[JDEV] Distributed Authentication - thoughts people?

Thu Sep 27 13:37:54 CDT 2001

Liberty Alliance: An interesting project that has all the right ideas, but
so far is pure vapourware from what I can tell. There is no reason why we
should not join this project if allowed, but I dislike it's entirely
commericial viewpoint. The aim of the LA seems to be entirely getting access
to even more information on consumers. The term "user" is not mentioned on
its front page, only "business" and "consumer". Email wasn't built for mass
marketing, IM wasn't built for market research. Identity shouldn't be built
for companies either. It should be built for the people.

[Max Metral]  Not only is this project commercial vaporware, it's total
"contraryware".  The only reason this project exists is because Microsoft
has something.  I don't think Sun would care about identity and privacy if
you hit them over the head with it.  In fact McNealy is (in)famous for his
comment about telling people "get over it, you don't have privacy online".

Kerberos: Wasn't designed for the web at all. Also very very complex, I
looked into this in depth recently. It's also a not-quite-standard as there
is an "enhanced" (cough) version that MS uses, and then the MIT version that
everyone else uses. However, it's beginning to look like Kerberos will act
as the glue between different systems, allowing them to at least partially
interoperate.
[Max Metral] Yeah, I was rereading the standard the other day and scratching
my head as to how they equated Kerberos with federation when it's pretty
straightforwardly centralized from a trust perspective.  It can work for
sure, but just strange. 

DCE: I tried to find information on it, all I got was a page written in
1995. I've never seen a Windows implementation either. Perhaps this software
solves all,  but I remain to be convinced.

To answer Scott Cote: obviously the final implementation would be decided in
the JIG. But it would probably be based on the jabber network. So for
instance, to login to a website/service you would provide your Jabber
network address ( i suggest this as a more user friendly name JID ) and then
your jabber server would be contacted to authenticate.

However, like I've said before, we should recognise that this is bigger than
Jabber. If we define a protocol, it should be sufficiently abstracted to
allow bindings to other protocols as well, therefore allowing
interoperability.
[Max Metral] We definitely agree here.  I still wonder whether Jabber/JIG is
the right place to address this given what you say here, but there are a lot
of people interested so far be it from me to try to stop progress. :)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.jabber.org/jdev/attachments/20010927/824fdf3c/attachment-0002.htm>