Forgot your password?
typodupeerror
This discussion has been archived. No new comments can be posted.

Sun Releases Open Source Tool for Project Liberty

Comments Filter:
  • Security (Score:1, Troll)

    by I_am_Rambi (536614)
    The Liberty Alliance Project is an effort to establish a universal online authentication system that serves as an alternative to Microsoft's proprietary Passport online ID system. Both efforts have the same goal: let people surf the Web without having to constantly re-enter passwords, names and other data at different sites.

    The question is will Liberty Alliance Project be more secure than passport. Wait, who am I asking? Of course it will be better in security than M$. Who isn't?
  • Huh? (Score:4, Interesting)

    by Ctrl-Z (28806) <tim@timcole[ ].com ['man' in gap]> on Friday September 20, 2002 @12:03AM (#4295018) Homepage Journal

    I don't get it. Is Sun ONE the same as the Liberty Alliance? The article that is referenced doesn't mention Sun ONE that I could see, just the Liberty Alliance.

    I didn't even know that the Liberty Alliance was still around since Hailstorm kinda fell through.

    I wonder if they're having much luck selling the idea to anyone. Microsoft sure didn't.
    • Re:Huh? (Score:5, Informative)

      by arberya (176464) on Friday September 20, 2002 @12:22AM (#4295107)
      The Liberty Alliance is a group of companies helping to define the specification. Sun propsed Project Liberty as an alternative to Passport. Sun have implemented the specification in their Sun ONE range of products. You will probably see Novell implement the specification within eDirectory as they are members of the alliance as well. As for selling the idea to anyone, it is not a matter of selling it, if you look at the specs it sells itself. Devolved identity management, no single company holding identity information, like Microsoft does with Passport.
      • Devolved identity management, no single company holding identity information

        That's even BETTER than Passport. Lots of organizations out there passing around my private information.
    • Re:Huh? (Score:3, Informative)

      by JediTrainer (314273)
      I don't get it. Is Sun ONE the same as the Liberty Alliance?

      Not quite. Sun ONE is the competitor to the Microsoft .Net framework (meaning, it's a suite of server and development applications, including the Forte suite of IDEs, compilers and your application/web servers and whatnot). Liberty Alliance seems to be competing against Microsoft Passport and all that 'secure' global user profile shtuff.
    • Sun ONE is a particular combination of service software that sun has, and is principally a marketting thing. So, things like the Iplanet stuff, various ecommerce bits, etc, all fall under SunONE. It incorporates a bunch of stuff that's all largely based around open standards. The Liberty Alliance is a group, of which Sun is a founding member, which is producing a standard for a particular service. So, at some point the SunONE offering, if they've haven't moved on from that name, will likely implement the Liberty Alliance authentication standard as one of the features in the appropriate products, and might include the softare to manage the server side of it as a SunONE product.
    • Re:Huh? (Score:3, Informative)

      Well, there is definetly a market for this kind of thing, it is just about the implementation. Basically, MS said: "give us all your data, you can trust us with it". Everybody fell over laughing, of course. That is why Hailstorm fell through.

      The Liberty Alliance is saying: "We don't want your data, we just want to give you the tools".That there is a need for the concept of identity management stands beyond any doubt. How many website logins do *you* have? Exactly. However, how the respective organisation plan to hndle all the data, and plan to implement the concept is what really matters here. That is why the Liberty Alliance has a much better change of actually being used.

      Of course, it is an extra kick in the face to MS that the first tool to come out is Open Source.....
  • after a few years swinging in and out of the open source community with hidden agendas, maybe Sun is serious this time?
  • Open source... (Score:2, Interesting)

    by XTerm89D (609102)
    Yes, this is open source software, but can anyone explain me the difference between a no-go commercial application and this, except that you have the 'source' ?

    As I read in the license it's still 'Intellectual Property bla bla', 5 lines thereafter they define 'Commercial Use'...

    What we need is Free Software, not crappy I-wanna-be-cool-but-am-GPL-scared software.

    To me this is no better than (oh-the-horror) Microsoft Word
  • Uh (Score:3, Insightful)

    by yem (170316) on Friday September 20, 2002 @12:19AM (#4295087) Homepage
    Why not just tell your browser to remember the login? Frankly I trust my computer a lot more than some corporation - Microsoft or otherwise.
    • by Utopia (149375)
      That doesn't work across sites.
      You will have to register in every site.
      Browsers only remember username/password information per site.

      This is like Microsoft Passport.
      You register just once and use your the same username/password across sites.
    • Re:Uh (Score:4, Insightful)

      by Diabolical (2110) on Friday September 20, 2002 @02:38AM (#4295492) Homepage
      Yes... if that is the only computer you work with. But i have my personal systems at home, a system at work, when i'm visiting relatives i use their computer same when i visit friends. When i am on vacation i use a system in a cybercafe etc. etc. etc.

