Taking Liberty's word for it

Rupert Goodwins: As Microsoft and the Liberty Alliance show scant signs of trusting each other, should users be sceptical of federations of trust no matter who's behind them?

Ladies and gentlemen -- roll up, roll up. It's time for another one of those tiffs the IT industry does so well. For your delight and amusement, Microsoft takes on the Liberty Alliance in a battle to the death! Who will win in the fight to give you, the lucky consumer, the golden age of Net freedom through federated authentication? But among the razzmatazz and the carefully positioned press releases, none of the players want to discuss a deeper issue -- do we want what they're doing at all?

Federated security works by security services sharing information. You have access to one service, and you agree for that access to be used to let you into another. You store your details in one site, and agree for those details to be passed onto another. Microsoft's Passport is one way of doing this, and the Liberty Alliance will be another.

Liberty Alliance lists four good things about itself and what it does. It will support a broad range of identity-based products and services; enable organisations to realise new revenue and cost-saving opportunities that economically leverage their relationships with customers, business partners and employees; provide consumers with choice of identity providers, the ability to link accounts through federation, and the convenience of a single sign-on; and finally it will increase ease-of-use for consumers to stimulate e-commerce.

Sounds nifty if you're an organisation and great if you're selling identity-based products and services -- which, of course, every member of the Liberty Alliance does, as does Microsoft. But is it a good idea if you're a consumer?

It would be wonderful in a perfect world if you never had to log on to anything, never had to carry keys you could lose or remember a PIN to get at your cash. The world, gracelessly, refuses to comply. The next best thing, the Liberty Alliance and Microsoft says, is to have just the one key, just the one PIN, just the one login. Oddly, the rest of the world doesn't agree. No car is sold with the selling point that you can open it with your house keys: no bank would recommend you set all your PINs to the same number. A single point of vulnerability is never good.

Usability and security need to be traded off: I wouldn't go as far as the system administrator who said that if 20 percent of his users weren't having trouble logging in, he was being too lax, but he had a point. Like most people, I get annoyed when I click on a link and get landed at a registration form that wants my name, address, email, and so on. Wouldn't it be nice if I could do all that with just one more click? Well, no. I want some friction. I want to be continually aware who I'm giving my name to, I want the freedom to give the companies concerned variations on my name and details, I want to have those 30 seconds of typing to reconsider whether it's worth giving my name in exchange for the data.

With federated identity, that goes away. The sense that you're multiplying the number of entities who know who you are -- and, presumably, are going to use that data in some way that impacts on you -- fades. The caution that we all should have when entering into a new business relationship is dissipated. The most important component of security on the Net -- an awareness of what's happening and with whom -- is nullified.

But, says the Alliance, federated identity provides users with a choice as to which companies and how many business entities they wish to trust with their identity and personal information. We have that choice already: it's there by default. Federated identity works in the other direction. You'll be able to move from service to service without relogging in, say the Feds. As I do already, thanks to cookies. What am I getting, exactly?

There is a business case to be made for federated identity within an organisation as part of a way of controlling access to resources, but current security systems are capable of doing that already -- it's not a problem that needs solving in that way. Similarly, federated identity is a good match to the seductive dot-com dream of companies dissolving into loose alliances of groups hiring each other to work on cross-corporate projects: it's just a shame that people don't seem to want to organise themselves to work like that.

I'm reminded strongly of another great innovation that was going to revolutionise our online lives by removing the need to log on to multiple sources of information. You didn't even have to go to the trouble of selecting what you wanted to see more than once -- truly the acme of convenience and the 'fluid user experience' that the Alliance and friends are promoting. You may remember the name of this technology: push. You may even remember trying it, either through Microsoft's Active Desktop, Pointcast or Marimba, and discovering that it was a clumsy and annoying way for companies to make you do what they wanted, when they wanted.

Federated identity may be just as unwelcome a corporate swoop on our ability to control what we do online and with whom we do it, but it's more subtle because it claims to be the opposite. The problems it solves don't need solving: the liberties it provides come with hidden strings. I recommend you check out the Liberty Alliance Web site -- at the nobly named www.projectliberty.org -- and the specs for version 1.0, which in its favour doesn't do very much at all yet. Count all the policy/security notes sprinkled through it, and think just how well everyone using this technology will have to behave when commercial pressures will be pulling them in other directions.

The circles of trust that underpin the system are in reality circles of business relationships -- that's what you'll be buying into. As the stock market shows, trust should never be lightly assumed and business relationships should always be explicit. We must satisfy ourselves on both counts before giving federated security room in our online lives.

To have your say online click on TalkBack and go to the ZDNet UK forums.