Liberty Alliance Plans Passport Interoperability 81
EvanDelay writes "The Liberty Alliance Project, which is developing Web technology to facilitate single sign-on authentication, plans to support interoperability between its system and Microsoft Corp.'s rival Passport system.
Computerworld has the story."
DO we want that? (Score:1, Interesting)
It would be best if it gave me an option.
But personally, i agree with what another Slashdot reader said: its the browser's job to look after a user's password. a single username and password for all your site's is absolutly retarded security-wise.
Re:DO we want that? (Score:1)
Re:DO we want that? (Score:1)
Re:DO we want that? (Score:5, Interesting)
No, it's extremely smart security wise. Now, for all I know you may be the paragon of good security practice, but most people are not. In fact, most people, faced with a morass of passwords for various different services do something that is extremely bad and set all their passwords to the same thing. I've done this, for instance, because it's either that or write down all my passwords (which of course some people do) and keep them on my computer, which means I cannot access any services when I don't have that list.
There is this fantastically common misconception that centralising your various digital identities will somehow decrease security. Not true! There's a reason most of us have 1 (perhaps 2) personal email accounts. We don't have 100 email accounts with different user names and passwords because the truly minor increase in security that would bring is nowhere near worth the major increase in hassle.
Single sign on is coming people, and when it arrives not only will 95% of the computer using population be more secure because of it, but computers will be dramatically easier to use as well.
I've read the liberty specs in more detail than most of the people here on slashdot I'd bet, as I'm working on a server that contains an (open source) implementation of them. No, it's not released yet, perhaps in a few months. But believe me, the LA specs are not scary, they will not force you to tell the government what your favourite colour is, they will not take your first born child. They will make your life easier.
Re:DO we want that? (Score:1)
I totally agree with you--the Liberty Alliance from what I gathered is basing it's platform on being free and open for everyone. I haven't read the specs as you have, but I've read more from the page than perhaps most here.
There's way too much FUD being spread around here for my tastes. ;)
Re:DO we want that? (Score:2)
OK, this could happen already because I have an amazon cookie on my system which means I don't need to log in each time. But, I can always remove the cookie and force a sign on the next time I go there. With single sign on you won't have that option, you will always be logged in.
Re:DO we want that? (Score:1)
Re:DO we want that? (Score:1)
Technically, anytime you click on any order button for the first time (even if you have that cookie on your system) amazon will force you to log in again. I believe after that, it essentially generates a session for you and you do not have to login again until you close your browser (or reach their timeout level of inactivity)...
Re:DO we want that? (Score:2)
Re:DO we want that? (Score:2)
Funny Story:
A few years ago (1996 or so), a guy at work and I got into a practical joke war.. He got up to get himself cofee, and (as was his habit,) left his email client open.
I went to an online personals site (new at the time
Using 'his' new account, I posted an ad in the Gay Encounter section, saying that he was just discovered his sexuality, and asking for someone who would be gentle with him..
The look on his face when he started recieving photos was priceless.
Now, he learned a lesson that he never forgot, and it's one that you should know as well - if you have sensitive windows open, close them or lock your workstation when it's unattended.
Even before single sign-on's were thought of, the scenario you envision is still possible.
Re:DO we want that? (Score:1)
Mikey's bang on on this one. Better late than never 'Universal (Single) Sign-on' is finally becoming a reality
The simple truth is, when confronted by more than two or three set of authentication information, people will either use the same password, or simple variations, everywhere or they will write them down
Natty
Re:DO we want that? (Score:1)
No, in fact, I have not. I have about twelve different passwords, one for every service I want to keep secure and then two blanket passwords for lower security things. I do not forget them. They are never variations of another password. Five of those are e-mail adresses that I keep, and it is not a hassle to keep them. I do not see what the great challenge is. Use something you know. Everything is a refererence to personal life that I use for a password. Witty phrases are always good, as are things in other languages. You are less likely to forget them. People tell me it's a hassle, but I have no problem with it. An extra thirty seconds is worth my security. It is not like having five different mailboxes in different locations of New York.
So, yeah, I don't do that. It's not hard, and it is in fact safer.
Re:DO we want that? (Score:1)
Re:DO we want that? (Score:1)
There is this fantastically common misconception that centralising your various digital identities will somehow decrease security. Not true!
