Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Privacy The Internet Your Rights Online

Liberty Alliance Completes Phase 2 105

g0_p writes "According to CNET the Liberty Alliance project released its phase 2 specifications for the Liberty Identity Web Services Framework. This will provide the much talked about 'single-sign-on' to multiple websites capability. Websites will be able to securely share information about the user including credit card data. The biggest benefit of sharing this kind of data is for people using web services through handhelds and mobile phones (Lesser buttons to click to buy birthday gift..). This may be significant, since many of the new phone models have web browsing capability and there is a considerable surge in sales. Now that this phase is complete we should start seeing this standard being implemented out there on the web. It would also be interesting to see how it stands up against Microsoft Passport in terms of security which has had troubles in the past."
This discussion has been archived. No new comments can be posted.

Liberty Alliance Completes Phase 2

Comments Filter:
  • phase 2 was ????
  • by pegr ( 46683 ) * on Thursday November 13, 2003 @12:48PM (#7465666) Homepage Journal
    No initiative is going to work unless someone gets a major credit card company on-board to assume the risk, pure and simple.
    • You mean like American Express or Bank of America, who are both major sponsors of this project?
      • Sponsoring the project is not the same as assuming the risk. If it weren't for that little issue, this would have been done already (MS not withstanding). MS as muddied the waters for the already-risk averse...
    • by ePhil_One ( 634771 ) on Thursday November 13, 2003 @01:19PM (#7465997) Journal
      No initiative is going to work unless someone gets a major credit card company on-board to assume the risk, pure and simple.

      What they need is a compelling reason for consumers to want their web sites to share sign on information like credit card info. I certainly wont be shopping anywhere that plans to share my info with anybody else.

      All their marking fantasy will hit the brick wall of consumer distrust and make a digusting "splat" sound

      • I would like to see micropayments get worked in to a system like this, THAT would be a compelling reason for consumers to adopt such a system. Access premium content by logging in through a gateway and digitally signing a payment agreement, no credit card hassle every time you want 25 cent comics.
      • Sharing is not really the right word here. It's more like the web sites have access to the user's information from a central (or distributed) database that's under control of the user. The idea is not to share anything without the user's permission. The site gets the single sign-on id from the user (via a form or a cookie) and a password. It then (securely) requests the info it needs from the database. The user is allowed to see what it is requesting and, if they approve, the info is returned. That's the th
    • According to the article: "Sun Microsystems launched Liberty at the behest of Visa International"
    • The whole thing is flawed right from the start. A *single sign-on* is way less secure than multiple sign-ons with different passwords. If your single password is compromised, consider yourself violated in all areas managed by that single sign-on.
      For me, if my email gets compromised, my credit card data is still safe. That's just smart.
      Look at it this way, would the military use a single sign-on? No freakin way.
  • ...called the Interoperability Prototype for Liberty [experimentalstuff.com].

    Just to see what would turn up, I ran PMD [sf.net] over the source code - it came out pretty clean [infoether.com].
  • by Empiric ( 675968 ) * on Thursday November 13, 2003 @12:51PM (#7465704)
    Frankly, I don't want "single-sign-on", and I don't get why other people would either. The information I'd want to be available to my bank is completely different from what I'd want to be available to "Jim's Hardware Shack".

    Presumably, in order for this to work effectively, if you have one standardized set of information about "you", it would have to be the superset of information you'd need for all the sites you use. And, to be efficient from an implementation standpoint, I'd expect this information will be replicated all over the place in various caching mechanisms. This leaves your information fully available to web site operators reputable, disreputable, secure and hackable alike. As well as likely creating a situation where if your primary "record" is compromised, it could provide enough information to allow access "as you" to *all* the web sites you use. This seems like quite a high price to pay for the need to create a separate login for each site, which realistically, is probably on the order of a dozen or two registered sites a year for most users.
    • From every demo I've seen, you can specify whether your information gets shared or not. But, I'll be honest, I don't remember to what granularity.
    • Comment removed (Score:5, Insightful)

      by account_deleted ( 4530225 ) on Thursday November 13, 2003 @12:59PM (#7465805)
      Comment removed based on user account deletion
      • Does it run (on) Coherent ^H^H^H Linux?!!!
      • It's so easy to break into most people's computers that this is also a bad idea. It's better to have your data in physical form, where someone needs to break in to your house to get to it.
      • Why not have it all be stored client-side and just have the user click a button to send everything?

