Liberty Alliance urges standard for UK ID card plan

As the U.K. government moves ahead with a national identification card plan, it should be based on open standards, the executive director of the Liberty Alliance said Wednesday at a press briefing in London.

While the U.K. announced in May that it hopes to start issuing national ID cards by 2008, resolving broad issues of how citizens may interact with an increasingly Web-based government may be years away. However, companies are already speculating as to how the identity -- and security -- of people who access government information may be verified and managed.

Some private companies, such as General Motors and Fidelity Investments, have adopted a federated identity approach: the use of a single-source authentication entry point for customers. With a single user name and password, customers can pass to different Web sites without re-entering their information.

With government, as well, "you have to have a federated approach," said Donal O'Shea, executive director of the Liberty Alliance.

The Liberty Alliance Project, a consortium of companies and government organizations, creates standards for identity federation. Formed four years ago, the Liberty Alliance -- backed by IBM Corp., Sun Microsystems Inc. and others -- has worked with the Organization for the Advancement of Structure Information Standards (OASIS) to develop SAML (Security Assertion Markup Language) for identity federation. A third organization, WS-Federation, backed by Microsoft., is also working on a federated identity standard.

The standard -- if any -- that is used by governments could have a strong impact on vendors vying for large-scale government IT infrastructure contracts.

The technology adopted by the U.K. government should be an open-source standard that will allow people to verify who they are across many organizations, O'Shea said. It should not make the "classic mistake" of not allowing for flexibility in databases that might be in use for up to 50 years for services yet to be envisioned, he said.

The adoption of standards for national ID cards could have implications for both the private and public sectors.

In July 2004, IBM signed a deal with France Telecom SA's mobile division for a single-sign on service for customers accessing different Web sites and mobile services using Liberty Alliance standards. Questions were raised in France as to whether hackers would be able to aggregate information stored across systems, O'Shea said. While nothing is impossible, O'Shea said "we were able to show them that's not the way it works."

Civil liberties and privacy rights questions remain among the public in regard to national ID cards, and whether people will trust and accept the concept of identity federation. "Ultimately, the right not to have information be used by anyone who wants to should be there," said Graham Kemp, head of the U.K. public sector for Sun.