THE LIBERTY ALLIANCE Project on Monday is announcing availability of Version 1.0 of its specifications for a federated network
identity system for e-commerce and Web services.
According to the Liberty Alliance, the specifications represent the first step in enabling an open, federated network identification
infrastructure to link similar and disparate systems. Through the specifications, users can decide whether to link accounts
with various identity providers.
Companies such as Sun Microsystems, Nokia, MasterCard, and American Express are members of Liberty Alliance and expressed
their support of the specifications. Various vendors on Monday may provide road maps for supporting the Liberty effort in
products.
"First and foremost, what we were trying to enable in the first phase of Liberty is simplified single sign-on," said Paul
Madsen, strategic product manager for identity services at Liberty Alliance member Entrust, and a member of the Liberty technology
group editing the Version 1.0 specifications.
"The [user] is given greater control over what accounts they tie together," Madsen said.
The next version of the specification will address permission-based attribute sharing, in which organizations can share
user information according to permissions granted by the user.
Version 1.0 enables "opt-in" account linking, in which users can choose to link accounts with different service providers.
Other functions of the specification include simplified sign-on for linked accounts, in which users can authenticate at
one account and navigate to other linked accounts without having to again log in; authentication context, which lets institutions
or companies communicate the type of authentication that should be used for user log-ins; and global log-out, in which a user
can log out of one site and be automatically logged out of other linked sites.
The specification leverages protocols such as SAML (Security Assertion Markup Language).
Liberty's specifications are intended to remove some of the burden for users as they traverse multiple Web sites to do transactions,
Madsen said.
He said he anticipated interoperability between Liberty and Microsoft's single sign-on plan, Passport. Users of Passport
could authenticate to a Liberty provider, he said.
According to the alliance, Version 1.0 specifications do not involve exchange of personal information, but provide a format
for exchanging authentication information between companies to protect user identities. Uses include business-to-consumer
commerce, business-to-business commerce, and enterprise-to-employee applications.
Version 1.0 features "pseudonymity," in which the actions of an individual will not be tied together, to prevent multiple
transactions of a user from being correlated with a user's actual identity. This prevents businesses from colluding to get
views of a user and prevent hackers from accessing user information, Madsen said. A user is protected by a randomly generated
stream of code acting as a pseudonym, to enable the user to interact between two Web sites.
"The benefit of that is, ultimately, the user's privacy is protected," Madsen said.
An analyst gave the Liberty Alliance specifications a mixed review.
"The alliance has produced an important standard--the Liberty Alliance [Version 1.0] specifications -- that, once implemented
in e-business infrastructures, will allow users to link their accounts across different organizations, security
domains, and application environments," said analyst James Kobielus, senior analyst at the Burton Group in Alexandria, Va.,
in an e-mail response to questions. "Users will be able to optionally link -- and de-link -- their accounts, so as to reduce
the number of times they need to enter user IDs and passwords when transacting business across one or more 'federated' or
affiliated organizations."
"The principal shortcomings of the Liberty Alliance 1.0 specifications is that they are new, unproven in the field, rely
on the still immature but promising SAML 1.0 standard, and leave many complex technical integration details to be worked out
by organizations that implement Liberty-enabled account linking. Liberty 1.0, like SAML 1.0, which Liberty's specs extend,
still needs to be implemented and integrated in a critical mass of commercial products and services," Kobielus said.
Meanwhile, in response to the Liberty news, Microsoft said it is taking a broader approach to network identity management,
according to Adam Sohn, product manager for .Net platform strategy at Microsoft, in Redmond, Wash.
Microsoft plans to support a variety of network security standards in addition to SAML, which is at the core of the Liberty
Alliance specification. Those additional technologies include PKI (public key infrastructure) and Kerberos, Sohn said.
To counter the Liberty Alliance work, Microsoft said that the work being done to develop the WS-Security specification will
play a more important role in authenticating user credentials on the Internet than the Liberty Alliance specification.
"[Liberty Alliance] is solving a slightly more narrow problem than WS-Security," Sohn said.
"We think there needs to be a general purpose architecture for identity management that can support lots of security types,"
Sohn said. "SAML assertions are one type. We don't think you can just pick one and enforce it across the world. Different
customers have different needs."
In the consumer space, Microsoft has its Passport authentication service, which allows users to travel participating password-protected
Web sites and applications under a single identity. For the enterprise, Sohn said Microsoft is building out its Active Directory
server software to also support its single sign-on technology.
Whereas the Liberty Alliance specification is based on SAML, Dan Blum, an analyst at the Burton Group said that it will
provide a necessary component for developing a method of authenticating users on the Internet that isn't fulfilled with other
standard security technologies such as PKI and Kerberos.
"The Liberty Alliance features solve a very important problem, which cannot be solved with other technologies," Blum said.
"That said, it doesn't put any of those technologies [PKI and Kerberos] out of business. PKI and Kerberos have not really
scaled to the enterprise. SAML plus the Liberty Alliance specification is more appropriate for enterprise use."
Matt Berger, a San Francisco-based correspondent for the IDG News Service, an InfoWorld affiliate, contributed to this article.
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
