Identity is More Than Specs at Liberty Alliance

Date Published: October 25 2004
Copyright © 2004 by Kevin Savetz

Good standards are not born, they are made. When it comes to creating standards for federated identity management, the Liberty Alliance is one of the organizations at the forefront.

The group's mission is to serve as the premier open standards organization for federated identity management and services. By literally writing the rules for online identity federation, and releasing them to the public as open standards, Liberty is doing just that.

Formed in September 2001, the Liberty Alliance released its first set of technical specs in April of the following year. "We're proud that it's rapid production and we've stayed that course," Britta Glade, vice chair of Liberty Alliance's business and marketing expert group, said.

The three areas central to Liberty's work are the "Identity Federation Framework," which enables identity federation and management; interface specifications, which enable specific identity services such as personal identity profiles, calendar service, and wallet service; and Web services, which provide the structure for building interoperable identity services on the Web.

But Liberty is not just about writing specs: it also deals with the business and privacy issues behind them. At first glance, "a lot of people look at Liberty and think 'technical specs organization' but we also think that the policy work that we do is very important," Glade said. The organization has released guidelines for privacy and business practices, such as standards for 401(k) federation and mobile devices.

"Technology is about 20 percent of the challenge. The bigger challenge is really business relationships," she said.

Liberty Alliance is comprised of five expert groups, including business and marketing, technology, and public policy. "The public policy group is something that we pride ourselves on because we've always had an eye towards privacy, towards making sure what we do is consistent with global needs in that category," she said.

"If you're a business manager with an organization, you don't really care about technical specifications. The business side can be more of a challenge than the technical side," she said. To that end, the organization's Web site includes best practices guidelines for managers concerned about privacy and security.

Liberty also does conformance testing, giving its stamp of approval to technologies that have proven interoperable with its implementation guidelines.

More than 150 companies are members of the organization, including American Express, AOL Time Warner, France Telecom, General Motors, Hewlett-Packard, and VeriSign. Members can review specifications before they are made available to the public. Once released, Liberty's open standards are available for anyone -- member or not -- to use.

"Often you have standards organizations that build walls around themselves. We look at ways to collaborate and utilize open standards, and contribute and draw from open standards as best we can," Glade said. The organization has a formal relationship with OASIS, and also has working relationships with the Electronic Authentication Partnership, Open Mobile Alliance, and the P3P Project.

In addition to the main technology framework, services groups create specialized, industry-specific specifications that can sit on top. These include specs for gaming, geolocation, personal identity profiling, and calendar services. The gaming specs, for example, will allow developers to create avatars that can participate in other games, even games from other developers. Currently, the only means of accomplishing this is to create proprietary one-offs for each game and platform. With a common framework, developers will be able to create code once and apply it across devices and platforms. Five gaming companies have joined Liberty's games services group to build the specs for their narrowly defined requirements.

"We believe we can create specs a little bit faster because they're very specifically tied to a particular business needs," Glade said.

On the horizon, Liberty plans to work on standards for strong authentication, in order to make tokens, smart cards, and other alternatives to passwords more widely accessible on the Web. Combined with federated identity management, a single smart card could provide a user access to many Web sites with security that is far superior to what is typical today.

More than 400 million Liberty-enabled identities and clients are expected to be in use by the end of 2005, Glade said. "There's the opportunity for an explosion of federated identity with this many devices," she said. "It really can help organizations do things more efficiently, more profitably. The world opens with good federation in place."
