Sun Announces Passport Competitor
mjankows writes: "Sun, and other people today announced the Liberty Alliance Project. Definitely an answer to passport/hailstorm. Maybe Mono/DotGNU can benefit/assist/use/help this..." Yay, yet another way to be tracked on the Internet.
That means (Score:1, Offtopic)
Wow, what a choice.
Ellison is Oracle's CEO... (Score:3, Redundant)
Re:Ellison is Oracle's CEO... (Score:1, Redundant)
there, I want my +5 informative as well
Re:That means (Score:5, Insightful)
As for this hailstorm stuff... I really think you guys are overreacting. Right now there are lots of people who have your user information. This is only one more, and hopefully only has one fail point.
Right now, you have all of your information replicated all over the place, meaning that you trust that many people with your data. All you need is one of them not patching an exploit, and bam, your data is gone. Why have multiple points of potential failure when you can just have one?
Since you can control how much info you give them, (MS Passport only requires email address) and now they are saying that there will be many different people who store it, so you don't even have to give it to MS.
Sun is just a poor MS wannabe. They see that MS has got something that will make the AVERAGE (don't forget how important this is) user's experience more convenient, and thus pleasurable, and they want in on it.
Captain_Frisk
Single Point of Failure gives you EVERYTHING (Score:4, Insightful)
I agree that the passport paradigm gives you a single point of failure. But whereas you may have smaller subsets of your personal information spread out on other sites, i.e., user name and password, maybe first name and last name, but maybe not *all* of your information, like personal banking, stocks trading account information, home address, work address, phone, fax, cell phone addresses.
Say someone breaks into a site on which you only stored basic username/password and first/last name information, it's OK, it's not that big a deal, inconvenient, but not the end of the world.
NOW, say someone DOES break into that *single* point of failure you are mentioning, chances are they'll have access to users' *ENTIRE LIFE*. And looking at microsoft's track record of keeping systems secure with their closed-source, I wouldn't trust them the least bit. CodeRed. Nimda.
Now Sun's approach may be slightly more secure, and if the open-source community does get involved, it could mature far faster than microsoft's product.
As far as *I* am concerned, though the idea of only having to maintain your information at a single location seems very appealing, I think I still want to go thru the discomfort of having to enter personal information at every site I shop at.
Re:Single Point of Failure gives you EVERYTHING (Score:2)
"No character, however upright, is a match for constantly reiterated attacks, however false." -- Alexander Hamilton
It seemed appropriate.
Re:That means (Score:4, Informative)
Because putting your eggs in one basket is a bad idea. Sure, this is convenient for users: all your data is in one place, easy to change and maintain. Now, look at it from the point of view of an identity thief. One stop shopping. Now look at it from the point of view of law enforcement. One place to go to scrutinize every transaction that you make.
Personally, I prefer to have several accounts attached to different usernames, e-mail accounts etc. It doesn't prevent abuse, but it makes you a harder target to hit.
Re:That means (Score:2, Interesting)
Right now, you have all of your information replicated all over the place, meaning that you trust that many people with your data. All you need is one of them not patching an exploit, and bam, your data is gone. Why have multiple points of potential failure when you can just have one?
Nice theory. They can't seem to keep Hotmail accounts secure, and they can't even keep their own IIS installations patched. With a track record like that, do you want Microsoft to be the single point of failure?
It isn't like they would consider using someone else's [apache.org] software even if it had a better security history.
Re:That means (Score:2)
I agree. Microsoft passport is only powered by IIS because it's "in the family". Based on its track record with passport so far, IIS is clearly not the most logical choice for their system.
If a universal internet identity system is ever going to work it will have to be (as the 'Liberty Alliance' is) a cooperative effort between many companies. I hope that the variety of interests involved make this project put users' needs in front of corporate interests (since there is no ONE corporate agenda, there are many).
PayPal is a good example of a successful consumer-friendly corporate joint-venture [paypal.com]. Frankly, I'm surprised PayPal's name isn't on the list of ProjectLiberty charter members [projectliberty.org].
Eating your own dog food (Score:2, Insightful)
Many pundits and observers believed that Microsoft would be more profitable split than whole. Why? Because the two (or three) BabySofts would not need to promote each others' products, and they would still not be in competition with each other. Currently the IIS offering hurts the Hailstorm group because they are not free to choose the best, most secure product(s) to run their system. Bad for billg, good for the Hailstorm detractors.
-sting3r
Re:That means (Score:2)
Great! (Score:5, Funny)
I want to use it (Score:2)
I'd rather it was distributed in some way, and my favourite method would be to do it through the governments (my government is more answerable than pretty much any company), but if it's a large company offering it to me, I'll take it, and hope that public pressure and oversight will force it to play half-reasonable.
Re: sig o/t (Score:2)
you have no privacy... (Score:1, Flamebait)
Re:If everyone was moral... (Score:2, Interesting)
K. Here's how you're wrong:
We can't assume that these companies are moral.
You assume they are. But you're forgetting that they are in it for the money. That's all. That's what makes businesses tick.
Bill
Re:If everyone was moral... (Score:3, Interesting)
banking records
medical history
shopping trends, even though they are pretty boring
family information
machine setup/configuration at home
Get the point? If not, then why don't you just post the above information... let's start with your salary
Re:If everyone was moral... (Score:2)
Happy to oblige!
I have $24.05 in the bank, suffer from hemorrhoids, have had 2 appendectomies, have Alzheimer's disease since I was 93, shop at Walmart 4 times per week, was the son of George Bush and Elvis Presley, and run Windows 95 on an IBM AT at home! My salary is $19,000 per year and I am a decision maker in charge of IT purchases for a firm of 5000-10000!
I've been supplying this kind of information for years to businesses that want nothing more than to get to know me better and to serve me better!
The question no one is asking: (Score:3, Flamebait)
Re:The question no one is asking: (Score:3, Interesting)
Nice in theory, pants in practice. If it was that simple then there would be no need for *any* civil liberty protections since only the "bad" people would be prosecuted.
<SARCASM>
As we know, the authorities have NEVER wrongly prosecuted anyone, they've never made mistakes, they've never abused power. Nah. Not in America.
</SARCASM>
Sun is not the "Liberator" (Score:2, Interesting)
They're just another company and I am not sure their interest in this solution is not also led by rentability's sake.
Re:Sun is not the "Liberator" (Score:2, Insightful)
"decentralized"
"open standard"
"Liberty" alliance? (Score:2, Funny)
This is not to say that this will be terrible, since I guess any sort of aggregation of information will have problems... but c'mon...
Not only Sun... (Score:3, Interesting)
It looks like Microsoft wants to join [yahoo.com] as well, so it might not actually be a Passport "competitor".
From the article: "Microsoft Corp., which said last week it would expand its own Passport Net identification system to other enterprises, is in talks to join the alliance."
Re:Not only Sun... (Score:2)
Charter members include ActivCard, American Airlines, the Apache Software Foundation, Bank of America, Bell Canada Enterprises, Cingular Wireless, Cisco Systems, CollabNet, Dun and Bradstreet, eBay, Entrust, Fidelity Investments, Gemplus, GM, Global Crossing, i2, Intuit, Liberate Technologies, Nokia, NTT DoCoMo, OpenWave, O'Reilly and Associates, RealNetworks, RSA Security, Sabre, Schlumberger, Sony Corporation, Sprint, Sun Microsystems, Travelocity, United Airlines, Verisign, Vodafone and More.
Of course I'm not sure that I would want to mention any association with Microsoft, for as long as I could avoid it. I do like that they say "open standard", "open solution" a lot in their FAQ. Hopefully they really will let people inspect for themselves what is going on.
Nothing to do with Freespeech and beer.. (Score:2, Insightful)
No matter what they tend to make us believe, I am not inclined to agree that this would make net a safer place.
And with MS allowing third parties to provide similar passport services to hook up with theirs, this could only be construed as another effort from Sun to hide the fact that they were late in realising the advantages of passport and webservices, and also to put a veil over the open source community making them blindly believe that we should support these guys instead of M$ because this is more "OPEN".
I am not flaming.. I just don't see the point.
Re:Nothing to do with Freespeech and beer.. (Score:1)
Re:Nothing to do with Freespeech and beer.. (Score:2, Insightful)
Thin clients (the sun ones at least) are vt100 again (well, X-Terms).
Last time we met sun about its wonderful SunRay thin-client solution, it was a true wonder that would take away from you all administration problems, because everything is in the server.
The only problem is the cost of the solution, and the bandwidth problem. Only 10 clients could run at the same time because of the bandwidth demand.
But they recently told us that this limit will actually be 5 (with the proposed server) because besides the bandwidth problem, the server couldn't handle correctly the load for more than 5 clients at the same time.
Does it work on hotmail? (Score:1)
Will any other system, which does not have such a mass base, ever be successful?
The more the merrier (Score:2, Insightful)
This tells me that they've decided that owning the authentication database (and associated user profile information) is not as valuable a proposition as having an open authentication network and getting a micro-cut of every monetary transaction that passes through it.
No doubt if Hailstorm takes hold, every third-party authentication is practically going to need to interoperate with it, and will just become an involuntary revenue generation service for Microsoft.
To this end, look for Microsoft's purchase of PayPal [paypal.com] or some "leading" micropayment shop (perhaps from x.25 land if not
Re:The more the merrier (Score:2)
Yet another way to be tracked... (Score:4, Insightful)
--CTH
job stress (Score:2)
No big deal really. We know how this story ends, with a mark on the head and hand without which you may buy or sell. Kind of silly to think of paperless currency and universal ID's isn't it? Bill Gates is not the Beast, as the only language he ever mastered besides English was Basic.
Liberty Alliance Project is offensive (Score:5, Funny)
In related news:
Sun has renamed their project 'Enduring Tracking Project'.
The change was made after the initial name -- ``Liberty Alliance Project'' -- last week ran into objections from some Linux scholars on grounds that only Open Source, or GNU, could mete out Liberty in their view.
(this is a joke. And it shows no respect to those of the FreeBSD or other open source licenses
Re:Liberty Alliance Project is offensive (Score:1)
Death to the unbelievers!
(also a joke)
Re:Liberty Alliance Project is offensive (Score:2)
Naïve Question (Score:2)
Re:Naïve Question (Score:1)
(BTW - I'm a 14 yro female into overclocking and free beer)
It's still not the answer (Score:3, Interesting)
Well, I guess I probably would prefer getting screwed by somebody different now and then. Although I think I'd rather have a choice of "none of the above".
Hmmm, which service that I don't want will I choose...
Re:It's still not the answer (Score:1)
But what they miss is that I'd just as soon be screwed by my girlfriend. Who says I have to buy anything on the internet anyhow?
What's with the name? (Score:4, Interesting)
The only freedom that I can see from this is the freedom of having yet another repository of my personal information. I can't imagine websites giving us the choice between "passport", "project liberty" or "anonymous consumer".
I read the FAQ and it doesn't mention anything much about how they are planning on divulging the contents of this "consumer database" to people. I can't imagine that they are all doing this for altruistic reasons, so I guess I'd rather avoid using it.
Z.
Re:What's with the name? (Score:1)
It is likely that you will be able to remain anonymous sometimes. This will put an end to the process of lying about who you are, which is not really useful in the greater scheme of things.
Think like slashdot. I could be AC now, but I choose to be warnerpr, and I can change settings to display or not display my email address. Hailstorm and project liberty just make it interoperate between sites and devices.
Someone might look at the page before posting (Score:5, Informative)
This, from the Liberty Alliance FAQ:
Q: What are the objectives of the Liberty Alliance Project?
A: The Alliance has three main objectives. 1) To enable consumers and businesses to maintain personal information securely. 2) To provide a universal, open standard for single sign-on with decentralized authentication and open authorization from multiple providers. 3) To provide an open standard for network identity spanning all network-connected devices.
Q: Who are the members of the Liberty Alliance Project?
A: Charter members include ActivCard, American Airlines, the Apache Software Foundation, Bank of America, Bell Canada Enterprises, Cingular Wireless, Cisco Systems, CollabNet, Dun and Bradstreet, eBay, Entrust, Fidelity Investments, Gemplus, GM, Global Crossing, i2, Intuit, Liberate Technologies, Nokia, NTT DoCoMo, OpenWave, O'Reilly and Associates, RealNetworks, RSA Security, Sabre, Schlumberger, Sony Corporation, Sprint, Sun Microsystems, Travelocity, United Airlines, Verisign, Vodafone and More.
...
So it seems it's more than just a Sun effort, and they claim it's not about another company holding onto everyone's personal info. The goal appears to be a method for single sign-on where each individual company maintains customer data relevant to its own business. They describe it as a decentralized, federated system built on an open standard.
Re:Someone might look at the page before posting (Score:1)
Re:Someone might look at the page before posting (Score:2, Interesting)
It's yet another classic case of Sun 'rescuing' folks from microsoft's grip.
Re:Someone might look at the page before posting (Score:4, Interesting)
Yay... So, instead of Microsoft having my information... Sun, a bunch of media companies, a bunch of companies that want to sell me crap, and a few financial institutions can all pore over my info. Yippee.
Does anyone but me see the danger of allowing such a wide range of companies with many, many goals to all be involved in a project that is basically used to track people and collect personal information?
Seems like yet another excuse to have ads, "targeted marketing", and undue pressure put on me by big business. At least Microsoft is singular, and they aren't in the position to sell me a car, book plane tickets, give me a loan, or offer me a long-distance plan.
But what's the license? (Score:2)
2) Monopolies are evil, so the question becomes: what license do these multiple entities plan to offer the software under? I couldn't find the answer to this when I went to the listed site, though there were links that I didn't follow. I'm not sure what "becoming a member" entails. Perhaps you have rights to the code. Perhaps you don't. Perhaps you have only the right to join the network, and no rights to the code. My feelings towards them would be substantially different depending on who had the code under what license. But no matter what, better them than MS extending its monopoly into a new area.
Still, both Apache and O'Reilly are on the list of members. Both names give cause for hope, though neither name is any guarantee. Perhaps the code will be BSD license? (I don't notice any real GPL names, so that doesn't seem probable. Not even GPL Lite.)
P.S.: An interesting possible line of books for O'Reilly: Special order bound code listings. These would be expensive, as they would all be printed to order, but they could be printed from the original source code without editing, so the costs shouldn't be excessive. And O'Reilly already has the needed equipment, so there wouldn't be any investment there. You, too, could order your own complete listing of gcc-2.95.1 (or whatever).
These would certainly be small order jobs. But the difficult part is not the printing, but rather the binding.
Re:Someone might look at the page before posting (Score:2, Insightful)
We have refused the microsoft hailstorm/passport project from day one due to the one company dominates all issues. Yet we are open to the idea of a unified identity system.
It is still too early to say whether the Liberty Alliance project will be a viable solution. Our most important concerns are:
The unified identity system must be 'open', not controlled by one entity that one way or the other can be considered a competitor to our products. (Microsoft is - they are so dominant that they are in one way or the other a competitor to nearly every IT organisation I can think of, and that is the same reason why passport/hailstorm can not evolve).
The unified identity system must be developed according to users' needs and not beyond. It must not be abused for mass marketing. So a major task is to develop the system avoiding any of the participating or non-participating interests to be able to abuse it. How to do that? I do not have the solution, but I don't want the system without one. What I can conclude is that the system must be developed in the open. Where everyone can assist in the 'code' review in assuring nothing is being overlooked in the best possible way. An 'opensource' perhaps applicant to the rules of FSF if suitable. Here the extreme rules of FSF are indeed very suitable as this must be a public interest project.
The unified identity system must be implementable/joinable by all interests across platforms. It must be implementable/joinable by all developers and users in spite of financial status. And for that reason again, unexploitable. That's a major system development task - but is required. Security must be built into the system. A so-called social solution will not be adequate, as it is possible that not everyone is playing straight.
I have signed up for the mailing list at http://projectliberty.org/interest.html and I am looking forward to see how it evolves. Maybe even try to contribute. But if the openness in the solution does not apply and the concerns/issues above are not resolved and perhaps others as well, I can not approve, and I can't imagine anyone who can without having a special agenda that is not favouring the public interest.
best regards
Vspirit - Casper Andersen
Administrative Manager - Sophistic Systems
Re:Concerns over single logon systems (Score:2)
Digital Rights Management (DRM). And for once, we would mean that literally.
At the Seybold Seminar in San Francisco this week I saw a couple of demos of how DRM software works to protect things like MP3s, movies, etc. The licensing server can offer various forms of contracts with the user -- you can rent information, sell it outright, offer it for a limited time or perpetually, offer a free preview of part of the content, expire it at will, offer incentives to users for passing it along, etc. etc.
Seems to me the only single logon system that would be acceptable to most of us here would be one that offered all these possibilities to EVERY USER -- applied to ANY AND ALL personal data associated with his/her profile.
Re:Someone might look at the page before posting (Score:1)
This is a good thing (Score:3, Interesting)
Goes well with the server (Score:1)
Is it just me... (Score:4, Troll)
You're taking McNealy out of context (Score:4, Insightful)
Currently most people receive the bulk of their information in little paper wrappers that are then placed in unlocked tin boxes that sit in front of the place they live waiting to be picked up when said people come home from work...or by somebody else before they come home...
Currently most people make purchases over the phone, using the 16 digits on the front of their credit card and 4 more digits for the expiration date...and nothing else...these numbers are then processed by another person, a person who doesn't earn a lot of money most likely, and who even more likely doesn't like their job or care anything about the person giving them 20 digits and an order to place...
The idea that your information and transactions are currently secure and computers will only make them insecure is a false notion. It's only a matter of time before somebody gets the idea of breaking laws that for the most part are unenforceable, or deciding their job isn't worth keeping to do something that jeopardizes your privacy. Wouldn't you at least like there to be some hurdles and tracking in the way to protect you? You currently have zero privacy anyway, get over it. This is progress, and wouldn't you like your progress open and not controlled by just one entity?
MS == Power (Score:3, Insightful)
Then, assuming that other companies do begin to use Passport at a significant level (despite no one using it after months of its deployment), there then becomes the question "What happens when Microsoft denies companies access to passport authentication?" For example, what happens if a Hotmail competitor wishes to use Passport authentication for its web mail login? Clearly, Microsoft would be helping their competitor if they allowed it, and acting monopolistically if they don't. That does provide a small problem for Microsoft.
Third is something that the article points out very early on about the very reason people need something like passport. To paraphrase, the article states that people dislike the idea of their online grocery store having access to their online stock trading when they use the same password. This problem doesn't go away with Passport, it is just enhanced. Now, instead of your grocery store having access to your stocks, Microsoft has access to both your grocery store and your stocks, without doing anything but being a middle man authenticator.
But what am I saying? Microsoft is the good guy, who would never abuse its power. That's why it's okay for Microsoft to use its powers to "innovate," just like it's okay for the US to develop defensive systems that give it the power to launch nuclear weapons without fear of retaliation.
Re:MS == Power (Score:1)
Re:MS == Power (Score:2)
An answer? (Score:2)
A competitor maybe... I don't like the idea of having a single entity keep track of my usage online (even if it has chivalrous reasons for doing so like making my life easier). Just because this is not Microsoft doing this doesn't necessarily mean that I should like the idea/technology any better.
Centralized Authentication: What Do You Want? (Score:2, Insightful)
Well, as I read this article there is yet another person who can complain but doesn't contribute. So in the Open Source philosophy, I have a question for everyone:
What do you want to see in a centralized authentication system that you would use and trust?
For example, would you like it to be overseen by the government, a company, a board of individuals or someone or something else? Should it be Open Source to allow for improvements, or closed source to deter cracking?
I feel that rather than simply complain about how terrible this and Hailstorm are, we should discuss what should be in a centralized authentication system we would use and trust.
cracking, closed source, open source (Score:2)
if you mean security through obscurity, that is more an invitation for black hat cracking by far than an open source security system. i think we've all seen how well security through obscurity works, and i for one do not want my identity published^H^H^H^H^H^H^H protected by such means.
-sam
Re:Centralized Authentication: What Do You Want? (Score:1)
Decentralization!
Re:Centralized Authentication: What Do You Want? (Score:1, Insightful)
My hotmail/passport account has little information tying it directly to me, so I'm not too concerned about it anyhoo. I don't use any other MS Services, like Expedia, that would take that information.
Much better than .net (Score:1)
Re:Much better than .net (Score:1)
Re:Much better than .net (Score:1)
Answer? (Score:1)
And that answer is: "Me too!!!!"
It's called a spreadsheet (Score:1)
we put the ___ in ____. (Score:1, Offtopic)
sun, err, uh, puts the bert in liberty alliance?
Re:we put the ___ in ____. (Score:1)
Re:we put the ___ in ____. (Score:1)
What about XNS? (Score:2, Informative)
Anyone know enough to compare the two?
Re:What about XNS? (Score:2, Interesting)
There seems to be a feeling that big movements at XNS could occur in the many weeks/few months time frame which is not that long, but since we have just passed the one year anniversary of OneName's and XNSorg's rollout of the XNS implementation of the single-signon/universal name/self-updating ecards, and there has been little further movement visible from outside - people are starting to get frustrated.
I think that there is a real worry that while XNS was one of the first boats to leave the dock, one of the less-open boats could well make it out of the harbour before them.
I am hoping that it will turn out that one of these industry groups like the "Liberty Alliance Project" will be using XNS technology as their underlying foundation and that the open specs and open source implementations will win the day, but it is frustrating to not hear much new information from XNSorg.
Sun vs Microsoft (Score:2)
what ever happened to XNS? (Score:2, Interesting)
a distributed lookup service which could hold information defined by schemas written in XML. The first application was/is personal info. It's been around for a couple years, and has a public trust organization defining the community, hopefully alleviating people's worries of one company taking over. So what's happened to it? I guess it doesn't have the backing of sun or ms :)
the underlying software will be open source, although I don't think most of it is written yet. The only current implementation of the server is done by the closed source company whose idea this all was, onename [onename.com].
And for those of you mac old-timers, the head of the public trust organization is Adam Engst [xns.org]!
Re:what ever happened to XNS? (Score:2)
XNS is a combination of five major components--a naming/addressing/identity service, an XML vocabulary and metavocabulary, an XML protocol and metaprotocol, a legal and operational infrastructure, and a development platform--that together provide a foundation set of services for the next layer of Internet infrastructure, the "web services" layer.
Plus, it's fully buzzword compliant! It's got "web services," "metavocabulary," "metaprotocol," and the ever-popular XML. The buzzword content of that site is 3 times the nominal level. Then they throw a couple of incomprehensible analogies into the mix just to make sure you're fully confused.
Why is Passport bad? (Score:1, Interesting)
Their registration is optional. Their activation system was designed with privacy explicitly in mind.
Seems to me that Microsoft has done a great deal to ensure their customers' privacy. I haven't heard a single example of them not doing so.
As far as I can tell, there is no good reason to not trust Microsoft other than the classic big-brother "they COULD do something bad" argument, or that stupid slippery slope crap people always talk about.
The fact is, it should be up to consumers as to whether or not Passport is a good thing. Are they willing to take the "risk" of storing their information in a central location for the benefits of My
So get over it people. If you don't trust Microsoft, ask yourself these questions: Do you trust your bank? Do you trust your HMO? Do you trust your insurance company? Do you trust your credit card company?
The answers to all of these is probably, at the very least, partial trust. You are willing to give up some information and some privacy for services or goods. The same will be true of these services.
Can you own your own data under either system? (Score:2)
You would have the benefit of it being accessible from anywhere, could interoperate with Passport or Liberty Alliance, give neither Sun nor Microsoft direct access to your data, keep you in control of your own data, etc.
The "system" on your end could be as simple as a servlet or jsp accessible only via SSL, keeping your private data securely encrypted until needed. As an extra precaution, the data sent back could be encrypted using the Public key of the system requesting it (for the paranoid). Perhaps one-use passwords for access, so keeping the password given to a particular company doesn't gain them anything?
The only way I see any way to preserve privacy is to keep the data off of central servers. Can something like that be implemented under either Passport or LA now?
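A sketch of the self-hosted arrangement the comment above describes, as an added example that is not part of the original post and not Passport or Liberty Alliance code: the owner keeps the profile and gives each requesting company a one-use password scoped to named fields. All names (`ProfileVault`, `issue`, `redeem`, the sample profile) are hypothetical; SSL transport, authenticating the requester, and encrypting the reply to the requester's public key are assumed to happen outside this code.

```python
import hashlib
import secrets
import time


class ProfileVault:
    """Owner-held profile store (hypothetical design).

    Each grant is a one-use password bound to one requester and to the
    fields the owner chose to release to that requester.
    """

    def __init__(self, profile, clock=time.time):
        self._profile = dict(profile)
        self._clock = clock
        self._grants = {}  # sha256(token) -> (requester, fields, expiry)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, requester, fields, ttl_seconds=300):
        """Create a one-use password for `requester`, limited to `fields`."""
        unknown = set(fields) - set(self._profile)
        if unknown:
            raise KeyError(f"not in profile: {sorted(unknown)}")
        token = secrets.token_urlsafe(32)
        # Only the hash is kept, so a copy of the grant table does not
        # contain any usable password.
        self._grants[self._digest(token)] = (
            requester,
            frozenset(fields),
            self._clock() + ttl_seconds,
        )
        return token

    def redeem(self, requester, token):
        """Return the granted fields, or None if the token is not valid.

        The grant is removed on any presentation, so a password a company
        kept (or leaked) is worthless after its first use.
        """
        grant = self._grants.pop(self._digest(token), None)
        if grant is None:
            return None
        owner, fields, expiry = grant
        if owner != requester or self._clock() > expiry:
            return None
        return {name: self._profile[name] for name in fields}


# Constructed sample data, not real values.
SAMPLE_PROFILE = {
    "email": "user@example.org",
    "shipping_address": "1 Example Street",
    "card_number": "0000-0000-0000-0000",
}


def demo():
    """Issue one grant, redeem it, then replay the same password."""
    vault = ProfileVault(SAMPLE_PROFILE)
    token = vault.issue("grocer.example", ["email", "shipping_address"])
    first = vault.redeem("grocer.example", token)
    replay = vault.redeem("grocer.example", token)
    return first, replay


if __name__ == "__main__":
    print(demo())
```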
What does it do? (Score:2)
-cpd
Smells like vaporware to me (Score:1)
More than just "being tracked" (Score:5, Interesting)
Yay, yet another way to be tracked on the Internet
Well, a tool such as Passport or LAP can be used to track users, that's true. No one said tools cannot be misused. But remember: Programs don't track people, marketdroids do.
The keyword here is convenience. The only way of protecting our information on the Internet is through encryption. Which implies passwords and key management. Something that 99% of users are not willing to do.
Unfortunately, this unwillingness to use the Net securely affects all of us. Cool products and services that could be available today are not offered because of lack of good security models. If they are offered at all, they are either too cumbersome to use, or rely on such simplistic security that they cannot be trusted (Hotmail anyone?)
This is an old problem. An analog is the credit card industry. Even if you carefully protect your credit card info, you're still paying for all the people who get their CC number and expiry date stolen. CC companies past the cost to all of us clients.
So we need ease of use for security products, or they won't get used. If LAP can spread the use of a safe, easy-to-use, one-time Internet-wide authentication, then it's welcome.
Did anyone notice that French company Gemplus is among the LAP supporters? This company provides smart cards. Several projects touting smart cards for web authentication have already been proposed. Maybe we'll see a new, more successful approach this time. It's certainly easier to carry a smart card and enter a 4-digit PIN than to remember and type 20 different passwords.
I am not saying that this new LAP initiative is going to solve all authentication and privacy problems. But these problems are real and need to be addressed. It doesn't boil down just to marketdroid tracking us.
Re:More than just "being tracked" (Score:1)
Well, actually it is the merchants who take on the burden of fraudulently used credit cards, not the consumer. This happens in two ways:
First, the merchant pays a discount fee on the purchase. A portion of this discount fee is really a markup on the portion of the inherent risks that are borne by the card association and the member banks. Over the last 30 years average discount fees have dropped from 7% to 2% largely due to reduced amount of fraud.
Second, if a card is used fraudulently, the Card Holder notifies his/her Issuing Bank which issues a charge back on the transaction. The merchant ends up eating the entire cost of the purchase in addition to a substantial chargeback fee. If a merchant has too many chargebacks over several months, then the card association will begin levying very large fines on the merchant.
Re:More than just "being tracked" (Score:2)
You are right about the CC mechanism (and the dumb typo). However, the resulting cost-passing is the same. Its effects are diluted among countless merchants instead of a few hundred credit card emitters, but we consumers end up paying for it.
The current lack of a widespread Internet authentication/encryption mechanism acts to deter service providers and deprive us all, in the same way as fraud acts to raise costs and allow thieves to pick a penny from each pocket.
It's all about rights management (Score:2)
By grouping together enough content partners into one system, it will be impossible for consumers to avoid becoming enrolled. At that point, rights management will be effectively tracked through one authorization hierarchy.
Here are some articles (Score:2, Informative)
Don't mind me, just doing a little karma whoring.
Where are the details? (Score:3, Insightful)
If done correctly, this has the potential to be a very good thing for all involved. But, there are some key criteria that it needs to meet before I would use it. A few that come to mind are:
- The user must have 100% control of their personal data & what can be redistributed.
- Any changes of policy, or distribution of data must require user approval (opt-in), nothing should be done without the user's consent.
- In the "distributed authentication" model, I would want my data stored by an entity I trust. Such as, a non-profit consumer advocacy group.
- The security around storage of my information must be rock solid.
- The protocols used for passing authentication to applications must be secure. The services using the authentication must not have access to my password.
I'll reserve judgement until I can read the implementation details.
"Yet another way to be tracked..." (Score:2)
- A.P.
but how does single sign-on actually work? (Score:2, Insightful)
Given that Microsoft controls most of the browser marketshare, how does *anyone* have a legitimate shot at controlling single sign-on, other than MS?
Why not just work with MS (Score:1)
Vapor Ware (Score:2)
But then..... sort of like their stock price. What will happen to Java if they go bust?
Just another excuse for a lawsuit (Score:1)
- Sun makes this passport-knock off
- It's a dismal failure because Passport is much better and has more functionality
- Sun gets burned
- Sun gets angry and takes their competitive problems to the court and sues MS for being a big bad meany monopoly.
It's unfortunate that Sun can't innovate and make their own products, or make Java better and compete with
Passport Competitor huh? (Score:1)
Well, you've just bought me a workstation. Guess what? You've transferred $10,000 to my account. Thanks! I'll login as you more often next time
Do we prefer the government to do this? (Score:2, Interesting)
What's wrong with a commercial venture that manages identities? You approach this company, and ask them to create you an identity, possibly based on some real-world data like your credit card number. When you interact with a third party you can say "I have personal ID number 57798 issued by that company", together with some documentation (e.g. using public-key certificates). If this third party trusts the company, they will agree that you are who you say you are. This way you can create binding contracts with people you've only met on-line.
Of course, if you couple such a system with a monopoly in some market (e.g. operating systems, mainframes, or insurance) you get in trouble. This is the general problem with monopolies. Also, I'm not sure if I'd use an identity offered by my credit card company since they know enough about me already. If I think some company won't keep my info secret, I won't deal with them, etc. In any case, it's then a matter of consumer choice.
The "let people have IDs on your site" approach doesn't work for sites who do major business with those people -- you need some third party who'll vouch that these people are genuine.
Remember, the only way to have complete privacy is not to interact with anyone else.
Just my rants.
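The scheme sketched in the comment above (an identity company vouching for "personal ID number 57798") together with the earlier requirement that services "must not have access to my password" can be shown in a few lines. This is an added example, not part of the thread and not Passport's or Liberty's actual protocol; a per-service HMAC key stands in for the public-key certificates the comment mentions because the Python standard library has no public-key signing, and the names `idp_issue`, `service_verify`, `shop.example` and `bank.example` are hypothetical.

```python
import base64, hashlib, hmac, json, os, time

# Constructed demo data (assumptions, not from the thread, except ID 57798).
SALT = os.urandom(16)
USERS = {"57798": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)}
# One secret per relying service, known only to the identity company and that service.
SERVICE_KEYS = {"shop.example": os.urandom(32), "bank.example": os.urandom(32)}


def _sign(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()


def idp_issue(user_id, password, audience, ttl=300, now=None):
    """Identity company: check the password, return a signed assertion or None."""
    stored = USERS.get(user_id)
    guess = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    if stored is None or not hmac.compare_digest(stored, guess):
        return None
    if audience not in SERVICE_KEYS:
        return None
    now = time.time() if now is None else now
    # The assertion names the user, the one service it is for, and an expiry.
    payload = json.dumps({"sub": user_id, "aud": audience, "exp": now + ttl}).encode()
    tag = _sign(SERVICE_KEYS[audience], payload)
    b64 = base64.urlsafe_b64encode
    return b64(payload).decode() + "." + b64(tag).decode()


def service_verify(token, my_name, my_key, now=None):
    """Relying service: sees only the assertion, never the password."""
    try:
        p64, t64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except ValueError:
        return None
    # Check the signature before trusting or even parsing any claim.
    if not hmac.compare_digest(tag, _sign(my_key, payload)):
        return None
    claims = json.loads(payload)
    now = time.time() if now is None else now
    if claims["aud"] != my_name or claims["exp"] < now:
        return None  # issued for another service, or expired
    return claims["sub"]
```

Because each assertion is bound to one service and expires, a service that is broken into yields neither the password nor anything replayable elsewhere.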
Man... (Score:1)
Absolutely (Score:2)
Or is this not what you had in mind? This IS in fact what the "Internet was intended for" not to mention originally funded for -- academic research.
Be careful what you wish for.
An existing service doing the same thing (Score:2)
From their online propaganda:
Aside from the icky overheated writing style (and pathetically bad Gen-X look of the website) the idea seems to be the same as all of the others: We'll escrow your information and dole it out. The question is of course always how and to whom and with or without my permission. They've also got a dynamic address-book function and a web form-filler - woohoo. When this thing launched I seem to recall Novell positioning it as a universal login to websites through online authentication. Now that seems to be dropped and a simple keychain function used instead. Whatever the case it's all built on Novell's awesome NDS [novell.com] (called "eDirectory" this week) technology which gives it some street-cred. NDS is the most mature directory service out there and scales awesomely, very flexible and at this point pretty mature. MS's projects are, well let's just say "quality is a journey" at MS and with Sun, well Jini [sun.com] sure is nifty!
Anyway, an interesting third example of this increasingly debated service.
But this IS a good thing! (Score:2, Insightful)
A federated identity model will enable every business or user to manage their own data, and ensure that the use of critical personal information is managed and distributed by the appropriate parties, rather than a central authority.
seems pretty clear to me - you manage your own data, and it is authenticated in a distributed way, not maintained and authenticated in a centralised Microsoft database. Further:
In a federated view of the world, a person's online identity, their personal profile, personalized online configurations, buying habits and history, and shopping preferences are administered by users, yet securely shared with the organizations of their choosing.
Emphasis mine. You maintain your own data, and decide who you will allow it to be shared to.
Can someone please tell me how this is not (at this vague stage) the sort of thing that we've been wanting? A decentralised, distributed information management system...
Jedidiah
Re: One big corp fighting another (Score:3, Interesting)
I've seen a number of times people have said this is just a big corporation which is maybe trustworthy (Sun) competing with one which is most likely not trustworthy (Microsoft). The Liberty folks, while led by Sun, are not exclusively Sun. On their site, they list the charter members which include big nasty corporations and some players who are more likely to be loved than hated on Slashdot. For instance, the Apache Software Foundation and O'Reilly & Associates.
Sun probably orchestrated this. Why? Not because they want your data, but because they passionately hate Microsoft and don't want to risk letting Microsoft take over a large chunk of the web. They are trying to Liberate a web that has yet to be enslaved by Microsoft, but one which they are scared will be. Other comments regarding the charter members:
Microsoft enemy AOL-TimeWarner is not there
Microsoft enemy RealNetworks is
eBay is a charter member - which is interesting since they were one of the first to sign up for passport. Second thoughts perhaps?
What I'm trying to say is that this is not Sun vs Microsoft round 6000, there are a number of companies here who will hopefully keep one another honest.
Re: One big corp fighting another (Score:2)
Am I the only one that conceives of the notion that they could use both? Or perhaps implement both then roll one out as official if the other tanks? When you develop something, do you download the first toolkit you find and swear by it forever, or do you evaluate different solutions?
Re: One big corp fighting another (Score:2)
"Am I the only one that conceives of the notion that they could use both? Or perhaps implement both then roll one out as official if the other tanks? When you develop something, do you download the first toolkit you find and swear by it forever, or do you evaluate different solutions?"
Yah, fair enough. But it does show that the iron grip Microsoft was shooting for in authentication left even their first passport customers nervous.
I think you might be missing the issue... (Score:2, Insightful)
That being said...
The real issue here is that this authentication 'standard' needs to be truly 'standardized'. Its ownership and control should be governed by a globally acknowledged standards body i.e. ISO.
That is the issue. When people see Sun headlining an initiative, they instantly think of the nightmare that is the JCP (Java Community Process) -- a process which is neither truly open, nor independent. Rather, the JCP is one which profits only Sun in the end.
What we DON'T want is for the global authentication standard to be 'Sun owned'. This needs to be something that is solely owned by something of the likes of the ISO.
That is what the issue is, I think.