        I can think of a great little program [gator.com] that can help you with that! Oh, and BTW, your system may not be optimized, it's broadcasting an IP to hackers, and your clock isn't accurate.

        -moitz-

      • by 4of12 ( 97621 )

        I like the idea of standard protocols for authentication, but with plenty of flexibility built in.

        There should be no reason for Jim's Hardware Shack to have access to my full profile of personal information at all.

        It should be sufficient that I can locally create a digital check:

        1. my name or handle (and I should be able to create as many or few as I like),
        2. Jim's Hardware Shack's name (or any of the names they want to use),
        3. my secret pin to sign the check or fund transfer request,
        4. an amount,
        5. a time interv
      • Try RoboForm [roboform.com]. It's free to store less than 30 logins.
      • I still don't see why this idea came around where they HAVE to store all your information on someone's server somewhere. Why not have it all be stored client-side and just have the user click a button to send everything? It can be heavily encrypted on the hard drive and over the connection, and you won't have to worry about someone hacking the server and stealing everything or worry about unwanted information sharing.

        I already keep this information stored in a device I already carry around with me. It's s

      • But, for the paranoid types like yourself, the server can be your machine! You can run your own copy of the Liberty Alliance server software and keep all your own data securely encrypted on your hard disk. When you want to use your single sign-on from anywhere on the Internet, it will direct the request to your machine and return the info to the requesting web site.

        Graham
    • by stevesliva ( 648202 ) on Thursday November 13, 2003 @01:06PM (#7465889) Journal
      SSO in its standard form simply allows using the same identity and credentials at multiple sites. Your SSO credentials are only the intersection of all sets of personal information needed by SSO sites, not the superset. Each site then stores additional information hashed with your unique SSO id. It's a matter of debate what that intersection should be:
      • Username/Identifier
      • Password/PIN/etc.
      • Secret Question?
      • Secret Answer?
      • Zipcode?
      • etc...
      It is possible to have SSO with only the first two, but the many numbnuts that forget their password require some secure form of reset.
      • If those five or so attributes are the only thing that is shared, how is this useful for the customer? I still have to fill out my credit card, address, and other info at each site, right?

    • Well *I* know why people want single sign on. They don't want to sign on at all. They don't understand simple information theory that once a secret is gone, it is gone. They don't realise that if they give someone else all the information needed to complete a credit card transaction, they can now do the same thing.

      Hopefully... well, not hopefully, but probably, there will be more identity theft and fraud where the credit card company doesn't assume the costs, and people lose real money over their lax secre
    • "Frankly, I don't want "single-sign-on", and I don't get why other people would either."

      <distribution country="uk">
      David Blunkett wants you to have a single-sign-on, your opinions be damned... Now you can use a single number to access your bank account, travel abroad, and prove your age in bars.
    • Re: (Score:3, Interesting)

      Comment removed based on user account deletion

    • Actually, the whole point to the Liberty Alliance was to avoid the centralization inherent to Microsoft's Passport. If Liberty Alliance succeeds, it's because it was developed by businesses who want to do business but don't necessarily trust eachother. Liberty Alliance has the potential to be a good compromise between the broken eggs that is Passport and the problem of multiple sign-ons.

      I've generally never had a problem with multiple-sign-on, but I guess other people do. Alternatively, all this single-
  • Who cares? (Score:2, Insightful)

    by sulli ( 195030 ) *
    Did I ask for a single sign-on to a bunch of unrelated sites? No!

    I'd much rather control my own damn info and type the CC # into a lot of individual forms than have sites share my data. (Anyway, this problem is solved by browsers' auto-form-fill and auto-password features.)

    • Re:Who cares? (Score:3, Interesting)

      by jfengel ( 409917 )
      Actually, I find it rather scary to have my CC# stored in my browser. First, I'm never sure when it's going to fill it out without my noticing. Is it possible to trick my browser into auto-filling it into a hidden form?

      Second, how well protected is by browser's forms cache? Is my CC# stored, unencrypted, on my disk somewhere? The info is available to anybody who sits down an borrows my browser.

      There are a host of problems with single-sign-on, but auto-fill is at least as dangerous, IMO.
  • by jonbrewer ( 11894 ) * on Thursday November 13, 2003 @12:54PM (#7465749) Homepage
    This tripe reads like a press release. Leading in with "According to CNET" is particularly deceptive when used here. I say that g0_p, the submitter, works for Ketchum [ketchum.com], the public relations firm that represents Liberty Alliance. I also say that Robert Lemos [search.com] the "CNET Staff Writer" responsible for the article, just took a press release and changed a few words. This is not his writing, nor are the other ten articles he "wrote" for CNET this week..
  • by Anonymous Coward on Thursday November 13, 2003 @12:55PM (#7465753)
    "They that can give up essential liberty to obtain a little temporary keystroke reduction deserve neither liberty nor keystroke reduction."
  • MS Passport... (Score:4, Insightful)

    by herrvinny ( 698679 ) on Thursday November 13, 2003 @12:55PM (#7465759)
    If Passport doesn't convert to the "Liberty Identity Web Services Framework", I fail to see how this can get wide consumer usage. Remember, people just want to buy stuff online, they don't want to learn about the differences between passport and a services framework. Somehow they're either going to have to persuade MS to use the framework, or make a superior client that's easy to download (maybe make it an ActiveX control?) Of course, the problem is, Passport ships with Windows/IE, so it's going to be more quickly available that any other client.
    • Re:MS Passport... (Score:3, Insightful)

      by stevesliva ( 648202 )
      Passport doesn't require a client, does it? I assume the real Passport server program ships with Windows Server 2003 and IIS, but there's no passport client per se... MSN messenger and originally XP registration forced you to get a MS Passport, but passport authentication works just fine with any modern web browser, or else Hotmail would be useless from non-Windows OSes.

      So anyways, if it's like Passport, really you just need to get large websites to use the Liberty Identity Service, and users of those

      • No, doesn't seem to. If I go to passport.net and click sign in with Firebird I get an HTML login page. If I do the same in IE6 I get a password dialog box, a 'richer' experience if you will. This seems to be the direction MS is going with things, and I for one welcome it, stuff plays with everything but Windows 'enhances' your experience.
    • How is this whole single signon thing difference to Kerberos? If I set myself up as the Grand Unified Site To Trust, and you allow users who log in to me access to your systems, surely this is the same. You have to trust me.
  • Athens (Score:2, Interesting)

    by mapnjd ( 92353 ) *

    Am I the only one here who's heard of Eduserv Athens [athensams.net]? (Disclaimer: I am employed by Eduserv in a different department).

    Athens has over 2,500,000 users (from UK and Irish Academia and the NHS) and allows secure single sign on to more than 300 resources. It has also been around for years (at least 7). So all this talk of secure single sign-on being "new" seems to be a bit of misinformation as far as I can tell.

    Downside: Athens is not open-source :-(
    Upside: Eduserv are a not-for-profit company that ma

    • Athens has over 2,500,000 users (from UK and Irish Academia and the NHS) and allows secure single sign on to more than 300 resources. It has also been around for years (at least 7). So all this talk of secure single sign-on being "new" seems to be a bit of misinformation as far as I can tell.

      Yeah, and with **Only ONE sign in*** you too can have access to thousands of articles and millions of comments on Slashdot!!! What an innovation!

      Honestly what you describe sounds nothing like what the article is t

      • Very humourous.

        But seriously, Athens is not a one-stop shop for data, it is:

        • A large user database
        • An API for 3rd party data collections to authenticate against + verify that the user has access to that particular collection (or subsets of that collection).
        • A secure single sign-on mechanism for all these third party datasets; all hosted and managed remotely.

        Just because something is in use in academia in our relatively small country does not make it a mickey-mouse solution.

        A recent addition is c

  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Thursday November 13, 2003 @12:59PM (#7465806)
    Comment removed based on user account deletion
  • by astrashe ( 7452 ) * on Thursday November 13, 2003 @01:03PM (#7465865) Journal
    If I would see a car lot called "Honest Al's Used Cars", I'd hold on to my wallet. Honest people don't usually point out their own honesty.

    And when bunch of big companies try to figure out easy and effective ways to share information about me, and call it "the liberty alliance", I doubt that liberty is uppermost in their minds.

    As everyone has pointed out, no one wants this stuff, and we'd all be better off if it just went away.

  • by IA-Outdoors ( 715597 ) on Thursday November 13, 2003 @01:05PM (#7465881)
    I only know that Sun has a liberty compliant implementation. Does anybody know of an OSS project geared at being compliant? Also, I think one thing this project needs to tackle next is authentication strength. I may have app A and app B authenticating to one backend data source (i.e. Active Directory, LDAP, IMAP, etc) but app A may have more critical data and may require additional creditional (i.e. biometrics, smart card, etc). Being able to chain these credentials to the applications desire authentication strength is going to be key.
  • Remember the good old days when someone would actually implement a technology (C, TCP/IP, OpenGL, etc) and then specify it later, after some real world shake-down?

    These days you hear about some potential technology, then a group of 10-50 companies form a committee, then maybe 10 years later if you're lucky the technology will actually be implemented. Of course, by then the technology is pretty much obsolete, and probably unusable by most of the industry due to patent encumberance since most of the compan

  • by aberant ( 631526 ) on Thursday November 13, 2003 @01:19PM (#7466005) Homepage Journal
    When i think of ultimate security of my personal information it doesn't include giving it to some service to remember it for me because i am too lazy to pull out my wallet and type in some numbers. Heck, if i'm going that far I should just get a remote control for my computer so i can hit the amazon.com button on it and then hit the big red BUY! button. Anyway.. back to my point.. I dont trust that people that i don't know will take care of personal information better then i can.
  • by Anonymous Coward
    Now my little brother only has to crack one password before he can buy his new Plasma screen...
  • Everyone's posts seem to be exclusively focused on the merits of Liberty re: the internet. I think a lot of corporate customers are interested in a standard, open single-sign-on solution to link up their internal web applications. A lot of them are using their own internal hacks or using proprietary solutions that work only in the context of a particular app server.

    My last customer (for a variety of reasons) was concurrently supporting iPlanet, Tomcat and JRun and wanted to be sure that their users coul

  • by jimm ( 5532 ) <jim@jimmena r d . c om> on Thursday November 13, 2003 @01:36PM (#7466175) Homepage
    AAARRRGGGHHH! It's "fewer buttons to click", not "lesser buttons to click".

    This is worth wasting karma over. If you can't communicate clearly, how do you expect others to take you seriously? How do you expect to be able to CODE well?
    • This is also worth wasting karma over:

      How do you expect to be able to CODE well?

      How do you get through life assuming that everyone is a programmer? Again, I seem to have forgotten where I am. Slashdot - the "home away from home" for narrow-minded ideologues.
      • You are correct; I should not have assumed that the original poster writes code. However, my original point stands: one must be able to communicate well in order to perform almost any skilled job.

        Oops. I just assumed the poster has a job and is skilled.
  • by cybrthng ( 22291 ) on Thursday November 13, 2003 @01:43PM (#7466257) Homepage Journal
    SSO should be independant of your data sources. SSO doesn't rely on your billing address/information for authentication.

    SSO is a token/cookie/uri that is passwd between websties that accept the "token" as proof that you have been authenticated.

    SSO doesn't take the users data store and pass that along, each vendor maintains its own store and uses the token to authenticate from via an agent that handles this.