      It would be nice if i could use the info on a centralized system. Mind you, i'm just talking about the info. Not about data accumulated from online buying etc.

      This is where this system comes in, it allows to store information about a person on a central place while allowing online shops to hold on to their own info. MS Passport tries to gather all the info in one place, prefferably on their own servers.
      • Re:Uh-Smart Card. (Score:1, Interesting)

        by Anonymous Coward
        "It would be nice if i could use the info on a centralized system."

        It's called a smart card. You go, it goes with you.
        If you want something more there. Try a USB keychain device, with smart card features.

        • Uhm. yes.. a smart-card might do it or USB keychain. Assuming the computers you work with have a way of reading those things... In most cybercafe's your not allowed to attach a device to their systems. Nor has everyone a smartcard reader. Not everyone is tech savy..
      • by msimm (580077)
        What about smart cards or removable memory.

        Why would my information need to be stored anywhere else?

        Plug:
        I LOVE Mozilla.
    • Re:Uh (Score:3, Insightful)

      by awol (98751)
      It's not just about allowing you to login, but one of the fundamental problems of the "internet" is the proof of identity. As more and more important services become online, it becomes more and more important to be confident that Jo Public is actually a) Jo Public and not Mary Citizen and b) The Jo Public of 23 Main Street Bigtown.

      In meatspace, you prove identity by a "collection" of evidence from relatively trusted sources, a bank account, a gas bill and something with a photo. In the on line world being able to go to an online vendor and do a similar thing where you can prove that BANK A, utility co B and Company X all know about a Jo Public of 23 Main Street obviates the need for a "central" repository of identity, which, if you ask me, is a good thing (TM) (ie not having one is a good thing :-)

      So in addition to the peoples points about using multiple machines (an excellent point by the way), proof if identity is the killer app INM(NS)HO.
    • Re:Uh (Score:3, Insightful)

      by Sunnan (466558)
      With this, you can do a lot of stuff you can't do with just browser remembrance. You're at a travel page booking a flight, and it can book the bus trip for you as well without you having to log in to the bus company.

      But I agree that there are trust issues.

      The other day, me and my friend Kreiger was thumbing through some dumb "technical" magazines while we were in a waiting room, and I saw the news that some phone company had joined the liberty alliance. "Cool," said I and began talking about how this could make sites easier to use, how it was more trustworthy and less evil than Hailstorm. He was saying kinda the same things you are, and I said "It's good for users".

      Just minutes after that, we came upon an article about Intels new DRM-iniative. It was totally slanted! "Intel builds in protection against virii and hackers." What the...? I'm totally against DRM and the slant pissed me off! I began complaining loudly about it. Kreiger just looked at me, and said sarcastically:

      "It's good for users."

      What an eye opener. Paranoia against corporations is my philosophy from now on.
    • This isn't just about browsers, its about mobile phones, PDAs, servers, TVs, Set-top boxes, smart cards etc etc.

      And its not just about Web content, its about authorisation systems as a whole.

      A browser is just one very very small part of what Liberty could be used for. And while a browser remembers a password, it doesn't know who you are and cannot prove that you are that person.
  • Was there any other prior releases ?
    What is point of jumping directly to 6.0
    • IPL, the source code release that is linked to, is at version 0.1, not version 6.0. The original posting is not very clear. Note that IPL is not the same thing as Sun ONE Identity Server.
    • Re:Version 6.0? (Score:2, Informative)

      by chrisbw (609350)

      SunONE Identity Server 6.0 is the Netscape/iPlanet/SunONE Directory Server (LDAP directory) renamed. It's becoming more than just a directory server, since it becomes an identity and policy management server.

      Chris

  • Direct Link (Score:3, Informative)

    by dica (27151) on Friday September 20, 2002 @12:37AM (#4295175)
  • Recent article on Linuxworld Apache & Plan9 [linuxworld.com] which describes another solution to identity management.
  • You should not be using the same password for all your sites, even if the authentication mechanism never lets the site server have the actual password. If this one password is exposed by your own accident or something, you've basically given whoever has it access to everything. You might as well hand them your wallet, too.

    To track spamming leaks, I also give each place which gets my email address a different one. So there's another piece of information that needs to be different. Not everyone yet has the ability to do this, and not everyone will want to. But a lot of people will unless the spam problem gets solved (unlikely).

    Anyway, I see major privacy risks in both Liberty Alliance as well as Passport, particularly in not letting people (easily?) control who gets what information.

    • On the other hand, when the machine you enter your passwords on is compromised, you only need to change one password...
    • There are two excellent tools that I use pretty regularly to keep track of passwords on websites and other services.

