The Liberty Alliance next week will announce two new draft specifications and, for the first time, turn over a portion of its work to a standards group, providing the first evidence that efforts to create a standards-based identity management framework may be fragmenting.
Liberty will announce at next week’s RSA Conference that the first phase of its work, which was completed in June 2002 and updated in January, will be turned over to the Organization for the Advancement of Structured Information Standards (OASIS). The first phase, which was renamed Identity Federation Framework (ID-FF) in March, is basically Liberty’s Version 1.1 specification that outlines single sign-on and account sharing between partners with established trust relationships.
The Liberty move may be a reaction to IBM Corp. and Microsoft Corp., which are not Liberty members but are trying to create their own federated identity management framework built on WS-Security, an evolving Web services standard they created and submitted to OASIS.
"I fear that the IBM/Microsoft Web Services Security Group and the Liberty Alliance have passed the point of no return in that they can no longer get together and create a common model for federated identity," says Dan Blum, an analyst with the Burton Group. "Above WS-Security, they are not sharing similar components."
Draft specifications for Liberty’s second and third phases of work, which now incorporate the WS-Security protocol for securing Web services messages, also will be introduced at RSA and will outline how to build a permission framework and sets of services for user identities that can be shared across the Internet. The second phase of Liberty’s work, called Identity Web Services Framework (ID-WSF), will allow islands of trusted partners to link to other islands of trusted partners and provide users with the ability to control how their identity information is shared. Phase 3, called Identity Services Interface Specifications (ID-SIS), will build services on top of ID-WSF.
The two draft specifications are not being submitted to OASIS at this time but will be opened to the usual public review.
"I think it is significant that Liberty is ready to open up to a wider world than its own group," says Prateek Mishra, co-chair of the Security Services technical committee at OASIS and director of technology and architecture at Netegrity, a Liberty Alliance member.
Liberty’s Version 1.1 specification will become a foundation document to help create Version 2 of OASIS’s Security Assertion Markup Language (SAML), according to sources. SAML 1.0 is a standard for exchanging authentication and authorization information and is incorporated into and extended by Liberty’s Version 1.1. The hope is that ID-WSF and ID-SIS will eventually extend SAML 2.0 to create a single standards-based environment for federated identity and sharing of identity credentials.
Work on SAML 2.0 will begin at the end of June, according to Mishra.
Handing Version 1.1 over to OASIS is a milestone because Liberty, which has 160 members, is now fully aligned with SAML and OASIS after claiming previously that it was a de facto standards organization.