Give Us Liberty or Give Us .NET

Sun is leading the fight against Microsoft's Passport by putting together the Liberty Alliance Project. After balking awhile, AOL just signed up. Suddenly there's a war going on. Are you feeling better already?

Microsoft makes a big deal about its "right to innovate" and gets pounded for failing to do exactly that. There can be little doubt, however, that the company's Passport authentication system filled the bill (pun intended). It promised users a simple and easy way to authenticate themselves to the commercial world, without having to remember countless conditional logins and passwords, while also sparing users the hassle of entering credit card numbers over and over again. Of course, it was all part of Microsoft's own .NET system. It also was tied in with a project Microsoft first called Hailstorm, but later rebranded as .NET My Services.

From the beginning the system was attacked as a lock-in scheme. At the O'Reilly Open Source Summit this past summer, Clay Shirky challenged Microsoft's Craig Mundie and Dave Stutz by asking, "Can I use a Hailstorm schema to have a Palm Pilot communicate with a Linux server, without contacting a Microsoft server during that transaction?" When Shirky pressed for a clear answer, Dave Stutz replied, "I'll say...yes?"

This kind of waffling did not reassure the rest of the software industry. In October 2001, Sun rallied a bunch of other companies together to create the Liberty Alliance Project to "support the development, deployment and evolution of an open, interoperable standard for network identity. It will require collaboration on standards so that privacy, security and trust are maintained." The idea is to give every individual control over his or her own federated identity. They explain it this way:

Federated identity represents the natural evolution of the next generation of the Internet. The first waves of the Internet, namely communications, global access, commerce, and community identity, gave us a pervasive user medium that has largely been relegated to one-to-one, customer-to-business relationships and experiences. The inflection point starting the Internet's next wave will be marked by an era of open, federated identity with promises of bold new business taxonomies and opportunities, coupled with economies of scale that, until recently, were simply unimaginable. Federated identity will enable the next generation of the Internet: federated commerce. In a federated view of the world, a person's online identity, their personal profile, personalized online configurations, buying habits and history, and shopping preferences are administered by users, yet securely shared with the organizations of their choosing. A federated identity model will enable every business or user to manage their own data, and ensure that the use of critical personal information is managed and distributed by the appropriate parties, rather than a central authority.

What this project lacks in market share and brand awareness (not to mention Passport's baked-in support with every new copy of Windows XP), it makes up for in PR. "Liberty Alliance Project charter members currently represent over a billion network identities", the same home page claims.

The unveiling of this project attracted relatively little notice back in October, but at that time AOL still wasn't involved. Now it is.

Of course this plays into the natural tendency of press folks to enter war coverage mode. Suddenly it's AOL vs. Microsoft again.

But is it really? Do we need yet another alliance to save us from yet another Microsoft intermediation play? Is the Liberty Alliance yet another monolithic solution to yet another monolithic problem? And do our federated selves really sense any of this is a huge problem (including our lack of individual federation)?

Let us know what you think.

Doc Searls is Senior Editor of Linux Journal.

email: doc@ssc.com


Comments


Re: Give Us Liberty or Give Us .NET

Anonymous's picture

These products all assume there's something wrong with the current style of tedious authentication. As a user, I really don't mind retyping my identity information, because the web browser autocompletion features usually cover 80% of the effort. I only wish the browsers were able to selectively "snapshot" forms for me, and save them as web pages, allowing me to browse copies of my transactions. (Maybe OmniWeb or Opera can add this feature :-) With just a little more work at the client side, and maybe some standardization with online purchasing procedures, I think it'd be possible to remove most of the existing problems that Passport and others purport to fix.

The only "service" these centralized identity servers will provide is more reliable tracking for the companies that use them. I don't think that's a "good thing", because corporations like Microsoft, Sun, AOL/TW, etc. act as if they aren't bound to the same privacy laws that restrict government snooping into our private lives.

Just something to think about...

No to Passport's centralized authority.

Re: Give Us Liberty or Give Us .NET

Anonymous's picture

Sun, Microsoft, IBM, HP, RedHat etc. -- They all want the same thing. They want to make money, and there's nothing wrong with that. Whatever happens it really doesn't matter, someone is going to make money, and someone will lose money. The real issue is standards, we need standards before products. Take for instance X/Motif, it is a standard and effectively the only windowing toolkit on UNIX (everything else runs on top of that, or a direct clone of that). It wins because it is a standard -- raise your hand if you are using OpenLook on UNIX. OK, I'll ask the same question about Java in 5 years. If it is not a REAL standard by that time it will go the OpenLook route and be obsoleted.

