It is Sun people doing much of the work, though, and is largely built around the Java language, which is Sun controlled. But you are right, it is The Man versus The People, I suppose.

S

Re:Microsoft or Sun? No... (2, Informative)

raul (829) | more than 10 years ago | (#9737499)

The Liberty Specification does not dictate any language implementation. It is just an extension of SAML [oasis-open.org] that is just an XML schema above SOAP with some XML-SEC message security. Nothing more fancy. I think that PingID has a .NET implementation.

Anyone can download the specs and do a client/server implementation just using apache projects (Xerces, XML-SEC) and some DOM/servlets knowledge to implement their protocol.

Anyhow you can do it in c++/java/.NET or whatever language you like.

They're all terrified of MS' power (5, Interesting)

Anonymous Coward | more than 10 years ago | (#9736806)

So they're all finally joining forces.

Intel is terrified that Longhorn's .NET hardware independent toolset will allow MS to move away from x86 at will and set up their own chip division. MS can't grow their software division much more in a saturated market, but if they use their own chipset (or licence it to a couple of 3rd party suppliers) they can take over all of Intel's current profit.

Oracle is of course competing against SQL Server.

All these large IT companies have known for years that MS is going to eat their lunch, but they couldn't work out what to do about it.

The penny has finally dropped - the only way to combat MS is for them all to work together using common standards : hence, their support for Linux, the Liberty Alliance, J2EE and so on.

Re:They're all terrified of MS' power (3, Informative)

Ari_Haviv (796424) | more than 10 years ago | (#9737038)

Intel isn't just paranoid. Rumors have it that the Xbox2 will use powerpc cpu's instead of intel or even AMD

Re:They're all terrified of MS' power (0)

Anonymous Coward | more than 10 years ago | (#9737094)

So it all ties together... MS uses XBox2 to grow the market for alternative chipsets. This justifies the losses the XBox division is making.

Then, when the manufacturing is in place, out comes Longhorn+, which only runs on the new chips.

Re:They're all terrified of MS' power (4, Interesting)

TheRaven64 (641858) | more than 10 years ago | (#9737117)

Actually, I think Intel is more keen to ditch x86 than MS. They tried to with the i860. They are trying with the IA64. I recall a few months ago an Intel representative stating that they thought x86 only had a couple of generations left. Unfortunately, they can't jump ship if AMD doesn't. Hopefully Longhorn will ship for several CPU architectures (as NT did), and will include something based on VirtualPC for running legacy x86 code.

Note that the only non-x86 architecture properly supported by Windows at the moment is IA64.

Re:They're all terrified of MS' power (3, Interesting)

mikrorechner (621077) | more than 10 years ago | (#9737345)

MS can't grow their software division much more in a saturated market, but if they use their own chipset (or licence it to a couple of 3rd party suppliers) they can take over all of Intel's current profit.

Mind you, it's not so easy to design a new chip with a performance comparable to Intel's recent x86 processors (or AMD's, for that matter). It would take a few years at least, and that is with buying some technology from others.

No, I think the only thing that might happen is a MS system based on PowerPC chips, as is happening with the next Xbox, AFAIK.

Where is the free IM presence provider? (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9736807)

Jabber? Why aren't there free IM presence providers? Similar to the IRC networks... can't IM be latched onto EFnet or something?

I guess once AOL and M$FT start charging it will happen.

M$FT is really unethical and dirty in their banning of free third party IM clients from their network when back in 2000 they deliberately tried to "hack" and integrate with AOL .. even going so far as to modify the client when AOL tried to ban the MSN Messenger.

Has everyone forgotten this??

Trillian etc. are illegal according to the M$FT terms of service. One day M$FT may try to sue Trillian and get them thrown in jail for simply doing what Microsoft themselves tried to do 4 years ago. It's a gross injustice and very evil unethical behavior on Microsoft's part.

Why hasn't microsoft been called up on this?
I think it's pretty damn ugly of them. Honestly it pisses me off more than the whole operating system monopoly thing. Because we are talking blatant double standards and hypocrisy.

-Johan

A pretty good standard (5, Interesting)

Cyberax (705495) | more than 10 years ago | (#9736808)

Liberty is a pretty good standard, it allows federated and distributed authoring instead of Microsoft's "only we know who you are" approach.

It's a shame that everything this alliance has produced up to date is just a pile of PDF specifications. Hope it will change soon.

Re:A pretty good standard (1)

allenw (33234) | more than 10 years ago | (#9737531)

You mean like these [projectliberty.org] ?

[Ironically, the page has "last week's name" for Sun's product, Access Manager [sun.com] . Even groups that Sun founds can't keep up with the continual name changes!]

My big beef with it is the lack of perl and PHP defined APIs. Given the amount of LAMP (along with perl) being used on the web these days, it seems extremely short-sighted not to have them defined. Just think, /. and the rest of the OSDN sites could be using Liberty to cross-authenticate rather than requiring each site to do their own auth systems.

Single Sign-On (5, Informative)

storem (117912) | more than 10 years ago | (#9736812)

Be sure that this will be the next big war. But it will most certainly not be fought in the open field. My guess is that this will mostly influence companies as they move more and more to single sign-on solutions.

Article from Internet News [internetnews.com]

June 30, 2004
Single Sign-On Gains Liberty Support
By Clint Boulton

Although a lack of interoperability has threatened to hold Web services adoption back, Liberty Alliance, a group dedicated to forging an open identity standard, cracked that barrier by certifying nine single sign-in products this week.

The group awarded Ericsson, Hewlett-Packard, IBM, Netegrity, Novell, Oracle, Ping Identity, Sun, and Trustgenix its "Liberty Alliance Interoperable" mark in a conformance test.

The certification, which covers Liberty Alliance Identity Federation Framework (ID-FF) version 1.1 and 1.2 for single sign-on services, involves a rigorous testing process that gauges identity federation, authentication, session management and privacy protection. Vendors must demonstrate interoperability with two other randomly selected participants.

Secure single sign-on services are a key ingredient for Web services, a high-flying concept for distributed computing that allows applications to talk to one another to perform tasks. But customers are afraid to "sign-on" without a secure brand, because crackers can swipe their personal information if the site is not safeguarded properly.

According to a Liberty statement, the products are interoperable out-of-the-box, which pares deployment schedules and saves costs. This is key, as customers are loath to license technology if it isn't supported by a validated standard, according to Gartner analyst Ray Wagner.

"Customers who are thinking about federation projects need some reassurance that there won't be a huge amount of manual integration necessary between partners with different infrastructures," Wagner told internetnews.com. "Requiring compliance with Liberty, SAML, WS-Federation, and WS-I Basic Security Profile, or a subset of the above, will provide some assurance that systems have the capability to work together."

Wagner said he believes most vendors who make identity management products will provide compatibility with specs or standards in the short term, noting that Federation protocols in particular (SAML, Liberty, WS-Federation) will likely converge in the medium term.

With Liberty's certification, companies can say that their products are compliant with the Liberty identity standard, making their identity management software more appealing to customers looking to shore up their Web services platforms with authentication via single sign-on services.

Forrester analyst Randy Heffner said using Identity Web Services Framework (ID-WSF) requires Liberty's ID-FF and offers an interoperable path to Web services as long as users start with Liberty's ID-FF.

"There is a test suite to ensure broad testing coverage of the technical interfaces," Heffner told internetnews.com. "But successful operation of the tests is sort of on the honor system -- except that a vendor who wants the Liberty logo must participate in an interoperability event and successfully connect with a couple of other randomly chosen products."

"This is better than a simple, pre-planned interoperability event, which only proves that there is 'at least one' configuration by which products can work together -- but not that this is the configuration that any given user might need," Heffner concluded.

Web services have been slow to take off over the last few years, due to obstacles such as interoperability, security and manageability. But this is changing, owing in part to the steady work companies have been putting into the matter and the increasing acceptance of the more broad service-oriented architecture approach to software services.

The following products are now Liberty compliant: the Ericsson User Session & Identity Server 1; HP OpenView Select Access 6; IBM Tivoli Access Manager software family; Netegrity SiteMinder Federation Solution Module 6; Oracle Identity Management 10g; Ping Identity SourceID Liberty 2.1; Sun Java System Access Manager; and Trustgenix IdentityBridge 2.1.

Meanwhile, Novell is developing a Web authentication/authorization product that enables the secure federation of identity data through both the Liberty Alliance specifications and the SAML protocol. It is scheduled to ship in the first half of 2005.

Relevance ? (0)

vi (editor) (791442) | more than 10 years ago | (#9736813)

MS passport system is a big failure.
Why should we care about alternatives for something which won't work anyway ?
These centralized identification systems have all the same fundamental security and privacy issues.

What Standard? (3, Interesting)

jackb_guppy (204733) | more than 10 years ago | (#9736819)

There a can be no indentity standard, because there can be no indentity.

IPs can be spoofed, mail foraged, add to that proxies and firewall... There is no way of telling who is really on either end of the connection. Now, add single signon security, without forced timeout of passwords and without heavy forced editing preventing reuse and dictionary attacks.

Look to windowsupdate.microsoft.com. Are you truly connecting to Microsoft? No, you are not. So you are taking a SECURITY download from a site, that may have an association with MS but not MS itself. Boy are we trusting.

So where does that leave the rest?

Re:What Standard? (3, Funny)

Tim C (15259) | more than 10 years ago | (#9736843)

mail foraged

Yeah, I hate it when people forage through my email - it's bad enough that my girlfriend goes through my phone sometimes, but my email? No way!

Re:What Standard? (0)

Anonymous Coward | more than 10 years ago | (#9737016)

You are absolutely right, there is no "indentity" standard, because there is no such word as "indentity".

Re:What Standard? (1)

DMUTPeregrine (612791) | more than 10 years ago | (#9738089)

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have a GNUPG key. Now, that only means that all messages signed by that key are from the same person, but if combined with a credit check, or some other such thing (SSN for example) it can be quite secure. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (MingW32) - WinPT 0.7.96rc1 iD8DBQFA++UyB31qu1vt9NcRAthUAJ922zl1pfQFnXTqBLpjJY EwyK/SYwCfdI17 MQYZ+U8aU6/9BJr9bnG+qU8= =J0tc -----END PGP SIGNATURE-----

Re:What Standard? (1)

glorf (94990) | more than 10 years ago | (#9739138)

There a can be no indentity standard, because there can be no indentity.


Maybe you are trolling or maybe you are just pandering to the tin-foil hat crowd who would love to believe that they can be without identity.

You seem to be forgetting public key cryptography. And the forced timeout is not an issue. A SAML assertion says when the user was authenticated and when the assertion itself was created. True it may not be forced timeout, but every site that I visit that has important personal info of mine has a timeout.

I think claiming (4, Funny)

Anonymous Coward | more than 10 years ago | (#9736824)

that something is the 'new browser war' is the new black.

Re:I think claiming (2, Funny)

Rovaani (20023) | more than 10 years ago | (#9737269)

I think this new browser war is the new browser war!

How about this... (4, Insightful)

danheskett (178529) | more than 10 years ago | (#9736828)

...Single sign-on outside the corporate network (aka, the Internet at large) is a problem that doesn't need much solving..

..and both MS and Sun will fail at solving a problem that doesn't really need solving.

A better approach would be for either MS or Sun to develop multi-language, multi-platform products that will help web developers implement standard password requirements, username/password schemes, etc.

Forcing a lame implementation of bad technology isn't going to work.

Re:How about this... (1, Insightful)

Anonymous Coward | more than 10 years ago | (#9736900)

So what would your "better approach" actually do?

So I get a multiplatform tool that helps me make people choose certain usernames/passwords on my website.

How does that fix the problem of said people having dozens of usernames/passwords on multiple websites?

Re:How about this... (1)

danheskett (178529) | more than 10 years ago | (#9737584)

How does that fix the problem of said people having dozens of usernames/passwords on multiple websites?
Who said that's a problem again? Is there some popular outburst of anger about having multiple usernames/passwords that I am unaware of?

Re:How about this... (2, Insightful)

AmaDaden (794446) | more than 10 years ago | (#9736931)

Yeah, but if Sun and everybody else just left this alone and it DID turn into something we would all be stuck using MS for something else. So despite how worthless it seems I'm glad they're opposing it. After all, better safe than sorry.

Re:How about this... (2, Interesting)

danheskett (178529) | more than 10 years ago | (#9737067)

No, Sun's effort is as useless as MS's, since actual sites don't want to use it.. either MS or Sun.

It's all useless.

Re:How about this... (1)

tolan-b (230077) | more than 10 years ago | (#9737309)

Seeing as there's no actual running code yet, don't you think that's a bit hasty?

Re:How about this... (1)

danheskett (178529) | more than 10 years ago | (#9737454)

It is especially useless, since there is no code. No implementations. It's nothing. It's trying to solve a problem that doesn't exist, and certainly doesn't warrant a 150-company commission.

My bet is on... (2, Insightful)

vashathastampedo (627544) | more than 10 years ago | (#9736863)

Both Microsoft and Sun to make equally useless products that nobody really wants to use... for now.

I don't want a single sign-on (0, Redundant)

Anonymous Coward | more than 10 years ago | (#9736870)

To everyone here doing their favorite pastime, bashing Microsoft, do you really think your information will be so much safer with Sun or Apple? Don't be so naive. Eggs in one basket, especially as it pertains to computers and networking (both with terrible records on security) is a bad thing.

Re:I don't want a single sign-on (0)

Anonymous Coward | more than 10 years ago | (#9739779)

You sir, are a complete moron. Have you understood the first thing about Liberty? I think not. Moron. Moron. Moron.

This would be like fighting over... (3, Funny)

Anonymous Coward | more than 10 years ago | (#9736876)

...who gets to give you herpes.

Summary is misleading (3, Insightful)

CdBee (742846) | more than 10 years ago | (#9736880)

The big IM providers are NOT joining forces, they're just making a tidy sum providing Microsoft with a way of routing messages between networks. IM convergence would mean being able to send a message to a user on another network directly, that still is not on the cards.

I'm just waiting for Google to offer a Messenger service, using a gMail account as a login. I think they could bring great things to the IM market, especially if they based an offering on an OSS project like Jabber, for which other IM software providers could then incorporate support.

Passport is already tied closely to Messenger and Windows XP in particular, I don't see the opposition gaining ground without going the same way.

Re:Summary is misleading (4, Insightful)

sempf (214908) | more than 10 years ago | (#9737065)

... IM providers are NOT joining forces ... IM convergence would mean ...

Note that I did NOT say IM convergence. I DID say they are joining forces. They are. Despite all of the vitriol, reality has forced them to hold hands and play nice. I'm sure the ability to send a message from one platform to another using a common P2P platform is not far off, despite your claims.

How exactly is Google making a gMail messenger any different from MSN messenger, or Yahoo messenger? All great brands, all good technology. Will it be better because you like Google more? Don't get me wrong, I like Google too, but how will a fourth standard make it any better?

Re:Summary is misleading (1)

DMUTPeregrine (612791) | more than 10 years ago | (#9738153)

How about an IM proxy service? Something where you type "NETWORK:ID" and it starts a conversation into that network, through the proxy server. The proxy is connected to all networks, and would display your username after its. So, as an example conversation:

MSN:Fred Hi Fred!
>IMProxy George: Hi Fred!
AIM:George Hi George.
>IMProxy Fred: Hi George.

Basically so that you don't have to sign up for everything, someone else does the work. Sort of like BugMeNot. GAIM does this well for a single user, I'm thinking a public service.

Liberty Alliance is not the same as Passport (5, Informative)

Anonymous Coward | more than 10 years ago | (#9736893)

The Liberty Alliance is not a single signon like Passport. It doesn't put all your data in the hands of one organisation. It basically allows you to link logins and share data between them.

It's a tricky concept to grasp but I've found these two introductions helpful:

Re:Liberty Alliance is not the same as Passport (1)

sempf (214908) | more than 10 years ago | (#9737008)

From our (the developer's) perspective, it is different. From the User's perspective, it is the same. That's what I was going for. But your point is taken.

Neither? (3, Insightful)

blanks (108019) | more than 10 years ago | (#9736923)

How about I just keep my identity and NOT have any single company owning my personal data? Yes convince is what America is all about, but there are still many steps needed to be taken in the real world to prove your identity, why do we need one system that everything will be required to use (think about the future). With something like this, I can see something bad happening. The US government (world government too) has been trying to remove the ability to be anonymous on the internet, with a system like this INFORCED at many different levels, the ability to be anonymous would no longer exist, the moment you connect your pc to the internet (LAN?) you would be authenticated.

Re:Neither? (2, Insightful)

iso (87585) | more than 10 years ago | (#9737220)

How about I just keep my identity and NOT have any single company owning my personal data?

That's what the Liberty Alliance is. It's a way to share authentication info without one company controlling it all. RTFA.

What? (1)

meadowsp (54223) | more than 10 years ago | (#9738466)

convince is what America is all about?

What the hell are you on about.

And it's Enforced, not inforced.

And if you've got an IP address, then you're not exactly anonymous anyway.

Re:Neither? (1)

/dev/trash (182850) | more than 10 years ago | (#9739995)

You should have started this fight back in say the 60's. It's a little too late now.

What about dotGNU? (1)

jlar (584848) | more than 10 years ago | (#9737028)

Does anyone know what dotGNU proposes to do?

From their website it seems that they are making some kind of decentralized "passport". Is The Liberty Alliance also pushing a decentralized solution?

Why stop at just two (1)

bhmit1 (2270) | more than 10 years ago | (#9737052)

Microsoft or Sun, we need more choices, like a different single sign on system for everything we log into. Oh, wait, we already have that. Now what were we trying to fix again?

Re:Why stop at just two (3, Informative)

Samari711 (521187) | more than 10 years ago | (#9737881)

actually despite what the person who posted this article implies, LA is not a monolithic sign on like Passport. LA basically provides a protocol for a person's identity to be authenticated via a third party and the token from that third party server passed to different sites that trust the third party. The standard does not however stipulate that there can be only one company capable of identity verification, but rather lets sites choose who they trust the information from.
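The relying-site side of what this comment and the earlier comment on SAML assertion timestamps describe, as an added example that is not part of the thread or of any Liberty implementation: a site accepts assertions only from the identity providers it has chosen to trust, and applies its own login-age timeout using the authentication and issue times the assertion carries. It uses SAML 2.0 element and attribute names; the issuer URL, the policy values and the sample assertion are constructed, and signature verification is assumed to have happened already.

```python
# Added example: relying-site checks on a SAML 2.0 assertion (policy names are hypothetical).
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; a real one carries the identity provider's signature.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2004-07-19T14:05:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>opaque-handle-1234</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2004-07-19T14:04:30Z" NotOnOrAfter="2004-07-19T14:10:00Z"/>
  <saml:AuthnStatement AuthnInstant="2004-07-19T13:50:00Z"/>
</saml:Assertion>
"""

# Hypothetical policy of this site: which providers it trusts and how old a login may be.
TRUSTED_ISSUERS = {"https://idp.example.org"}
MAX_AUTH_AGE = timedelta(minutes=30)
CLOCK_SKEW = timedelta(seconds=60)


def parse_instant(value):
    """Parse a SAML UTC timestamp such as 2004-07-19T14:05:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now):
    """Return (accepted, reason). Assumes the XML signature was verified beforehand."""
    # For untrusted input in production, parse with a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in TRUSTED_ISSUERS:
        return False, "untrusted issuer"

    conditions = root.find("saml:Conditions", NS)
    authn = root.find("saml:AuthnStatement", NS)
    if conditions is None or authn is None:
        return False, "missing Conditions or AuthnStatement"
    try:
        issued = parse_instant(root.get("IssueInstant", ""))
        not_before = parse_instant(conditions.get("NotBefore", ""))
        not_on_or_after = parse_instant(conditions.get("NotOnOrAfter", ""))
        authenticated = parse_instant(authn.get("AuthnInstant", ""))
    except ValueError:
        return False, "missing or malformed timestamp"

    # The login cannot have happened after the assertion about it was created.
    if authenticated > issued + CLOCK_SKEW:
        return False, "login time is later than issue time"
    # Validity window set by the identity provider.
    if now + CLOCK_SKEW < not_before:
        return False, "assertion not yet valid"
    if now - CLOCK_SKEW >= not_on_or_after:
        return False, "assertion expired"
    # The site's own timeout, independent of what the identity provider allows.
    if now - authenticated > MAX_AUTH_AGE:
        return False, "login too old, re-authentication required"
    return True, "ok"
```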

Re:Why stop at just two (1)

bhmit1 (2270) | more than 10 years ago | (#9738396)

actually despite what the person who posted this article implies, LA is not a monolithic sign on like Passport

Actually it was just a bad attempt to be funny before the morning sugar rush hits my head. But the implication that we can be authenticated via a whole long list of places proves my point a little more rather than less. Mainly that we are simply going to have a long list of places to authenticate to just like we already have, so what did we fix? Or to put it another way, my dad has 6 different universal remotes to work his TV/VCR/DVD/Receiver/etc. While each one could work everything, he claims there are advantages to each one for working a specific device.

Personally, I kinda like the current "everyone does their own thing" system since I can pick who I give the real information to vs who gets the fake information, and give each one email and street addresses (the street address is done by adding an ATTN line) that I can map back to who I gave that data to. It means I see who sells my identifying information to who and can pick and choose who to cut off or throw away without opening. Now I'll have to manage a separate LA account for each company I want to have only a portion of my identifying data, so we're back to the same problem, which I don't see needing a fix.

Re:Why stop at just two (2, Informative)

Samari711 (521187) | more than 10 years ago | (#9738989)

part of the standard allows you to pick and choose what information you share with whom. granted you'll still be giving all your information to one identification provider but you get to say what of that information is available to any company you want to link the login to. I'm not sure how to go about giving phony information other than having a bogus account though.

That logo looks familiar... (1)

Singletoned (619322) | more than 10 years ago | (#9737057)

I found the logo (and even the name) to be vaguely reminiscent of the Alliance and Leicester bank [alliance-leicester.co.uk] . I wonder if it's just a coincidence?

Where does AOL really stand? (1)

lcsjk (143581) | more than 10 years ago | (#9737125)

The first link says MS, AOL and Yahoo have joined forces.
The Liberty Alliance page shows AOL as one of the 15 "Management Board Members".
Seems AOL is positioning themselves to be a win/win member.

Liberty Alliance? (1)

Wordsmith (183749) | more than 10 years ago | (#9737222)

I prefer "Coalition of the Willing (TM)."

Re:Liberty Alliance? (1)

thinkfat (789883) | more than 10 years ago | (#9737315)

unless it becomes a "Coalition of the Doing" it's not going anywhere...

Suckers! Just what Big Brother wants! (1, Interesting)

Blitzenn (554788) | more than 10 years ago | (#9737545)

This article and the replies contained therein clearly demonstrate Big Brother's ability to polarize the American public on who is the best provider of security while keeping the focus off the real issue at hand, the systematic destruction of your personal privacy. Who cares which one is better! I don't want either! Who really believes you can catch the bad guys by keeping track of the good guys? We have proven that to be false and flawed, over and over, and that that approach simply doesn't work. The bad guys never abide by the system, but find ways around it. Does gun registration stop people from obtaining illegal guns for use in crimes? Does all the information a bank collects on you stop someone from ripping off your bank account? Meanwhile the rest of us have more and more laws to abide by, more hoops to jump through, more restrictions on our movements and more eyes watching our every move. Maybe if there were cameras in my house watching me, my neighbor wouldn't kill anyone. Wake up, before it's too late!

"Jennifer Government" (1)

Webs 101 (798265) | more than 10 years ago | (#9737751)

What will the Microsoft-led coalition be called? Team Advantage? (In a perfect world, Liberty Alliance would be US Alliance. I know.)

Re:"Jennifer Government" (0)

Anonymous Coward | more than 10 years ago | (#9739499)

Even for slashdot, that was a very obscure reference!

should have called it the Rebel Alliance.. (2, Funny)

aurelian (551052) | more than 10 years ago | (#9737890)

..then we could back it unreservedly

Liberty Alliance is low tech (2, Interesting)

Orion Blastar (457579) | more than 10 years ago | (#9737933)

you download a form, fill it out, and send it back to them. No online verification, and no electronic forms. I give it a thumbs down. Join the 21st century, Liberty Alliance!

"Warning slippery when sarcastic!"

The Liberty Alliance (2, Funny)

FraggedSquid (737869) | more than 10 years ago | (#9738282)

Coming to a Marvel comic book near you soon

client peace (1)

Doc Ruby (173196) | more than 10 years ago | (#9738486)

I want multiple signons, so a single server crack doesn't jeopardize all my info, along with everyone else's. I want a single client that manages all those signons. That security architecture also makes any one crack less profitable - getting all my info isn't nearly as attractive as getting every customer of a big web merchant. The distributed security will reduce the damage, and increase the trust of the infrastructure.

Re:client peace (1)

Excelsior (164338) | more than 10 years ago | (#9740431)

That sounds great in theory. Unfortunately the facts are that most of us provide the same information to all the websites and vendors we deal with. Gaining access to any one usually means the thief has access to all your information.

In the end, I'd rather trust all my information to one of the largest security systems in the world rather than Joe Bob's Tackle Supply.

Cross-site scripting (2, Interesting)

ngunton (460215) | more than 10 years ago | (#9738972)

It seems like there is a major problem with cross-site scripting that is very hard to fix in all cases. For example, here's one [securityfocus.com] related to Passport. The point is that css is hard to fix because you can't guarantee that another website that uses the same single signon system won't be vulnerable. So if there is a single signon system, then it seems to me that it's all only as secure as the most insecure website in the network.

Is there a difference anymore? (2, Interesting)

C3ntaur (642283) | more than 10 years ago | (#9739077)

Last I heard, Sun sold their soul to M$ for about $2 billion.

Identity Commons (2, Informative)

spot (3593) | more than 10 years ago | (#9739968)

The Identity Commons [identitycommons.net] is also working on the same problem, but they have taken a more useful approach than the Liberty Alliance.