The problem with centralizing one's data is that once it's broken into (see links below on MS's haphazard security) you've lost the whole lot, rather than just part of it. Your only argument against this is that keeping separate identities is a "major ... hassle" which will induce you to make all your passwords the same. Well, if you make all your passwords the same, then you have poor security, but for the same reason - break one, break all. The smart alternative is to keep them separate and different and under your own control.
At least, this is true if you trust your own security. I don't even trust those browser utilities - I keep a paper list, not of passwords and logons, but of something that reminds me of each one but which would be meaningless to anyone else. This is easy and secure. I might also trust a compiled-by-me, open-source password manager..
And second, you're not even considering the privacy implications, which are the main reason many people dislike the whole Passport-type service idea. Maybe online merchants, etc. that I deal with are going to share info anyway, but if they have to figure out that one user on Amazon is the same as one at Altex, by comparing name, address and credit card number (you know that "privacy policies" are worthless, right?), then it will be a little harder for them, and hopefully more incomplete, if I'm not participating in something like Passport.
The only important question here, as far as I'm concerned, is whether, in the long run people are going to be able to opt out of this sort of thing. If Passport attains a certain "critical mass" then many merchants will no longer allow a non-Passport logon. And MS is probably already planning to tie Passport to Palladium.
Re:DO we want that? (Score:3, Insightful)
Absolutely true. The annals of computer crime are full of cases where crackers have accessed systems B, C, D and E by harvesting passwords from system A and users re-used the same password on those other systems. Now true, if those other systems had some other gaping hole that would let them be compromised without a password, then in some theoretical absolute sense the security isn't any less because of the shared password (since there was no real security to start with), but such holes are bugs and fixable by the sysadmin, whereas shared passwords are not.
Single sign-on, whether Passport or Liberty Alliance, seems like a disaster waiting to happen, although if properly designed and correctly implemented (bloody big "if"), it'd be safer than multiple sign-ons all using the same password (because the latter gives multiple points of attack). But it's also painting a huge target and sign on itself that says "crack me!". And it's still less-safe than multiple sign-on with different passwords. (Think about it -- if you're a big-time crook (or terrorist, etc), do you go for the high-stakes bank job, or just stick up a string of 7-11s? It all comes down to effort vs payoff.)
Re:DO we want that? (Score:3, Interesting)
Possibly, but bear in mind if you break into somebodies email account you can usually compromise most of their web passwords anyway, as almost all sites have an "email me my password feature". In effect, your email account is your digital identity, as it holds the keys to all your other passwords too. So that's also a pretty big target in a way, yet email breakins are fairly rare - possibly because people recognise its importance and choose good passwords?
Do we want PingID? (Score:1)
a big matrix of all SSI proposals, both open
and closed? Since I came up with my own, TJAIS
or DGAIS (since AIS is completely useless as
a searchable term due to noise from AI), about
a year ago, I can't stop myself from mentioning
it as if it has any hope at all of getting mindshare
(what? David Nicol [davidnicol.com]? That crank? Isn't he a DJB
sock puppet or something?) in the free SSI protocol
space.
Seriously, looking at theoretic.com gives links to
PingID. Way to hold back, IamTheRealMike! I lack
your fortitude. AIS description, such as it is,
hangs off of
http://pay2send.com/cgi/ais/about
AIS is a protocol for exporting a SSI domain (any kind) to remote web services, passing messages
via both the user, by Location headers, and a
back-channel between the remote service and the
AIS service.
There are a few defined primitives, and room to
expand.
It is offered as a standards-track proposal.
david nicol (hurried and working on other things)
Embrace and extend, The Open Way (Score:1)
Depending on how this is done, it can be a good thing. The point is to have the greatest possible interoperability, without compromising the security of your personal information. The real critical issue in all of this is who (or more to the point, whose code) controls my private information. Even if the data is stored on a server, that's ok if it is encrypted and the private key is safely protected on my local machine under security protocols that I can control (choose). The private data can be held on any number of servers, and sent back to my local machine for parcelling out as required. Authentication shouldn't require sending out private data, but rather challenge/response that can only be correct if I possess the proper keys.
Passport must be made open to third party scrutiny if they want to play with everyone else. Industry standards are that they must publish their design and code for open third party review and analysis. I personally would not accept less, and would be shirking my professional responsibilities not to advise this to anyone I do work for. I assume they have not done so, nor do they plan to. I would also expect the Liberty Alliance to have a similar standard to mine, and if not I wouldn't advise anyone to use that either.
The logic of symetric and asymetric key systems isn't that deep, although their can be a lot of hazards in the implementation. The only good solution to this is lots of eyes, and all responsible professionals should insist on it.
But personally, I agree with what another Slashdot reader said: its the browser's job to look after a user's password. a single username and password for all your site's is absolutly retarded security-wise.
Well, not the browser itself, but an independant security module that can be accessed by the browser and any other program that needs to. Having one or many user names isn't really the issue, and the only password needed should be to open up your locally stored private key chain.
That puts all the load on protecting that private key chain, and anything you can do to secure that information is a good thing. Single point of failure isn't the issue that people make it out to be. The issue is keeping the most sensitive data, the private keys that can open up everything, private. Opening them up in the memory of your PC is better than trusting that function to a third party, but better is to never expose the private keys.
One cool job I had was for a company trying to market a secure messaging system. They went belly up before the dotcom crash, but the technology was very cool. It was a message hub system with key escrow and the works. The actual message processing was done by a purpose built box that had no disks or permanent storage, just a network connection. The keys were stored in PC/MCIA cards that had processors and non-volatile storage, and only half of the key was stored on each card. The only place you would ever have private or session keys in clear text was on the closed box or half of one inside the PC/MCIA cards.
The point is that it might be good to have a sub-processor that can do things with the private keys, but never have them in clear text outside of that. This could be done with the kind of physical tokens that some people have suggested when single sign on came up before. Although some will find this excessive, I think it is a good idea.
Re:DO we want that? (Score:2)
services I care about (like my bank, credit
card, and other stuff); but I would happily
have a single account for nytimes, slashdot,
various online fora, and other sites that
require membership - who really cares?
On a related note (Score:2)
Re:On a related note (Score:1)
T--
Dangerous Waters (Score:1)
So long as I can control it (Score:2)
Interoperability is great if it increases choice - although I hope that we'll also have the choice not to interoperate.
Nice for us. (Score:4, Interesting)
Re:Nice for us. (Score:1)
I really hope it doesn't myself, I understand why others might have the need. Well, I went over to the Liberty Alliance [projectliberty.org], and though the website looks rather 'corporate' and polished, it says in big bold on the front (my bolding):
Since it's all open, a linux client would be easily implemented, and if us OSS users would choose LA's solution, it could put a small dent in Microsoft's network identity marketshare.
The federated network identity is simply corporate jargon for the obvious (from their website's FAQ):
Re:Nice for us. (Score:2)
I don't understand. Passport is browser neutral, you can access it with Mozilla on Linux for instance.
Re:Nice for us. (Score:2)
Re:Going to have the same problem Mono has (Score:1)
Sorry to say but everything about your statement is wrong.
Mono is an open source project, limited in resources and developers. Its goal, to recreate the .NET platform on Linux, is an overly ambitious one. Not to mention the technical difficulties involved in porting .NET's runtime (and all the Win32 API calls it replies on) to Linux. It's an issue of resources and engineering, not a marketing one.
To say either Mono or Liberty hasn't caught on also means that the race must have begun in the first place. However, neither Mono nor Liberty are production ready, while the .NET framework and the MS Passport service have been available for a year.
As far as marketing budget goes, I'd quote Liberty's FAQ:
Sounds like plenty of marketing muscles to me.
Last nail indeed... (Score:2)
Sure, it's probably the last nail, but for which service? As much as the majority of the userbase hates MS, it doesn't really change these two simple facts:
1) They have a single platform they can use to push their services from
2) They have a Scrooge MacDuck style bank-vault to dip into whenever they start to feel the sting of competition. Interoperability with Passport is only going to force Liberty into anonymity, not give it the huge marketshare we're all hoping for.
Re:Last nail indeed... (Score:2, Interesting)
1) They have a single platform they can use to push their services from
Correct me if I'm wrong, but isn't the important part of this platform on the server, not the client? MS is still losing on the server, so if the LA supports passport clients in their server implementations, the game is up. MS clients such as IE are not likely to support LA client protocols, but so what? They will still be able to connect to all servers. More open clients can support both, but are only likely to do this if they can trust the passport implementations.