I'm tired of war

Anonymous's picture

It's something that never seems to end, the world vs Microsoft. It's a war that has been going on for years and seems set to go for many more years. The only thing that changes is what wonderful new product is in the fight. Before it was browsers, media players, Java, applications, and Microsoft's desire to have only their own products used. Today it's .Net and Passport and Microsoft's way of almost forcing users to register with them just so the poor user can use XP. The arguments of if we actually need this stuff aside, if Microsoft would just stop their strong arm tactics and compete on a level playing field, wars would not be necessary and we could all live in an environment where fair competition and freedom of choice are the go. Sadly, Microsoft's continuing strong arm tactics and use of every perverse underhanded method available to lock users into Microsoft only products have forced a continuing war. Rather than Liberty Alliance being a competing product, it is more like yet another saviour from Microsoft's absolute control over the software industry and internet. I am an unwilling partner in the alliance fighting against Microsoft, unwilling because I don't want to fight, but if I want to keep my freedom of choice I have no choice but to fight against Microsoft.

Re: I'm tired of war

Anonymous's picture

While we're at it, why don't we force Pizza Hut to share their recipes with every Mom & Pop pizza joint in America. Why don't we level that playing field? Because there is not an army of Geeks that like Mom & Pop. If there was, that's fine, but we don't force the market. Why does the field have to be level? Why do the strong have to be hindered and the weak assisted? This sounds like Capital Gains and Welfare....that doesn't work as expected and neither will this. Why is the playing field unlevel....because it's business and it has never been level....it never will be. There will also be a single or group of dominators. This is a fact of life. Get over it and quit whining like spoiled children.

Re: Try a free-software project that will be producing a solutio

Anonymous's picture

So you want freedom?
Check out http://www.dotgnu.org and help build a truly free vision.

Screw that. They're already dead and don't even know it.

NIS|LDAP and /etc/password

Anonymous's picture

really what I hope will result is a better YP/NIS+/LDAP auth scheme.

really how do you add people to the network ?

if you use NIS then your passwords are *really* insecure, i.e. $ypcat passwd and a bunch of workstations with libcrack & BIG dictionary on it (this was what they used at my local Uni; I cracked most passwords within 3 days (150 ultra10s)).

so NIS+ or NIS can only be used on trusted networks really.

LDAP gets around the nasties of having to have your workstations config'd right, and being a Standard so that most dir servers can export the format. The problem is how many servers out there have used this, and you have to use a mish mash of tools; basically no central information on how to do it or nice integrated tools.

IF liberty provides tools for networks to exist that can authenticate network users across platforms securely we will have harmony.

libcrypt should be AES based and network should be redundant with ability to serve out to the net so someone logging into a domain can authenticate from another domain, e.g. bob@bob.com should be able to log into sun1.jones.com if jones.com auth server allows him and comms with bob.com for the auth tokens

really it's time for network authentication to step up and become cross platform and out there !

regards

john jones

Try a free-software project that will be producing a solution.

Anonymous's picture

So you want freedom?

Check out http://www.dotgnu.org and help build a truly free vision.

What we really want

Anonymous's picture

I'll trust a consortium to define a specification for authentication long before I'll trust a single corporation, especially if that corporation has a poor reputation for both security and leveraging control of one market into control of others. By defining a specification for authentication, multiple competing vendors hopefully will implement the spec. and we can each make our own judgement on who we will trust. If the Liberty project pans out, I think it will be a good thing.

I thought privacy was dead?!

Anonymous's picture

so Scott "privacy's dead, get over it" McNealy is now working on a system that will protect privacy? ok, that's reassuring.

the bottom line here is that consumers will make the decisions themselves...oh wait, anti-trust laws don't allow for that. i guess the only solution is to keep suing whatever company gains a dominant market share and spread the wealth around. now there's a good plan - that'll help the consumer.

if linux folks REALLY want to get involved with something worthwhile, i'd suggest keeping Linux itself from becoming illegal in the good ole US of A. the sad part is that most linux users are just regular individuals who like technology. they don't contribute billions to grease...i mean bribe...err i mean lobby to keep what they do legal. uncle mickey mouse does, though. wait and see what happens. who knows, maybe the FBI will be conducting linux raids in a few years...

Re: Give Us Liberty or Give Us .NET

Anonymous's picture

We KNOW Microsoft is the enemy re Linux just like Bin Laden is the enemy re the USA. With other companies we aren't sure, maybe yes maybe no. But Microsoft has made it clear that for them Linux is the enemy. So anything that is against Microsoft is almost by definition GOOD.

