Liberty Alliance releases legal, privacy guidelines

Consortium offers statement of industry best practices for federated identity

The Liberty Alliance Project, an industry consortium working on standards for federated identity systems, released a set of guidelines Tuesday that aims to help organizations deal with some of the legal and privacy issues that arise from such federated identity projects.

The technologies that underlie the Liberty Alliance Project are mature enough for companies to build federated identity systems, according to Russ DeVeau of Liberty Alliance Communications. But companies must also agree on what types of information will be shared and the security and privacy measures they need to have in place to achieve what the Liberty Alliance calls a "circle of trust" among the organizations involved.

"The biggest barriers are how organizations actually work together to federate," DeVeau said.

Federated identity refers to the use of a single sign-on point through which users can then move onto other Web sites or applications without having to enter their user names and passwords repeatedly. Proponents say it can make life simpler for consumers who have to juggle a handful of different user names and passwords, and can mean better security and savings for organizations through fewer password resets.

The 15-page document, targeted at policy managers, was developed through Liberty Alliance's Public Policy Expert Group (PPEG), which includes members from the Business Industry Political Action Committee, a U.S. pro-business group; the U.S. General Services Administration, a U.S. government procurement and policy agency; plus Oracle and Sun Microsystems.

The Liberty technical architecture does not inherently address liability or indemnification, as those are issues that are contractual between the service vendor and the customer, said Michael Aisenberg, chair of Liberty's PPEG and director of government relations for VeriSign.

The guidelines published Tuesday offer the advantage of being developed in the marketplace rather than imposed by a government, Aisenberg said. They are the closest thing that exists to a global statement of industry best practices for federated identity, he said.

"The problem with many technologies in the past has been the intrusion of government saying 'Here's a solution, everyone has got to deploy it,'" Aisenberg said. "That freezes technology in place. That stagnates the incentives for innovation. That makes a telephone system rely on copper for 100 years."

The Liberty Alliance was founded in 2001 and has about 150 members including vendors, private companies and government agencies. The guidelines can be viewed at http://www.projectliberty.org/resources/whitepapers/deployment_guidelines_v2_9.pdf.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies