The Liberty Alliance Project
Tuesday published a public review
draft of a maintenance update of the version 1.0 specifications it released in
July.
The version 1.1 draft primarily makes some editorial changes in an effort
to clarify the specifications, but also adds a few fixes and minor
enhancements.
For instance, the new version fixes a vulnerability in the Liberty-enabled
Client/Proxy Profile (LECP), identified by both IBM and Sun Microsystems.
The Liberty Alliance said the vulnerability could have allowed a spurious
site to interpose itself between a user and a service provider, allowing
the site to impersonate the user. One of the enhancements is intended to
add security and privacy protections by allowing a service provider and
identity provider to periodically change opaque handles. Opaque handles are
random identifiers shared between service providers and identity providers
that allow them to identify users. Also, another enhancement is intended to
give flexibility in discovering which identity provider or providers an
end-user is using.
The Liberty Alliance Project is seeking input on the
new draft until Dec. 16.
The next major release of Liberty’s specifications, version 2.0, is planned
for release in 2003. Liberty said that version will provide an
infrastructure for developing and supporting identity-enabled Web
services — including a framework for permissions-based attribute sharing,
and the ability to allow groups of organizations (or authentication
domains) to be linked together.