Liberty Alliance updates identity spec

The Liberty Alliance Project on Tuesday updated its specification for creating a standard for network identity and solicited for the first time public comment on the document, signaling the consortium’s intention to act more like a traditional standards body.

The group released version 1.1 of the spec, which corrects a security flaw and clarifies ambiguities in the text of the draft. The 130-member group in July released the first draft, which details how to create a universal user identity to be used for authentication as a user moves from Web site to Web site. The effort is similar to Microsoft’s Passport single sign-on consumer service, which it is trying to adapt for corporate use.

In version 1.1 of the Liberty specification, the group fixed a flaw in the Liberty-enabled Client/Proxy Profile that would allow hackers to interject themselves into the middle of the exchange of identity credentials between a Web site and an end user with a mobile device. The so-called “man-in-the-middle” attack was discovered in October by researchers from both Sun and IBM and quickly corrected. It is now part of the formal specification.

“It took a couple of weeks to turn [the fix],” says Michael Barrett, president of the Liberty Alliance. “We didn’t push as hard as we would have if we had actual users. But this enabled us to prove our rapid response mechanism.”

That is important to corporations that, if they adopt products that support the Liberty Alliance specification, will demand a process that guarantees quick patches to the technology.

The Alliance also added a few enhancements that allow both users and the entities that accept their identity credentials to periodically change the credentials, a process that is similar to changing a users password at set intervals to preserve its integrity.

Barrett says the enhancements were made to bring the specification more in line with corporations that have set policies on managing identity credentials.

In addition to changes to the specification itself, the Alliance also opened the document to general review by the public for the first time. Version 1.0 was only open to comments by members of the Alliance.

“We are trying to make the Alliance as open as possible while respecting the rights of our members,” Barrett says.

The members, which include both user companies and vendors, pay a fee to participate in the group, which has been coy about whether it may at some point turn its work over to a recognized standards body or continue to work as a independent organization. But by opening the specification for public review, the Alliance seems to be signaling that it will continue to do its own work.

In October, Barrett told Network World, “for all intents and purposes the Liberty Alliance is a de facto standards organization.”

Barrett says the group doesn’t have any specific expectations on the public review period that ends Dec. 6, but says, “we will read and consider all significant responses and weed out the wacko stuff.”

The Alliance plans to publish version 2.0 of its specification in the first half of next year, which will focus on wiring together islands of Liberty Alliance supporters to create a mesh of trust. Version 2 also provides a mechanism for data to be moved around between partners and a permission framework to allow consumers to manage that data exchange.