      Password Safe [sourceforge.net] was origionally developed by Bruce Schneier of . It is open source now. [counterpane.com]

      Gpasman [linux.org] is another alternative. I use it on my linux boxes.

      I've found them invaluable for keeping track of passwords. Password Safe runs quite happily under wine, and has a tool built in to automatically generate excellent (i.e., almost unrememberable) passwords.

  • by Anonymous Coward on Friday September 20, 2002 @01:21AM (#4295299)
    As an assistant member of the security team of a large fortune 500 company, I have discovered a new form of terrorism stemming from the deepest underground of the Internet. A site catering to hackers, communists and anti-Americans called Slashdot.org has created a new type of denial-of-service attack known as 'the Slashdot effect'. This attack has been used against what are seen as the enemies of the 'Open source movement' which include many large American companies such as Microsoft as well as many American media companies such as Time-Warner-AOL. The Slashdot Effect could have a potentially crippling effect on the American computer industry and I feel it is justified to offer my own advice on this problem.

    What is the Slashdot Effect?

    The Slashdot Effect (also known as Slashdotting) is a new form of denial-of-service attack stemming from the site Slashdot.org. Once they find a 'target' (whether it be a large media company or small personal homepage) the URL of the site is posted on the front page of Slashdot.org. Members of this site attempt as quickly as they can to follow these links and overload the target server. This causes the 'target' website to slow to a grinding halt before going offline. It can sometimes take days or even weeks for the site to recover from such a surge of traffic, and often the servers can be damaged beyond repair (that is, they cannot be fixed with a simple defrag!).

    Who is normally the target of the Slashdot Effect and how is it done?

    Many American companies have already been attacked by the Slashdot Effect. Targets often include news sites such as the New York Times as well as well as large American companies such as Intel. Sites that criticize the open-source movement are a prime target. For example, lets say an American media website such as the London Times does a review of a little known operating system known as Linux. Linux is an operating system developed by a hacker from communist Finland, which is based on code stolen from an American operating system known as Unix. It was created in cooperation with a communist group known as g.n.u. (Which stands for Glorified Novelty Unix) and is generally unusable by non-hackers. Obviously since it is such an archaic and unstable operating system compared to those made by American companies such as Microsoft it would get a bad review on the London Times. Once a Slashdot member discovers this honest review the URL would be posted on the front page of Slashdot.org. A flood of users would follow the link to the site and bring the server to a grinding halt. Since most of these users are terrorists they would probably have ads disabled using European hacking software. This would mean a potential loss of thousands of dollars worth of ad revenue. To top it off, members of Slashdot.org often plagiarize the articles and post it on illegal mirrors, furthering the loss of ad revenue. Members of Slashdot are rewarded for plagiarizing in the form of 'Karma', a form of hacker currency, on Slashdot.org.

    What can I do to avoid the Slashdot Effect and how would I deal with it if it happened?

    The easiest way to avoid the Slashdot effect is to refrain from posting anything about any open-source software, especially Linux. Focus your website on fine American companies such as Microsoft. You can also set up your server to reject any links from Slashdot.org, something many people have done. If you think your site is being attacked by the Slashdot Effect, contact the authorities immediately and report this act of terrorism. The penalties against hacker/terrorists are stiff and you can feel confident that the perpetrators of this terror will be punished in the harshest possible means.

    by Anonymous Pancake
  • by goingware (85213) on Friday September 20, 2002 @01:25AM (#4295309) Homepage
    So would this mean I can run the server on my home linux box, and store all my private information only on my own machine, in my own house, so that websites would query the server I am operating when I want to log in?



    If so, then I might have some enthusiasm for it, and I imagine lots of others would as well.



    If my identity data is to be stored by some commercial service, even a Liberty Alliance member, I'm afraid I have no plans to participate.



    I won't use any website that requires me to sign up for Passport. I've done a lot of Windows development the last couple years, and I can well imagine it would be to my benefit to pay for M$' developer program, but my understanding is that it requires Passport to participate, so I won't have any part of it.



    Even if I had my own personal server storing my identity, you can bet I will configure my firewall so it will only accept queries from sites I consciously want to have the information.

    • One more thing... would I need a static IP to operate the server? I can get a domain name from dynodns.

      My net connection is kinda primitive out here in the Maine sticks.

      I can pay $70 a month for static IP dedicated dialup, which I think is excessive, but at some point I might have to do that. But I imagine most people who might want to run personal servers wouldn't want to pay to have static IP's.

    • Liberty version 1 is contingent on trust relationships negotiated out of band between identity provider and service provider.

      Liberty version 1 doesn't make provisions for sharing personal information -- it only defines protocols for federation, single sign-on, federation termination, and logout.

      See the Liberty architecture overview [projectliberty.org] (in the specs section on the Liberty web site) for more information.

