Liberty Alliance is alive and kicking

Group's new president says the world is catching on to the need for sharing identity information securely.

Joris Evers, Staff Writer, CNET News.com
REDWOOD CITY, Calif.--Launched in 2001 to outflank Microsoft's Passport service for checking people's online identities, the Liberty Alliance is alive and kicking while Passport is mostly history.

In fact, prime time is just around the corner for the Liberty Alliance, according to Roger Sullivan, the group's newly appointed president. The entire planet is finally coming around to the notion that identity information needs to be shared securely, just what Liberty's protocols enable, Sullivan said in an interview.

But even though Microsoft's Passport fizzled, there are plenty of other identity efforts under way. Attracting the most attention are IBM and Novell, which have put their weight behind an open-source effort called Higgins. Also, Microsoft is back in force: Windows Vista includes a feature called CardSpace meant to let people control identity information.

The multitude of options and rivaling standards remains an obstacle to broad acceptance of any of them, Sullivan said. It confuses the people who need to buy into the idea of federated identities--a world in which somebody only needs to log in once and bits of personal information can be securely shared between trusted applications.

Sullivan, an Oracle vice president who became president of the Liberty Alliance this month, sat down with CNET News.com earlier this week.

Q: What is the simple four-line definition of Liberty Alliance today?
Sullivan: Liberty Alliance is an assembly of both enterprise customers as well as vendors from all around the world. We have come together to develop open standards for identity management. Historically, all of those standards have focused on federation protocols, one enterprise interacting with another enterprise in a secure way and being able to exchange identity credentials from one enterprise to the other.

Q: Liberty Alliance launched a little over five years ago. Has the objective changed?
Sullivan: No, it has always been the same mission. Over those years, what Liberty has accomplished is establishing a technical infrastructure through protocol development as well as business and policy guidelines.

Q: How has the Liberty Alliance's work progressed over the past years?
Sullivan: I think it has taken a little bit longer than a lot of folks anticipated in the early days. Four or five years ago, folks imagined that there was a real pent-up demand for this kind of federation work. But I think that the growth and acceptance in the marketplace has been slower because there has been confusion.

Q: What's at the core of this confusion?
Sullivan: There's confusion about when complete control of identity information is appropriate for an individual versus a business relationship. Some folks have said they want to control information themselves. That's admirable in some applications, but let's say you get smacked by a bus, all your identity information is on you and you need to provide somebody access right there and then. Those kinds of questions about the business practices, but also when strong authentication is appropriate versus single-factor authentication--all of those issues, Liberty has grappled with for years.

Q: Sounds like a negotiation between people who are for privacy rights and people who want to enable whatever they can.
Sullivan: Very much so, you have privacy rights organizations on the one hand, you have folks who are trying to enable business, or provide services to those businesses, and then you've got the individuals themselves who are saying, "Just tell me what the heck I need to do to control this because I'm confused, I don't want to get hit by a bus and die because nobody has permission, but on the other hand I don't want the government in my knickers when I want to share photographs."

Q: Seems that confusion is also not helped by other initiatives that pop up such as Microsoft's CardSpace and Higgins, which is being pushed by Novell and IBM. Is this competition?
Sullivan: First and foremost, you do the market a severe disservice if you set up competition. We think Higgins solves legitimate problems, complementary to Liberty. The average person on the street or even the average enterprise CXO (the X being whatever position one holds) isn't going to be able to articulate exactly where Higgins is complementary to Liberty or where it overlaps. That requires more inclusion, and the attitude on our part to reach across the aisle and, with Higgins, clarify for what they do well and what we do well.

Q: How about Microsoft?
Sullivan: Division does nobody in the industry any good because customers, at the end of the day, want to figure out how to make CardSpace interoperate with other infrastructures. We fully recognize that CardSpace will be a way that customers authenticate into a federated environment. We have to figure out how they work together, and we have to be able to articulate that common vision and purpose to the marketplace. Otherwise the market is going to say, "Hey, I'll just wait till you guys sort it out, call me when it's over, and then I'll start deploying it."

Q: And isn't that essentially what has been going on?
Sullivan: Exactly.

Q: Do you have a solution?
Sullivan: Yes, I think the openLiberty Project is a very concrete example of how Liberty is allowing non-Liberty folks to participate in the conversation. Last June, for the first time ever, we opened up a Liberty meeting to non-Liberty participants. Many of the leaders in the identity world were represented and, from a Liberty perspective, our eyes were opened. We should not view these people as competitors; we should view them as trying to solve a problem that they're trying to articulate as well. Let's help them try to sort that out, let's reveal to them the good work that we've already done, and let them make use of it, if it's appropriate to them to make use of it.

Q: You've been talking about what you call "convergence" of different identity standards for years. How come these things aren't converging?
Sullivan: Because the way that the dialogue has been conducted to this point has been an all or nothing dialogue, and that's true on both sides. The dialogue very quickly degenerates into bits and bytes. There's been this overly focused effort on the technology standards themselves, and who's got to give and who's got to compromise.

Q: So pretty much people had their heels in the sand when there was discussion about convergence. Engineers in particular don't like to give up the work that they've done, or worked hard on and are proud of.
Sullivan: And who could blame them, but if you sit a customer in front of them and the customer says, "I'm not going to buy either of you until you both figure out how to work together," that sharpens the mind really quick.

Q: Is there change?
Sullivan: The difference today is that we're moving beyond the technology standards. It is a fact that CardSpace will be on millions of desktops with the advent of Windows Vista. It will be there so one has to figure out how to interoperate with it as an identity provider.

Beyond that, there's an attitudinal shift that I think is really important. Around the world, in privacy groups, government agencies, vendors and enterprise customers, there is interest in identity. This is not accidental, I think that there's demand that is leading us toward the knee of the hockey stick in the identity space.

Q: The convergence is happening finally?
Sullivan: It's happening. The dialogue is happening. If we can agree on the essential elements, the 80 percent of what each is trying to accomplish, and then we're adding our own value-added on top of that, great.

Q: You're announcing a focus on open-source developers to get Liberty's work adopted more broadly. You could see this as a sign of desperation, that there are not enough people adopting it today so it needs to be free and open to everybody.
Sullivan: I could understand that point of view, and I could understand someone cynically saying that. What I would say in response to that, however, is that identity management and security is not simple. What we're trying to do with this initiative is open the doors and say, "You don't have to sign up to be a full-fledged member of Liberty in order to participate." It has been a roadblock for open-source developers.

Q: You recently became president of Liberty. What's on the top of your agenda?
Sullivan: If I could leave 2007 by changing the perception of folks who have known about Liberty from, "Oh Liberty, they're still around?" to "Yes, they're doing good stuff, they're driving conversation in this space," then I am very proud.