RealTime IT News

Liberty Alliance Updates Specs

The Liberty Alliance Project Tuesday published a public review draft of a maintenance update of the version 1.0 specifications it released in July.

The version 1.1 draft primarily makes some editorial changes in an effort to clarify the specifications, but also adds a few fixes and minor enhancements.

For instance, the new version fixes a vulnerability in the Liberty-enabled Client/Proxy Profile (LECP), identified by both IBM and Sun Microsystems. The Liberty Alliance said the vulnerability could have allowed a spurious site to interpose itself between a user and a service provider, allowing the site to impersonate the user.

One of the enhancements is intended to add security and privacy protections by allowing a service provider and identity provider to periodically change opaque handles. Opaque handles are random identifiers shared between service providers and identity providers that allow them to identify users. Another enhancement is intended to give flexibility in discovering which identity provider or providers an end-user is using.

The Liberty Alliance Project is seeking input on the new draft until Dec. 16.

The next major release of Liberty's specifications, version 2.0, is planned for 2003. Liberty said that version will provide an infrastructure for developing and supporting identity-enabled Web services, including a framework for permissions-based attribute sharing and the ability to allow groups of organizations (or authentication domains) to be linked together.