Version 1.1 Draft Provides Maintenance Updates to Existing 1.0 Specifications
Liberty Alliance Project – The Liberty Alliance Project, a business and technology consortium formed to develop open specifications for federated network identity, today released for public review a draft of the version 1.1 specifications, a maintenance update to the version 1.0 specifications released in July. Version 1.1 includes editorial changes that clarify the version 1.0 specifications, as well as fixes and minor enhancements. The update is the result of feedback that the Liberty Alliance has received from members and non-members during the last three months. The version 1.1 document is the first to be issued by the Liberty Alliance for public input, prior to final approval.
“The Liberty Alliance is striving to address the requirements of a wide range of businesses and industries, and as part of this effort we are encouraging non-members as well as members to provide feedback regarding the version 1.1 specifications, which are works-in-progress,” said Simon Nicholson, chairman of the Liberty Alliance Technology Expert Group. “Because so many organizations are involved in the work of the Alliance, we have a unique opportunity to understand the business issues companies want to solve and the end-user benefits they want our specifications to provide.”
The majority of the updates in the version 1.1 specifications are focused on reducing barriers for implementers, by improving flexibility and clarifying some ambiguities in the version 1.0 specifications. In addition to the editorial changes, the following enhancements are among those included in the version 1.1 draft release.
– Liberty-Enabled Client/Proxy (LECP) Profile Changes
These changes fix a vulnerability in a Liberty-enabled Client/Proxy Profile that was identified concurrently by IBM and Sun and brought to the attention of the Alliance. This LECP vulnerability could have allowed a spurious site to interpose itself between the user with a mobile device and a service provider. By obtaining the user’s authentication assertion, the spurious site could then impersonate the user at the service provider. This vulnerability was addressed previously in the Liberty Alliance Errata document published in October, and is now included in version 1.1.
– Additional Flexibility for Identity Providers and Service Providers
Two other minor enhancements provide additional flexibility in the specifications for identity and service providers. The first allows a service provider and identity provider to periodically change the opaque handle (the random identifier shared only between a service provider and identity provider that identifies the user), which may enhance security and privacy protection, depending upon its usage. The second enhancement provides additional flexibility in discovering which identity provider(s) an end-user is using.
The Liberty Alliance specifications focus on enabling interoperability between technology systems to make it easy for businesses to provide opt-in account linking and simplified sign-on functionality to partners, customers and employees. The following examples illustrate how the Liberty Alliance specifications could benefit end-users:
Businesses could increase productivity and reduce hassle for their employees by linking the various applications they use to do their jobs, and/or applications on the corporate Intranet, such as 401K, health benefits, and travel services. This would enable employees to move seamlessly from one service or application to another without having to enter multiple user names and passwords.
Businesses could reduce IT costs, increase operational efficiencies and enhance relationships with their suppliers, vendors or other partners by enabling them to access multiple business applications within an extranet in a more seamless way.
Businesses could provide more convenience to customers. In the travel industry, for example, various companies that choose to establish partnerships, or “circles of trust,” could provide their customers with the ability to book airline tickets, rent cars and reserve hotel rooms using the affinity programs within each of the companies, without requiring customers to enter username and password information at each site.
The Liberty Alliance is taking a phased approach to the release of its specifications and anticipates that the next major release of specifications, version 2.0, will be issued in 2003. Version 2.0, which will build upon version 1.1, will provide an infrastructure for developing and supporting identity-enabled Web services from companies, organizations or government entities. The infrastructure will include a framework for permissions-based attribute sharing and will allow groups of organizations, often referred to as “circles of trust” or authentication domains, to be linked together, as opposed to operating as separate islands.
The Liberty Alliance encourages interested parties to review and provide feedback on the version 1.1 draft specifications, which are now available on the Liberty Alliance Web site at www.projectliberty.org/specs/v1_1draft/. Feedback can be provided by sending e-mail to email@example.com. The period of public review will remain open until December 16th, when the Liberty Alliance Technology Group will work to finalize the document.
About the Liberty Alliance Project
The Liberty Alliance Project (www.projectliberty.org) is an alliance of more than 130 technology and consumer organizations formed to develop and deploy open, federated network identification specifications that support all current and emerging network devices in the digital economy. Federated identity will help drive the next generation of the Internet, offering businesses and consumers convenience and choice. Membership is open to all commercial and non-commercial organizations.