Liberty Alliance Spec Won't Cure Security Mess

The Liberty Alliance Project will unveil its specification for identity management this week, but members of the group and others said the entities involved in the Web services security standards effort have made little progress toward fusing their pet projects into a coherent platform.

Despite some encouraging signs—such as Liberty founder Sun Microsystems Inc., of Palo Alto, Calif., deciding to support the WS-Security (Web Services Security) authentication effort headed by its chief rival, Microsoft Corp., of Redmond, Wash.—many executives said they feel the differences between the companies will continue to hamper the standards effort. Those involved with the Liberty Alliance said they worry that Microsoft's Passport identity service will become the de facto standard.

"Everyone in the industry is very wary of Microsoft, and Liberty is all of us banding together to make sure they don't dominate the market," said Deepak Taneja, chief technology officer of Netegrity Inc., a Web services security company in Waltham, Mass., and a new member of the Liberty Alliance.

At the same time, some Liberty Alliance insiders say that the 1.0 specification released this week is little more than a slightly dressed-up version of the SAML (Security Assertion Markup Language) specification that the Organization for the Advancement of Structured Information Standards produced this spring.

The Liberty Alliance specification focuses on authentication and includes some provisions for setting up a federated identity management network, according to sources familiar with the release.

"The phase one spec isn't much different than SAML, but people will still want to come out and say that [their products] support it," said one executive from a Liberty Alliance member company, who requested anonymity. "What we need to do is meld [the Liberty Alliance specification, SAML, WS-Security and Microsoft's Passport] together."

While that's an oft-cited goal among the companies involved, it's much easier said than done.

Formed last year, the Liberty Alliance has been working on a standard for federated identity management in Web services, a specification that many see as a direct challenge to Passport.

WS-Security, by contrast, is a method for describing the conventions of how users and companies carry security credentials and how they can protect and verify the integrity of the messages that machines exchange via Web services. The specification's authors, Microsoft, IBM and VeriSign Inc., recently submitted WS-Security to OASIS for consideration as a standard.

SAML is an XML-based language that all proposed Web services standards support and that allows users to transfer security credentials from one affiliated site to another.

Some observers say, however, that once all the posturing and jockeying for position is over, the technologists will find some common ground.

"I've seen some good signs. I'm encouraged by what Sun is doing in joining [WS-Security]," said Bob Sutor, director of e-business standards strategy at IBM, in Armonk, N.Y.

"What customers see now is a wide variety of specs, and they don't have a clue how to glue them together," Sutor said. "I'm hoping we'll see a good industry technology discussion around this and move away from the politics, which we're all sick of. But standards take time. It's not going to be tomorrow."

Sutor said Liberty Alliance doing its future work under the aegis of OASIS would be a big step toward knitting together all the specifications.