So MS has three choices:
1) Don't play (no non-MS client or server implementations of Passport allowed, I take no MS implementation of LA to be a given).
2) Allow other clients (no non-MS servers).
3) Allow other servers (no non-MS clients).
In 1), if you use MS clients, you will only function with MS servers (.NET platform). This is a lose for them since they don't have much market penetration in the server side.
With 2), only MS clients would be disadvantaged, unless they added LA support to their clients (won't happen).
Case 3) would be interesting because all clients would be able to play with open servers, but only clients that adopt passport will be able to access .NET servers (I'm assuming MS server == .NET server until they abandon that for something new). This situation could persist for a while since non-MS clients and MS servers are likely to be the minorities for some time. It can't be helpful in selling .NET to a wider audience.
I almost forgot that there is a forth case, but MS is not going to play nice, so that won't happen anyway.
Timing and Priorities (Score:4, Insightful)
The priority must be to compete with
1. Ease of use (both user-wise and coder-wise).
2. Security and user control of information
3. User base (on both sides again).
The first point is the reason of the project from the start and must be maintained.
The second point is the advantage, no-one can reach me, and on-one can reach the customer-records of a competing company without authorization. Not only geek users should be afraid of giving too much info away, also the companies utilizing these platforms must be aware and protect their customer bases.
The third point is probably the pass/fail issue of the entire project. It must get adopted, from the average user and by the service providing companies.
Re:Timing and Priorities (Score:3, Insightful)
Wrong, amigo. Ever sign up for a Hotmail account? You were automatically signed up for Passport as well.
In other words, for the Liberty Alliance, the fight was pretty much over before it began.
Re:Timing and Priorities (Score:2)
In other words, for the Liberty Alliance, the fight was pretty much over before it began.
But does this really give Passport a huge advantage? The only advantage I can see is that they have got someone to fill in a form, once, and probably with junk.
The most important thing is surely the websites that sign-up to use Passport/Liberty i.e. Amazon, eBay, the banks etc. To say the fight is over is somewhat defeatist at this early stage. There's still everything to play for.
Re:Hotmail / AOL screename (Score:1)
AOL is part of the Liberty Alliance.
Good for MS's bank balance (Score:2, Interesting)
Hotmail will still tell you to get a Passport logon, no-one will tell you to get a liberty alliance logon. So MS still gets the majority of the customers.
Added to this, MS gets your information free from liberty alliance, so the obsessive geeks who just had to go with the minority service are still giving all their information to MS, so they get marketing info for even more people, basically at no cost to them.
Whereas liberty alliance gets.. nothing really. Maybe some people who wouldn't otherwise sign up will now that their logon works with Hotmail. But not many. Out of the 1% of the population that knows Liberty Alliance exists, 50% won't be signing up for either system if they can avoid it, because they understand the stupidity of the idea security-wise, and 90% of the people who do are signing up just because they don't like MS, so the added ability to use Hotmail is not going to make any difference.
who's going to watch the "standards"? (Score:1)
kinda sounds like a w3c statement about a new standard protocol or language. amazing how ballmer & co. said [zdnet.com] this would "have little chance of mattering". gee, looks like it matters now. big banks, all the major credit companies, several of the web's biggest commerce fronts - i'd call that a strong base of interest and support for Liberty.
maybe they need a 3rd party [com.com] to mediate so everyone plays nice for a while
Re:Good News (Score:1)
"Passport was never for profit" - perhaps not directly but it's part of a wider buisness strategy which is exploitative and dependent on MS 'owning' lots of information about users, so really it *is* for profit, just indirectly
"the American way..." well, being from Scotland I can't say about that, but since MS aren't just 'trashed' in the states I think you're off base there...
back on-topic this seems like another great reason *not* to use one of these dumbass centralised passwords.
If you *really* can't manage holding all those bits of information in your own head (which is after all the only really secure approach) at least have the sense to keep control of where they're kept and use something like Mac OS's 'keychain'. As with anything else if you *must* store information all in one place, do it in your own home/buisness and on your own system, it's not like that's difficult...