Re: Give Us Liberty or Give Us .NET

Anonymous's picture

>We KNOW Microsoft is the enemy re Linux
>just like Bin Laden is the enemy re the USA.

Surely there's more evidence against Microsoft than that...

Re: Give Us Liberty or Give Us .NET

Anonymous's picture

Right on. I am sick of Micro$oft and everything they stick down my throat!

Re: Give Us Liberty or Give Us .NET

Anonymous's picture

Technically I don't see what the big deal is. For E-commerce now, the paradigm is, you fill out a web form with your name, shipping and billing address, and credit card number. Now suppose you downloaded a freeware program that would forge a digital certificate with that payload, or whatever key-value pairs were appropriate for your transaction, like omitting the credit card number for logging into a mail service. The vendor solicits a certificate, you enter the passphrase letting your browser decrypt it, re-crypt it, and send it, and your purchase is made. Trust in the authenticity of the certificate is irrelevant; it's just an encrypted cookie whose transmission is under user control (assuming you don't click on "remember this password"). Now we just have to get the vendors to look for these things...

Re: Give Us Liberty or Give Us .NET

tseng_mike's picture

That's based on the assumption that

  1. There is a browser
  2. The browser supports this
  3. That's your computer the browser is running on

Passport and Liberty aren't just about ecommerce, it's about our identity as a whole. Passport and Liberty also allow us to use single sign-on on 'any' device that is connected to the internet since all the processing is on the server side. Also think when you are travelling, you can still maintain that single sign-on in internet cafes where you won't trust to store your password/details in.

Also if you can find that freeware program that would forge a digital certificate, then the whole ecommerce on the web would break down. Not just passport, or liberty alliance.

Re: Give Us Liberty or Give Us .NET

Anonymous's picture

one thing, are you going to be able to log on from more than one spot at once?

like say you have your home pc standing connected all the time and then you connect with your handheld and log in, what happens then?

Re: Give Us Liberty or Give Us .NET

Anonymous's picture

Yes, I would imagine so, just like you can do that with unix and windows (domain). It also won't be that hard to get the current user focused device to route the messages if any to the right device.

Mike

Show us your vision

Anonymous's picture

I just hope the Liberty Alliance is aimed to enhance user experience (a vision), not just to offer an 'alternative' to Microsoft Passport. They need to think of ways which maximise our privacy while still maintaining a functional system. They shouldn't clone every feature of passport for the sake of competition, have a clear VISION (again) where they want to go, openly publish their offering, explain their choices. I don't mind losing some privacy as long as it is in the best interest of me. But let _us_ decide if passport or liberty alliance is better for us. Let us know what we are going to sacrifice, how we will benefit, and where we are going.

SHOW US THE VISION

Mike Lee

Re: Show us your vision

Anonymous's picture

Why the hell not just stay out of our business, out of our computers, OUT OF OUR LIVES, and we'll buy just what the hell we THINK *foreign subject??* we need!

Say hi to Mom! *smiles*

Re: Show us your vision

Doc's picture

I agree.

Unfortunately, (to me, at least) the Liberty Alliance has more the look of Microsoft-hatred (and envy) than the look of something that will be truly useful to everybody.

What I'm hoping is that somebody creates something ASAP that demands to be used, because it does most of the jobs Passport does, without the lock-in -- and because it's free.

But I don't think that kind of thing is going to come from any of the big companies who comprise the Alliance. I think it's going to come from independent geeks.

Or I hope it does, anyway.

Re: Show us your vision

Anonymous's picture

this may be somewhat overboard but what about using something in the style of jabber servers for the handling of the login server?

and if run by an isp you get it in the package solution from them connected to your e-mail and all that:)

the user@host style of addresses are a stroke of genius too poorly used...

Re: Show us your vision

tseng_mike's picture

They need to look at the flaw of the passport design rather than just slap together a clone specification and call it 'standard'. We need to question ourselves, what privacy issue do we take most to heart, is it:

  • One could potentially track all our usage patterns
  • Lots of merchants have our personal details

There are two ways to do what passport achieves, one is centralised, the other being distributed. The problem is none of them are perfect, centralised means our whole internet usage pattern could be tracked. Distributed means we give out our personal details to a hell of a lot of people/organisations. That is the question we need an answer for. This is the current state of ecommerce on internet, unless ecash (anonymous shopping, no id needed) or something similar starts to pick up. We don't have much option.

Mike Lee
