Tool eases move to Liberty 1.0

Web services application developers working to implement the XML-based Liberty 1.0 security specification from the Liberty Alliance need flexibility in implementation, according to Roger Sullivan, president of Phaos Technology Corp.

Wall Street-based Phaos, which released a Java-based toolkit for implementing Liberty 1.0 this month, is responding to developer demands for flexibility, said Sullivan. The Liberty 1.0 standard, created by the Liberty Alliance, aims to let users store personal preferences identifiers. The group was formed by Microsoft competitors like Sun, Novell and Oracle along with several user organizations to counter Microsoft's Passport effort.

"One of the early customers for this toolkit is a manufacturing consortium that is putting together an application that will allow them to communicate with agents around the country," Sullivan said, noting that the undisclosed firm sought to link agents to data on credit information, loan applications and the like. He maintained that the Phaos Liberty-compliant toolkit enabled the firm to build the application as they wanted.

Ari Kermaier, senior software engineer at Phaos, described his company's toolkit as "a set of class libraries and a Java API in terms of which the developer can program his application, similar to the way the Sun JDK gives you class libraries for collection classes like hash tables. [It] provides class libraries for security and, in this case, for the message classes and message structure for Liberty. Those sit on top of more general class libraries for SAML, of which Liberty is a profile, and it also includes libraries for basic XML security such as signed documents, encryption and SOAP Security."

The Phaos Liberty Toolkit is not an end-to-end solution, Kermaier said, because that would limit how the developer could implement it in applications requiring single sign-on and other security technologies. The toolkit implements all the message constructs of the Liberty specification so that programmers can exchange the Liberty specification messages for whatever application they are focusing on, such as single sign-on, he said. "We've also implemented the transport bindings for SOAP and HTTP. What we haven't done is integrate it into a fixed end-to-end solution the way some of the larger vendors have. We've left it flexible so that programmers can tailor it to their individual situation and perform the message exchanges they want to perform."

Phaos' Sullivan argues that providing this kind of flexibility in implementing the Liberty Alliance vision of Federated Identity is the most realistic approach to Web services security.

"We think, frankly, as people are feeling their way to implementing these Federate Alliance authentication models, they will want more flexibility rather than less," Sullivan said. "Everyone has evolved their own business practice over 20, 50, 100 years. And we're not going to be able to flip a switch and have everyone in the Federate Alliance work in the same way."

In addition to vendors like Sun and Oracle, the Liberty Alliance includes user companies like American Express, AOL Time Warner, Bell Canada, Citigroup, France Telecom, General Motors, Hewlett-Packard Company, MasterCard International, Nokia, NTT DoCoMo, Openwave Systems, RSA Security, Sony Corp., Sun Microsystems, United Airlines and Vodafone.

For more information click on http://www.projectliberty.org or http://www.phaos.com.

About the Author

Rich Seeley is Web Editor for Campus Technology.