July 15, 2002 4:10 PM PDT
Sun sends forth first version of Liberty
The "single sign-on" standard produced by the Liberty Alliance Project lets users who sign on to one Web site carry over that authenticated status when moving to other Web sites. It's based on another newly released standard, the Security Assertion Markup Language.
A more feature-rich second phase of Liberty is expected early in 2003, said Michael Barrett, vice president of Internet strategy for American Express and a member of the Liberty Alliance.
While version 1.0 handles usernames and passwords, version 2 will provide a standard way to exchange other information as well, such as credit card numbers or addresses, said Jonathan Schwartz, Sun's newly appointed executive vice president of software.
Liberty includes "opt-in" features that let computer users specify which accounts they want to link with Liberty and, with version 2, what other information such as phone numbers they're willing to let those accounts share. Version 2 also will let users grant companies one-time permission to exchange information.
Allies on Monday billed Liberty chiefly as a boon to consumers and a way to reduce the headaches imposed by having to remember multiple login names and passwords. Navigating different Web sites requires frequent stops to sign on, the equivalent of running into a toll booth every mile on the highway, according to Rob Robless, United Airlines chief technology officer.
"There are some issues we need to overcome to increase the consumer acceptance to buy things or use services on the Internet," Robless said. Also needed is a foundation for partnerships "so we can make more interesting products or services to buy off the Internet."
When Sun launched Liberty in September, it was a direct assault on Microsoft's Passport service, which handled single sign-on by using a centralized authentication site run by Microsoft. At the time, Sun Chief Executive Scott McNealy called Passport Microsoft's strategy to profit from owning users' personal information, while Microsoft CEO Steve Ballmer derided Liberty, saying it "has absolutely zero probability of mattering to the world."
Those days of acrimony are passing, though. Sun is receding to more of an advisory role while potential corporate users such as Fidelity Investments and Visa International are taking over more of the actual work involved in implementing the technology.
"In a year or two we'll look back and say, 'What was all the fuss about?'" Barrett said.
Adam Sohn, product manager for Microsoft's .Net Platform strategy, believes Liberty, Passport and other authentication schemes will effectively merge, the same way different banks once maintained separate, exclusive automated teller machine (ATM) networks, but now allow any bank card to work with any machine.
"Liberty is what Passport would have looked like if it was thought up by the likes of United Airlines and Visa International," said Illuminata analyst James Governor.
Passport once was an independent technology, but Microsoft is expanding by allowing Passport to "federate" with other authentication sites, quite possibly including Liberty. This more open-armed expansion of Passport will be released in 2003, Sohn said. The company will also let third-party companies perform services necessary to implement Passport.
As it stands, Passport, with an estimated 14 million users, according to Gartner Group, has many more participants than the brand-new Liberty. But a host of new Liberty-enabled products are expected.
Sun itself, which sells servers and Sun Open Network Environment (Sun ONE) software for authenticating users and governing their access to computing resources, plans to announce how it will incorporate Liberty into its Identity Server software package.
Six other companies announced plans Monday to build Liberty features into their software. Novell, which had an early start in software for directories of information such as username-password pairs, will release its Liberty-enabled products by the end of 2002.
Other companies with Liberty software planned include NeuStar; RSA Security; OneName, which sells digital identity software; Communicator, which sells secure electronic communications products; and Entrust, which provides Internet security software and services.
While Passport may have more users, Liberty members have some powerful subscriber lists of their own that potentially could give Liberty a huge boost. Liberty members include online service companies such as America Online, EarthLink and Intuit; old economy companies such as United Airlines, American Airlines and General Motors; mobile phone giants Vodafone, NTT Docomo, Nokia, Nextel and France Telecom; and financial services companies Bank of America, Visa, American Express, Citigroup and MasterCard.
This smoother world of e-commerce, however, requires a profusion of alliances between companies that want to become Liberty partners. But Mark Foster, chief technology officer of network identity company NeuStar, foresees a day when such alliance issues recede.
In the early phases of Liberty, allies will join in "circles of trust" in which authenticated users may move easily among the Web sites of those companies, Foster said. In a second generation, different circles of trust will federate, and in a third phase, trust relationships could be created on demand instead of needing to be set up in advance.
With Liberty, a person buying music at Sony's Web site could follow a concert advertisement link, then buy a ticket from a concert promoter's site without having to log in again, Schwartz said.
John Worrall, vice president of worldwide marketing for RSA Security, bemoaned the headaches of trying to remember who he is on the Net.
"I'm John Worrall. I've had that identity forever. But a funny thing happened with the electronic age. As I started going online, I started acquiring multiple identities," he said. He has five professional identities and six personal ones.
The Liberty specification was technically complete two months ago, but it couldn't be released until corporations finished hammering out the intellectual property arrangement, Bennett said.
Royalty issues have come to the fore as Sun and others have tried to ensure that Internet standards will be used widely and not become a mechanism for profits. Liberty is mostly, though not quite, a royalty-free specification.
"By default, the direction of the organization is to move in a royalty-free direction...We cross-license intellectual property on a royalty-free basis to each other," Bennett said. However, members with "sensitive pieces of intellectual property may wish to opt out," he said.
AOL Time Warner, a late arrival to the Liberty group, has disclosed it has intellectual property in the Liberty realm, Schwartz said. It has agreed to license that intellectual property to Liberty for free, though, he added.
The SAML technology is a product of the Oasis standards group, which could pave the way for making Liberty a formal standard. American Express' Bennett said the alliance wants to standardize Liberty, but is first focusing on hammering out the technology before deciding to standardize through Oasis, the World Wide Web Consortium or the Internet Engineering Task Force.
Liberty could bump up against other standards, though. For example, while the WS-Security standard under development at Oasis currently is complementary with Liberty, some of the future directions that IBM and Microsoft plan for it overlap with Liberty, Bennett said.
It's not clear yet how much Liberty and WS-Security will step on each other's toes in the future. Sun has joined IBM and Microsoft in backing WS-Security, raising the possibility that there's room for some accommodation.
Liberty also uses the XML Signature specification, Bennett said.
At a higher level, Liberty is designed to work with a world of cell phones so people on the road can use it. It also includes a provision to let people log off of Liberty-connected services in one fell swoop.
And Liberty records the mechanism by which a user has been authenticated, a necessary measure to handle alliances between Internet sites that require different levels of authentication. For example, one site may require only a username and password, but more rigorous sites may require physical authentication such as thumbprints or smart cards.
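The relying-site check described in the last paragraph, as an added example (not code from the article or from the Liberty Alliance): it reads the authentication method from a SAML 1.x authentication statement, the format the article says Liberty builds on, and decides whether a site's required level is met. The sample assertions are constructed, and the strength ranking and the `make_assertion` and `access_decision` names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:1.0:assertion}"

# SAML 1.x authentication-method URIs. The numeric ranking is this example's
# own policy (an assumption); the specification only names the methods.
STRENGTH = {
    "urn:oasis:names:tc:SAML:1.0:am:password": 1,
    "urn:oasis:names:tc:SAML:1.0:am:X509-PKI": 2,
    "urn:oasis:names:tc:SAML:1.0:am:HardwareToken": 3,
}

def make_assertion(method):
    """Build a constructed, unsigned sample assertion for the demo."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">'
        f'<saml:AuthenticationStatement AuthenticationMethod="{method}" '
        'AuthenticationInstant="2002-07-15T16:10:00Z"/>'
        '</saml:Assertion>'
    )

def access_decision(assertion_xml, required_level):
    """Return 'allow', 'step-up' or 'deny' for a site needing required_level.

    Assumes the assertion's XML Signature and issuer were already verified;
    this function only evaluates how the user was authenticated.
    """
    try:
        root = ET.fromstring(assertion_xml)
    except ET.ParseError:
        return "deny"
    stmt = root.find(f"{SAML}AuthenticationStatement")
    if stmt is None:
        return "deny"  # no record of how the user signed on
    # Unknown or unspecified methods rank 0, below every listed method.
    level = STRENGTH.get(stmt.get("AuthenticationMethod"), 0)
    return "allow" if level >= required_level else "step-up"

if __name__ == "__main__":
    pw = make_assertion("urn:oasis:names:tc:SAML:1.0:am:password")
    token = make_assertion("urn:oasis:names:tc:SAML:1.0:am:HardwareToken")
    # Constructed sites: one accepts passwords, one demands a hardware token.
    for site, required in (("music store", 1), ("brokerage", 3)):
        print(site, access_decision(pw, required), access_decision(token, required))
```

A "step-up" result means the site should ask the user to authenticate again with a stronger method rather than accept the carried-over sign-on.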