Liberty is serious about clients
The Liberty Alliance today announced its Advanced Client specifications which are designed to allow enterprise users and consumers to manage identity information on devices such as cameras, handhelds, laptops, printers and televisions. For those of you that are so inclined, you can read the specifications here but, in a nutshell, the Advanced Client relies on ID-WSF 2.0 (which I discussed here) to provide the following capabilities:
- Trusted Module - protocols which allow a client (be it hardware, software or a combination of the two) that is sufficiently secure to be trusted by third parties to participate in identity-based transactions, e.g. to make identity assertions on behalf of an identity provider even if the client is disconnected from the identity provider
- Provisioning - over-the-air provisioning of data and/or functionality to the client
- Service Hosting/Proxying (SHPS) - facilities which allow an identity web service hosted on the client, such as an individual's e-commerce profile, to be accessed under the control of the individual (whether or not the client is connected)
These capabilities allow identity data to be provisioned to and stored on a client device, such as a smart card or a mobile phone SIM, and subsequently used in a variety of scenarios, including single sign-on and identity federation. In SSO scenarios, the client can either perform the role of an identity provider (self-asserted) or take responsibility for certain aspects of the SSO process, essentially acting as an extension of a third-party identity provider.
The Advanced Client is the third phase of Liberty's four-phase roadmap for delivering client capabilities, following on from the Liberty Enabled Client/Proxy (which I discussed at some length here and here) and the Active Client, which provides client-based identity web services and SSO capabilities in an untrusted environment. The final phase is the Robust Client, which will add support for multi-factor authentication and mobility of Trusted Modules.
This is not just about dry specifications though. Earlier in the year at the RSA Conference, BT, together with HP and Intel, demonstrated an Advanced Client proof of concept (you can download the presentation here - it's a 10MB ZIP file!), with HP doing the provisioning and Intel providing the trusted client environment, based on its Identity Capable Platforms (ICP) technology. The proof of concept is based on a Wi-Fi provisioning scenario where an individual subscribes to Wi-Fi on the web and completes the BT-initiated provisioning process using credentials which have been pushed down to the ICP-based trusted Active Client.
As I have said before (and I was as guilty of this as anyone), the work of the Liberty Alliance can be perceived as focusing on server-to-server protocols for enterprise-centric federation. Its work on client-enablement, however, provides compelling evidence that this is not the case. With major telco players such as BT, Ericsson, NTT, Nokia, T-Com, Telefonica, Telenor and Vodafone on its membership roster, it's highly likely that its client specifications are going to see significant deployment. Their participation also explains the emphasis on over-the-air provisioning and active, trusted participation of the user, which are essential for telecom services. With an increasingly mobile and disconnected workforce, this is not just a consumer play and organisations should be monitoring these developments closely.