Re:Good News (Score:1)
(Or you forgot that slash would eat them if unescaped.)
I thought Passport was dead. (Score:5, Informative)
In the past, Passport has been shown to have zero security. See the Wired News article, Stealing MS Passport's Wallet [wired.com].
On August 8, 2002, the U.S. Government's Federal Trade Commission (FTC) ordered Microsoft to stop lying about its Passport service. The FTC's order is titled Microsoft Settles FTC Charges Alleging False Security and Privacy Promises [ftc.gov].
From: Windows XP Shows the Direction Microsoft is Going. [hevanet.com]
A few things for people who didn't read it (Score:5, Informative)
2) Even if they did decide to co-operate, it'd largely be meaningless. There are so few websites using Passport the list can fit into less than a screenful.
3) Even if this wasn't a problem, making Passport interoperate with anything would be a major technical headache. It simply wasn't designed for that at all. It's centralised so badly it'd need to be ripped apart and rebuilt to allow for "federation". Notice how that using Kerberos to open it up idea seems to have faded away? That's because Kerby was never meant for that anyway, and because it's extremely hard to open up Passport.
4) Passport is growing at a snails pace, with good reason. The gain you get from it is small (often the user needs to give a password anyway, regardless of whether they use passport or not) and the cost is huge, both in developer time and various costs involved in working with Microsoft.
maybe i'm paranoid or just too cautious (Score:1)
I would hate to wake one morning and get an email from microsoft saying "sorry some one hacked passport and stole 100K user accounts including everyone's credit card info."
I don't know but I've been told... (Score:2)
Why is anybody excited about Liberty or Passport? (Score:1)
In addition, there's no way I trust what a corporation is going to do with my data, given the ease with which privacy statements are altered. Maybe if I lived in the European Union, I might feel better about it -- those guys seem to take privacy seriously, even if their networks aren't as built-up as those in the US -- but I simply don't trust American Big Business at all these days.
Novell 4 NDS? (Score:1)
Here's an idea (Score:2, Insightful)
From PingID [pingid.org]
SunNetwork demo of Liberty was Orwellian (Score:1, Informative)
I was at SunNetwork last week. They had a demo of Liberty in one of the Keynotes. As the demo went on, my stomach turned and I blanched.
Instead of Microsoft holding your balls, Sony will.
Feel better now?
Clearly there's a whole whack of MANAGERS and BUSINESS TYPES at Sun and in the Alliance who are simply putting together their own version of Passport, which allows the corporation who sets up the given "circle of trust" between inter-acting corporations to hold the bag. Guess whose likely to be holding the bag? Whoever has the most clout. In the demo, it was Sony.
It's *not* a bunch of techies doing the right thing. Somehow we've all been conned into "oh it's not Microsoft and so it's less evil".
Bullshit.
Great news! (Score:1)
-
Huh? (Score:2)
Trust is the bottom line (Score:3, Insightful)
While I may trust Liberty Alliance more than Microsoft, I still would prefer to manage my passwords myself. Single sign on just provides a single point of attack.
Mozilla already has a base to work from. (Score:1, Insightful)
Would you give just any Microsoft employee your bank card PIN?
Good lord.
Now, Mozilla has a file where you can keep form data, including passwords. When you hit the page, the fields are filled for you.
That does the job for anyone sitting at "their" PC.
If you move about, then all they have to provide is some serverish sort of thing whereby Mozilla can query/update that file on your PC , or a server of your choice, from wherever you are working. All kept fairly secret using PKI/gpg.
Now all you have to do is worry about the level of trust you have in the owner of the version of Mozilla you're using. They may hack mozilla to record your data, but I'd rather take that risk than hand it over to N employees at Microsoft.
You could go further and create a web site security standard other than a simple password. It would offer a public key meta field, then Mozilla could query YOUR server to get a cert that containted an encrypted password to be handed over.
The point is
Re:Mozilla already has a base to work from. (Score:1)
Irony (Score:3, Funny)
(My weapon is the razor-sharp sting of sarcasm!)
Local Storage of Passwords (Score:1)
Last Post! (Score:1)
a thousand years ago. Why not, then, the last step of doing away with
computers altogether?"
-- Jehan Shuman
- this post brought to you by the Automated Last Post Generator...