blog

Liberty is serious about clients

Tuesday, March 20, 2007 by

The Liberty Alliance today announced its Advanced Client specifications which are

designed to allow enterprise users and consumers to manage identity information on devices such as cameras, handhelds, laptops, printers and televisions

For those of you that are so inclined, you can read the specifications here but, in a nutshell, the Advanced Client relies on ID-WSF 2.0 (which I discussed here) to provide the following capabilities:

  • Trusted Module – protocols which allow a client (be it hardware, software or a combination of the two) that is sufficiently secure to be trusted by third-parties to participate in identity-based transactions e.g. to make identity assertions on behalf of an identity provider event if the client is disconnected from the identity provider
  • Provisioning – over-the-air provisioning of data and/or functionality to the client
  • Service Hosting/Proxying (SHPS) – facilities which allow an identity web service service hosted on the client, such as an individual’s e-commerce profile, to be accessed under the control of the individual (whether or not the client is connected)

These capabilities allow identity data to be provisioned to and stored on a client device, such as smart card or a mobile phone SIM and subsequently used in a variety of scenarios, including single sign-on and identity federation. In SSO scenarios, the client can either perform the role of an identity provider (self-asserted) or take responsibility for certain aspects of the SSO process, essentially acting as an extension of a third-party identity provider.

The Advanced Client is the third phase of Liberty’s four-phase roadmap for delivering client capabilities, following on from the Liberty Enabled Client/Proxy (which I discussed at some length here and here) and the Active Client, which provides client-based identity web services and SSO capabilities in an untrusted environment. The final phase is the Robust Client, which will add support for multi-factor authentication and mobility of Trusted Modules.

This is not just about dry specifications though. Earlier in the year at the RSA Conference BT, together with HP and Intel, demonstrated an Advanced Client proof of concept (you can download the presentation here – it’s a 10MB ZIP file!), with HP doing the provisioning and Intel providing the trusted client environment, based on its Identity Capable Platforms (ICP) technology. The proof-of-concept is based on a Wi-Fi provisioning scenario where an individual subscribes to Wi-Fi on the web and completes the BT-initiated provisioning process using credentials which have been pushed down to the ICP-based trusted Active Client.

As I have said before (and I was as guilty of this as anyone) the work of the Liberty Alliance can be perceived as focusing on server-to-server protocols for enterprise-centric federation. Its work on client-enablement, however, provides compelling evidence that this is not the case. With major telco players such as BT, Ericsson, NTT, Nokia, T-Com, Telefonica, Telenor and Vodafone on its membership roster its highly likely that its client specifications are going to see significant deployment. Their participation also explains the emphasis on over-the-air provisioning and active, trusted participation of the user which are essential for telecom services. With an increasingly mobile and disconnected workforce, this is not just a consumer play and organisations should be monitoring these developments closely.

Posted in Uncategorized

Leave a comment: