From inception, the Liberty Alliance has put heavy emphasis on privacy. Not only do our specifications reflect this, but also the work done by our Policy Expert Group and the guidance this group of experts provides across the Alliance. The decisions made in developing technology were all made to enhance privacy and make it easier to implement good privacy practices.
Nontechnical Privacy Features
- User consent
- All of the relevant specifications explicitly support user consent for relevant transactions
- User choice of identity providers
- Federated architecture allows users to choose an identity provider, or even multiple providers, independent of the used network or service, with Liberty Alliance standards tying all of these providers together as a cohesive whole
- Selection is only constrained by laws, regulations and business models, not the Liberty specifications
- Decentralized or federated storage of PII or other information related to your identity
- Federated architecture allows the information related to a specific identity to be stored in relevant locations defined by the user, government, or business relationship between the consumer and certain Service Provider
- Storage of PII or other identity related information is only constrained by laws, regulations and business models, not by the Liberty specifications
- Liberty specifications support a variety of storage scenarios, including client-hosted
- Simplified password management
Technical Privacy Features
- XML Signature
XMLDSig allows a proper verification of the transaction parties, and if messages are signed and stored, allows for later auditing.
- Pseudonymous access
Identity federation in Liberty creates a pseudonym, constructed of a random set of characters, and being unique in the context of a specific identity provider and service provider.
- Anonymous Access
Liberty specs provide means for a service provider to access identity services without a need to know who the user they are providing services to really is
- Usage Directives
- Consent header block
SOAP header block used to explicitly assert that the Principal consented to the present interaction
- Interaction Service
The Interaction Service specification defines schemas and profiles that enable an identity service to interact with the owner of the information exposed by that identity service
- Client-hosted identity services
Liberty’s architecture includes mechanisms designed to support the storage and serving of identity data from resource constrained devices
- Enhanced Client Proxy
Protocols and processing in the standards take advantage of enhanced client capabilities to provide maximum control over identity sharing through active client mediation
|Liberty Whitepaper: Privacy and Security Best Practices||
• final_privacy_security_best_practices.pdf 655.00 kB
|Given the amount of personal information under consideration with federated implementations, Liberty has developed Deployment Guidelines for implementers with an eye toward the privacy considerations||
• deployment_guidelines_v2_9.pdf 555.39 kB
|Liberty Whitepaper: Liberty Architecture Framework for supporting Privacy Preference Expression Languages (PPELs)||
• Final_PPEL_White_Paper.pdf 458.05 kB
|Overview presentation about Liberty and Privacy.||
• 051024_Liberty_Tokyo_b.pdf 2.07 MB
|Find all of the Liberty Alliance specifications here.||Specifications|
|ITU-T Workshop on Digital Identity for NGN, Presentation on Privacy||
• ITU-TPrivacyPresentationDec06.pdf 1.06 MB
|Liberty Alliance formed the Identity Assurance Expert Group (IAEG) to foster adoption of identity trust services. Utilizing initial contributions from the e-Authentication Partnership (EAP) and the US E-Authentication Federation, the IAEG’s objective is to create a framework of baseline policies, business rules, and commercial terms against which identity trust services can be assessed and evaluated. The goal is to facilitate trusted identity federation to promote uniformity and interoperability amongst identity service providers. The primary deliverable of IAEG is the Liberty Identity Assurance Framework (LIAF).
The LIAF leverages the EAP Trust Framework [EAPTrustFramework] and the US E-Authentication Federation Credential Assessment Framework ([CAF]) as a baseline in forming the criteria for a harmonized, best-of-breed industry identity assurance standard. The LIAF is a framework supporting mutual acceptance, validation, and life cycle maintenance across identity federations. The main components of the LIAF are detailed discussions of Assurance Level criteria, Service and Credential Assessment Criteria, an Accreditation and Certification Model, and the associated business rules.
Assurance Levels (ALs) are the levels of trust associated with a credential as measured by the associated technology, processes, and policy and practice statements. The LIAF defers to the guidance provided by the National Institute of Standards and Technology (NIST) Special Publication 800-63 version 1.0.1 [NIST800-63] which outlines four (4) levels of assurance, ranging in confidence level from low to very high. Use of ALs is determined by the level of confidence or trust necessary to mitigate risk in the transaction.
The Service and Credential Assessment Criteria section in the LIAF will establish baseline criteria for general organizational conformity, identity proofing services, credential strength, and credential management services against which all CSPs will be evaluated. The LIAF will also establish Credential Assessment Profiles (CAPs) for each level of assurance that will be published and updated as needed to account for technological advances and preferred practice and policy updates.
The LIAF will employ a phased approach to establishing criteria for certification and accreditation, first focusing on the certification of credential service providers (CSPs) and the accreditation of those who will assess and evaluate them. The goal of this phased approach is to initially provide federations and Federation Operators with the means to certify their members for the benefit of inter-federation and streamlining the certification process for the industry. Follow-on phases will target the development of criteria for certification of federations, themselves, and a Best Practice guide for relying parties.
Finally, the LIAF will include a discussion of the business rules associated with IAEG participation, certification, and accreditation.
• liberty-identity-assurance-framework-v1.0.pdf 565.42 kB
|Use this form to submit feedback on the Identity Assurance Framework document||
• Identity Assurance Feedback Form >
|The Liberty Public Policy Expert Group (PPEG) regularly runs Privacy Summit events across the globe, with past events held in Berlin, Brussels, Washington DC, Basel and London. The next Privacy Summit is planned for Japan in June.
The aim of these events has been to get privacy stakeholders from many different disciplines (IT, policy, regulation, legal, academic) round the table for a free-form, peer to peer discussion of strategic issues and possible solutions.
As the series unfolded, we quickly found that a major stumbling block was the lack of a shared terminology and model for the basic concepts of identity data and privacy. It was too easy for useful discussions of ‘second-order’ topics such as trust and privacy to get mired in largely unnecessary confusion over basic concepts and terminology. As a result, we used the Berlin and Brussels summits to generate reports which we believe help move towards such shared understanding.
In particular, the Brussels report sets out simple models which illustrate the different ‘layers’ identity data, their application in different ‘sectors’ (such as employment, healthcare, tax and so on), and the relative roles of credentials, attributes and indices. The report then illustrates concepts such as identity ‘contexts’, the establishment of contexts which span sectors, and some of the ways in which architecture, technology and policy need to interact in order for the system as a whole to function correctly.
We used the Washington DC summit as an opportunity to test the usefulness of these models, and found that they allowed us to quickly establish a common level of understanding amongst all the participants. That enabled us to move on to a productive discussion of the ‘second-order’ topics and capitalise fully on the skills and experience of the assembled stakeholders.
Reports are added here regularly from Summits conducted and feedback received, so check back often.
|The Liberty Public Policy Expert Group (PPEG) has run Privacy Summit events world-wide, gathering privacy stakeholders from many different disciplines (IT, policy, regulation, legal, academic) for a peer-to-peer discussion of strategic issues and possible solutions. Through the Summits, some key lessons have been learned, and simple models derived which help remove many of the obstacles to a productive, multi-stakeholder discussion of privacy issues. These lessons and model are reviewed in this presentation, along with trends to watch for in the future.||
• 6. 080422 EIC Privacy – Wilton.pdf 1.23 MB
|Webcast: Identity Governance Framework: New Standards to Protect Privacy Through Governing Policy||
• 080423 igf-openliberty – P Hunt.pdf 5.26 MB