    • Would you trust, say, the Free Software Foundation, if they set up a server? I think I would, and I think I would be willing to pay some money to make sure they have the hardware and personel to maintain a damned safe version of such a server.

      Mats
    • Great idea, and just one more reason ISPs ought not prevent you from running your own server.
  • what's wrong with Web Initial Signon (webiso nee` pubcookie)? it certainly works well in a University setting, and it might work well in other contexts.
    • what's wrong with Web Initial Signon (webiso nee` pubcookie)?

      When I first saw the name "WebISO", I got the impression "download ISOz [i.e. ISO 9660 CD-ROM images that probably infringe a copyright] over the Web". I bet more than one suit will pick up a software copyright infringement connotation [google.com] from that name.

    • it doesn't (unless I missed the thing to which
      you are referring) work outside of one controlled
      domain. There is not a standard way to send
      a query (well there is, it is identd, but nobody
      does it and it does not work beyond the single
      machine level) and find out who you are. AIS is
      such a proposal, for web services, as are all the
      others.
  • Because Sun has a lot to share with the Open Source Software community, especially those that travel around in airtight plastic balls.

    Magical spell is ai-ai-poo!

  • Whatever else you want to say about Bill Gates; he certainly is a visionary. He saw through the hype and while the rest of the world watched a pedjulum swing to favor OSS then commercial software, then OSS once again, he saw how OSS would mature to threaten Microsoft software dominence.

    It's great to see that vision coming true as major corporate players are actually finding ways to leverage OSS as a competitive advantage, rather than simply sponsoring projects for PR value.

    Bill may see threats around every corner, but he isn't often wrong about this stuff. It's great to see these threats actually manifesting themselves. Life is good!

    --CTH
  • by goingware (85213) on Friday September 20, 2002 @01:53AM (#4295384) Homepage
    I try to have different passwords at each website, but of course that is unmanageable. I have no trust in Microsoft Passport, and while I think Sun is more honorable in what they are doing here, I think such information as my online identity is too important to trust even to them.

    I think the best solution is to store one's passwords under hard encryption, and keep the physical storage medium in a safe - a physical metal box with a combination lock - when not in use.

    I'm not using it yet, but at some point I'd like to get a Palm or Handspring Visor just so I can use Keyring for PalmOS [sourceforge.net] (formerly GNU Keyring).

    An alternative would be to put compact flash readers on all my machines and use a compact flash card.

    Finally, there is WiebeTech's [wiebetech.com] FireWire KeyChain [wiebetech.com], which stores up to 1 GB of data in a tiny package convienent to hold your metal keys and keep in your pocket.

    The advantage of the PalmOS keychain is that it requires no software or hardware support on the computers it is used with, and it can be quickly moved from computer to computer. The advantage of compact flash and WiebeTech's product is that software support can pop the password onto the clipboard for you for convenient pasting into your browser.

    • I'm not using it yet, but at some point I'd like to get a Palm or Handspring Visor just so I can use Keyring for PalmOS
      ...and I'm already using it, and I can say that while it's not as "convinient" as Passport or something, it's convinient enough. Highly recommended for all Palm users!

      Formerly, I used gpasman, but since I used multiple computers and OSes, it was not fun. Then, I found keyring, and this is a perfect example of why I like my Palm =)

  • /. wins first place. for running a microsoft visual studio .net ad w/ this story

    seriously, this actually has a chance, look at the list of members/sponsors at : their website [projectliberty.org]

    and the concept of a contiguous online identity is coming anyways, so someone has to offer an alternative to the crap microsoft has been plugging . i'm really looking forward to offering my family members who are just in love w/ what ms already offers something else, running on a secure(r) platform

  • Misconceptions (Score:4, Insightful)

    by finkployd (12902) on Friday September 20, 2002 @09:36AM (#4296627) Homepage
    There seems to be alot of misconceptions about Liberty. As I understand it, the framework allows you to "assert" your identity to a remote location by a trusted third party. Perhaps your trusted third party is your bank, or your University, or your ISP. You authenticate with them, then a packet of data asserting who you are is digitally signed by this trusted third party and sent to where ever. If the remote location trusts the third party to assert identities, then you are in.

    This does not seem to be about having the same password on every site, or even having ANY password on a site. It is federated authentication (and possibly authorization, but I don't know how they would do that, possibly with SAML assertions).

    Finkployd
  • how long until someone writes an
    [cpan.org]
    AIS server
    to sit on top of Sun's server?

    http://www.pay2send.com/ais/ for more info,
    including a working AIS server (although there
    is much work to be done on all of it)
  • A new supply of round tuits has arrived and are available from Mary.
    Anyone who has been putting off work until they got a round tuit now
    has no excuse for further procrastination.

    - this post brought to you by the Automated Last Post Generator...

Real Users never know what they want, but they always know when your program doesn't deliver it.

Working...