Liberty - is usability compatible with security?

The Liberty 1.0 specification could make the Internet easier to use, but will it make it more or less safe?

The Liberty Alliance project aims to simplify the process of signing on to multiple Web sites, eventually allowing a user to use credit card details entered at one site to make purchases at others. Liberty has been developed in large part as a response to the Microsoft-specific Passport system, but as it gets closer to reality, that rivalry is becoming less significant.

On Monday 15 July, Sun Microsystems, United Airlines and dozens of other members of the Liberty Alliance Project released version 1.0 of the Liberty specification. Not in itself a product or a service, Liberty is a specification which services will use to communicate authentication information. The Liberty specification is based on another newly released standard, the Security Assertion Markup Language (see page 3).

Liberty members usually talk about "simplified sign-on" rather than "single sign-on", but the basic principle is to allow users to move around the Net without having to authenticate themselves at different Web sites. This idea, common to both Passport and Liberty, meets with a mixed reaction. In the age-old trade-off between usability and security, many people see such systems as going too far in the direction of usability. Making it too easy to log in to commerce sites means that users will often be more intimately connected with a site than they realise. Sharing information increases the risk of it being misused, and such schemes will make it likely that users share information in ways they do not realise.

In fact, the first version of Liberty is quite limited in scope. It will share authentication only, so that logging into one Web site will automatically log a user into other federated Web sites, each one approved by the user. This will save the user time in logging into different sites in one session, and will save the effort of remembering multiple passwords, but will not streamline e-commerce.
A more feature-rich second phase of Liberty is expected early in 2003, said Michael Barrett, vice president of Internet strategy for American Express and a member of the Liberty Alliance. This version will include a standard way to exchange other information as well, such as credit card numbers or addresses, said Jonathan Schwartz, Sun's newly appointed executive vice president of software. This will allow users to buy products and services at multiple sites, having given their details at only one.

Liberty includes "opt-in" features that let computer users specify which accounts they want to link with a Liberty-supporting service. When the user visits a new Liberty-supporting site, a dialogue box prompts him or her to allow it to share authentication information with previously registered sites. With version 2, the user will also be able to specify what other information, such as phone numbers, they are willing to let their accounts share. Version 2 will also let users grant companies one-time permission to exchange information.

Allies on Monday billed Liberty chiefly as a boon to consumers and a way to reduce the headaches imposed by having to remember multiple login names and passwords. Navigating different Web sites requires frequent stops to sign on, the equivalent of running into a toll booth every mile on the highway, according to Rob Robless, United Airlines chief technology officer. "There are some issues we need to overcome to increase the consumer willingness to buy things or use services on the Internet," Robless said. Also needed is a foundation for partnerships "so we can make more interesting products or services to buy off the Internet."

When Sun launched Liberty in September, it was a direct assault on Microsoft's Passport service, which handled single sign-on by using a centralised authentication site run by Microsoft.
At the time, Sun Chief Executive Scott McNealy called Passport a strategy to profit from owning users' personal information, while Microsoft CEO Steve Ballmer derided Liberty, saying it "has absolutely zero probability of mattering to the world." Those days of acrimony are passing, though. Sun is receding to more of an advisory role while potential corporate users such as Fidelity Investments and Visa International are taking over more of the actual work involved in implementing the technology. "In a year or two we'll look back and say, 'What was all the fuss about?'" Barrett said.

Adam Sohn, product manager for Microsoft's .Net Platform strategy, believes Liberty, Passport and other authentication schemes will effectively merge, the same way different banks once maintained separate, exclusive automated teller machine (ATM) networks but now allow any bank card to work with any machine. "Liberty is what Passport would have looked like if it was thought up by the likes of United Airlines and Visa International," said Illuminata analyst James Governor. Passport once was a standalone technology, but Microsoft is expanding by allowing Passport to "federate" with other authentication sites, quite possibly including Liberty. This more open-armed expansion of Passport will be released in 2003, Sohn said. The company will also let third-party companies perform services necessary to implement Passport.

As it stands, Passport, with an estimated 14 million users according to Gartner Group, has many more participants than services based on the brand-new Liberty. However, Liberty is a specification, not a service, and when Liberty-based services are available, users will sign up to them. A host of such services are expected, and some Liberty members may find ways to import their user bases into Liberty-based schemes.
Sun itself, which sells servers and Sun Open Network Environment (Sun ONE) software for authenticating users and governing their access to computing resources, plans to announce how it will incorporate Liberty into its Identity Server software package. Six other companies announced plans Monday to build Liberty features into their software. Novell, which had an early start in software for directories of information such as username-password pairs, will release its Liberty-enabled products by the end of 2002. Other companies with Liberty software planned include NeuStar; RSA Security; OneName, which sells digital identity software; Communicator, which sells secure electronic communications products; and Entrust, which provides Internet security software and services.

While Passport may have more users, Liberty members have some powerful subscriber lists of their own that potentially could give Liberty a huge boost. Liberty members include online service companies such as America Online, EarthLink and Intuit; old economy companies such as United Airlines, American Airlines and General Motors; mobile phone giants Vodafone, NTT Docomo, Nokia, Nextel and France Telecom; and financial services companies Bank of America, Visa, American Express, Citigroup and MasterCard.

This smoother world of e-commerce, however, requires a profusion of alliances between companies that want to become Liberty partners. But Mark Foster, chief technology officer of network identity company NeuStar, foresees a day when such alliance issues recede. In the early phases of Liberty, allies will join in "circles of trust" in which authenticated users may move easily among the Web sites of those companies, Foster said. In a second generation, different circles of trust will federate, and in a third phase, trust relationships could be created on demand instead of needing to be set up in advance.
With Liberty 2, a person buying music at Sony's Web site could follow a concert advertisement link, then buy a ticket from a concert promoter's site without having to log in again, Schwartz said. John Worrall, vice president of worldwide marketing for RSA Security, bemoaned the headaches of trying to remember who he is on the Net. "I'm John Worrall. I've had that identity forever. But a funny thing happened with the electronic age. As I started going online, I started acquiring multiple identities," he said. He has five professional identities and six personal ones.

The Liberty specification was technically complete two months ago, but it couldn't be released until corporations finished hammering out the intellectual property arrangement, Bennett said. Royalty issues have come to the fore as Sun and others have tried to ensure that Internet standards will be used widely and not become a mechanism for profits. Liberty is mostly, though not quite, a royalty-free specification. "By default, the direction of the organisation is to move in a royalty-free direction... We cross-license intellectual property on a royalty-free basis to each other," Bennett said. However, members with "sensitive pieces of intellectual property may wish to opt out," he said. AOL Time Warner, a late arrival to the Liberty group, has disclosed it has intellectual property in the Liberty realm, Schwartz said. It has agreed to license that intellectual property to Liberty for free, though, he added.

The SAML technology is a product of the Oasis standards group, a possible paving of the way for making Liberty a formal standard. American Express' Bennett said the alliance wants to standardise Liberty, but is first focusing on hammering out the technology before deciding whether to standardise through Oasis, the World Wide Web Consortium or the Internet Engineering Task Force. Liberty could bump up against other standards, though.
For example, while the WS-Security standard under development at Oasis is currently complementary to Liberty, some of the future directions that IBM and Microsoft plan for it overlap with Liberty, Bennett said. It's not clear yet how much Liberty and WS-Security will step on each other's toes in the future. Sun has joined IBM and Microsoft in backing WS-Security, raising the possibility that there's room for some accommodation. Liberty also uses the XML Signature specification, Bennett said.

At a higher level, Liberty is designed to work with a world of cell phones so people on the road can use it. It also includes a provision to let people log off Liberty-connected services in one fell swoop. And Liberty records the mechanism by which a user has been authenticated, a necessary measure to handle alliances between Internet sites that require different levels of authentication. For example, one site may require only a username and password, but more rigorous sites may require physical authentication such as thumbprints or smart cards.
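The last point is the one a site operator in a circle of trust actually has to act on: the assertion it receives says how the user logged in elsewhere, and the site must decide whether that is good enough for what it protects. The following added example (not code from the Liberty specification or any member's product) parses a constructed SAML 1.0-style authentication statement and applies an assumed assurance ranking; the AuthenticationMethod URNs are modelled on SAML 1.0 identifiers and the ranking itself is an assumption of this example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Assumed assurance ranking for this example: a higher number is a
# stronger mechanism. The URNs are modelled on SAML 1.0 authentication
# method identifiers (password, hardware token, X.509 certificate).
LEVELS = {
    "urn:oasis:names:tc:SAML:1.0:am:password": 1,
    "urn:oasis:names:tc:SAML:1.0:am:HardwareToken": 2,
    "urn:oasis:names:tc:SAML:1.0:am:X509-PKI": 3,
}


def make_assertion(method):
    """Build a constructed SAML 1.0-style assertion (sample data, not a
    real Liberty message) that records one authentication method."""
    return (
        '<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" '
        'AssertionID="constructed-1" Issuer="idp.example">'
        f'<AuthenticationStatement AuthenticationMethod="{method}" '
        'AuthenticationInstant="2002-07-15T10:00:00Z">'
        "<Subject><NameIdentifier>alice@example</NameIdentifier></Subject>"
        "</AuthenticationStatement></Assertion>"
    )


def asserted_method(assertion_xml):
    """Return the recorded authentication method, or None if the
    assertion carries no authentication statement at all."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find("saml:AuthenticationStatement", NS)
    return None if stmt is None else stmt.get("AuthenticationMethod")


def decide(assertion_xml, required_level):
    """Relying-party decision: 'accept' when the asserted mechanism meets
    the site's required level, otherwise 'step-up' (re-authenticate with
    a stronger mechanism). A missing or unknown method is never accepted."""
    level = LEVELS.get(asserted_method(assertion_xml), 0)
    return "accept" if level >= required_level else "step-up"
```

A password-only login is enough for a site that asks for level 1, but a site that insists on a smart card or hardware token gets "step-up" and must send the user back to authenticate more strongly rather than silently reusing the weaker session.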
