Liberty Alliance Hints at Agreement with Microsoft on Security Spec

Group considering interoperability with Passport.

• By Matt Migliore
• 10/02/2002

A spokesperson for the Liberty Alliance told Security Strategies that while the group does wholeheartedly support interoperable standards, a final decision has not yet been made on whether it will offer functionality for linking to Microsoft’s single-sign-on solution.

Should the Liberty Alliance ultimately decide to tie itself in some way to Passport, the move would support growing sentiment within the industry that the two identity systems will eventually find common ground.

At its inception in September 2001, the Liberty Alliance was positioned as the polar opposite of Passport. The group’s founder, Sun Microsystems Inc., touted the federated, open-standards characteristics of the Liberty specification as a trustworthy alternative to the proprietary-based Passport.

Microsoft has since vowed to open up Passport to give organizations more control over their own customers’ user identities and profiles. The company has said it will work to ensure interoperability with existing authentication systems.

Many analysts have been waiting for the Liberty Alliance and Passport to achieve some level of cohesion. Madsen’s comments at the Catalyst conference seem to indicate the wait may soon be over.

"We see opportunities for interoperability between Passport and Liberty Alliance; this option could be part of a 1.1 specification, possibly later this year," said Madsen.

An official release date for a 1.1 spec has not yet been confirmed, though a 2.0 version is expected in the first quarter of 2003.

According to Shawn Willett, a principal analyst with Current Analysis Inc., the Liberty Alliance can only benefit from interoperability with Passport. A recent report by Gartner estimates Passport has approximately 14 million users. By federating with it, Willett says, the Liberty spec would gain a lot of credibility.

However, he notes that federating with Passport would require Microsoft’s cooperation, which remains a question mark.

A prepared statement from a Microsoft spokesperson described the company’s position on the Liberty Alliance project this way: “Microsoft has not ruled out working with the Liberty Alliance and continues an open dialogue on an informal basis. In the past several months, we have had a bunch of productive discussions with members of the Alliance, and we expect that to continue moving forward.”

So far, the Liberty Alliance is supported by more than 95 technology and consumer organizations. The addition of Microsoft would give it a leg up on some of the other emerging standards for federated identity, including the recently announced WS-Security specification.

WS-Security, a security spec developed by IBM Corp., Microsoft and VeriSign Inc., is being called a foundation for federating Web services identity. As such, it could directly compete with the Liberty Alliance.

Willet says he expects WS-Security and the Liberty spec to achieve some level of interoperability or to merge into a single standard. “For federated identity to really work, it needs to be supported by everybody,” he says. “Federated identity is kind of a new concept, and it’s going to take some time for it to filter through the corporate world.”

Willet says, before enterprises will begin to adopt standards for federated identity, “interoperability [between existing specifications and systems] needs to happen.” He notes, “Some users are really showing interest in the Liberty spec, but the great majority are waiting and hoping for some kind of merger.”