    For example you can implement RSA clear trust on all of your sites/services but each user store remains to the application. An Agent simply parses the token, passes to the auth server and verifies the information. Your credit card number isn't passed and would be kept independant of your SSO.

    SSO does not mean "Cyber Wallet" if that is what you fear.

    Microsoft's Single Signon is a combination of LDAP/Active Directory, SSO and Wallet. It usually takes the combindation thereof to complete that cycle. Hopefully this is not the direction of the stated sso implementation.
  • by Aspasia13 ( 700702 ) on Thursday November 13, 2003 @01:46PM (#7466283)
    Consumer: "Lord Gates, only you could be so bold. When the US senate hears about this..."

    Lord Gates: "Don't play games with me. You weren't on any mercy mission this time. We intercepted several credit card transmissions from you."

    Consumer: "I don't know what you're talking about, I'm on a shopping mission."

    Lord Gates: "You are a member of the Liberty Alliance and a traitor!" [to guards] "Take them away!" ....

    Later, in a Passport meeting:

    Lackey #1: "Holding her is dangerous... when the Senate hears about this..."

    Lord Gates: "That won't be a problem. The US Senate has been disbanded. The Regional Sales Leaders have direct control now."

    Lackey #2: "But how will you maintain control without the beaurocracy?"

    Lord Gates: "Fear will keep them in line. Fear of our legal department."

    The Saga Continues...

  • I accidentally typed libertyalliance.org into my location bar and what a suprise I recieved! Jerry Falwell is an asshole.
  • In case people have been asleep for the past 5-7 years, Yahoo has this already in place. I have a single login that I use to access my radio stations, my weather, my portfolio, my email, and for all Yahoo shops. The implementation is seamless and is working fine. This isn't breaking news, by any stretch of the imagination, and it certainly won't fly unless a major website (like Yahoo) is behind it.
    • Exactly. And the advantage of central identity has strengthened the power of the user communities that are monetized by Google, Yahoo, Amazon, and Microsoft.

      Unless there is a successful, open means to federate identification, the small, user-driven sites will continue to be snarfed up by larger sites. The power of a concentrated user bases is a business advantage that leads to concentration of user services.

      The real power of federation efforts such as the Liberty Alliance is the ability to create "local"
  • It was all crapola!!

    Liberty Alliance is a way for BUSINESSES to establish trust relationships with regards to YOUR personal data. Yep.. trust one vendor, and if he's a friend to another vendor (duh) they get your info as well. Isn't that convenient.

    One problem... you can't manage your own certificates!! HA!!

    One group was intentionally left out of the Liberty Alliance... us!!

    This just a Sun driven organziation whose goal is to make sure their rip-off of Passport succeeds. It may not use a server

    • A business _could_ take your personal information and publish it on their website (ignoring legal reprocussions). What prevents them from doing so is this business policy that you are bashing.

      Businesses are.. well, in the business of making money. This means that they cannot afford to upset their customers by selling personal information. Even if you doubt this, they cannot risk the legal reprocussions of sharing your credit card information then having the remote site hacked. There are now heavy legal res

  • And so we continue to move closer to a single identifier per person. You're SS# is used for identity verification with nearly every social and financial service, and now we move closer to being wedded to another identifier. Whether we want it or not, Internet ID is going to move closer to this paradigm as time moves on. Ive seen a lot of flambait regarding 'YES to SSO' or 'DOWN with SSO!'. But this kind of consolidation is the same trend every vital service has moved towards.
  • I have never understood why it should be so fucking simple to shop online. I don't want it to be simple. I want it to require multiple steps that make sure no transactions go through without me wanting it. And I certainly don't want to use a credit card for it.

    As long as I've lived, I've been able to securely transfer money from my bank-account, and at least for a decade, I've been able to do so electronically. Why won't online merchants accept this?

    When I buy something through mail-order, I order, you

A consultant is a person who borrows your watch, tells you what time it is, pockets the watch, and sends you a bill for it.

Working...