Liberty Alliance Updates Specs
The version 1.1 draft primarily makes some editorial changes in an effort to clarify the specifications, but also adds a few fixes and minor enhancements.
For instance, the new version fixes a vulnerability in the Liberty-enabled Client/Proxy Profile (LECP), identified by both IBM and Sun Microsystems. The Liberty Alliance said the vulnerability could have allowed a spurious site to interpose itself between a user and a service provider, allowing the site to impersonate the user.
One of the enhancements is intended to add security and privacy protections by allowing a service provider and identity provider to periodically change opaque handles. Opaque handles are random identifiers shared between service providers and identity providers that allow them to identify users. Another enhancement is intended to give flexibility in discovering which identity provider or providers an end user is using.
The Liberty Alliance Project is seeking input on the new draft until Dec. 16.