Notes from Liberty 2.0 Workshop

Project Liberty hosted an Idenity Web services workshop and here are my notes:

  • Project Liberty announced OpenLiberty, an open source initiative focusing on “a wide range of new relying party (identity-consuming) applications”. This effort certainly looks like an attempt expand potential addressable market for identity enabled services.
  • Beyond the basic Circle of Trust (CoT), there are other more interesting models of CoT, such as CoT Peering (Roaming user/services) and Hierarchies of CoT. These new features will certainly allow better modeling of the real-world identity in digital identity.
  • Identity Federation Framework (ID-FF) “Focused on human-to-application interaction”
  • Identity Web Services Framework (ID-WSF) “Focused on application-to-application interaction”
  • Identity Service Interface Specs (ID-SIS) “Defines particular useful services”, such as personal profile, geolocation, etc.
  • Web Service Consumer (WSC) “is the requester endpoint, and a Web Service Provider (WSP) is the responder endpoint.”
  • ID-SIS Personal Profile (PP) provides web services on attributes associated to an identity.
  • Discovery Service (DS) is “a hub for locating, and possibly getting coarse-grained authorization to use, various identity services of yours”.
  • Interaction Service (IS) A PP service can check your DS to find an IS that agrees with “your own policy preferences for what’s important enough to bother you with”.
  • Throughout an user’s interaction among different identity enabled services, “the user might be known only by a pseudonym” instead of a global unique user ID, such as a Social Security Number.
  • Open source implementations: OpenSSO, LaSSO, ZXID, Conor’s stuff, OpenSAML, Shibboleth, Lasso
  • Google Earth + Fboweb: A mash-up of Google Earth and real-time flight information from FAA. This is possible because there isn’t access information. If authentication is required, the user might have to provide two separate identity credentials, which can lower usability. Identity technologies such as ID-WSF can simplify the access model with Single Sign-on.
  • Layered Web Apps (composite web app built from individual web services), all components within need to be aware about identity.
  • Context translation – Invoker’s identity might be different from the reponder’s identity.
  • Vendor (and Social) Relationship Management (VASRM) using People Service. VASRM is also known as Customer to Business (C2B), Customer-Managed Interactions (CMI), Customer Managed Relationships (CMR). See also People Service Whitepaper.
    • A RFP consists two parts:
      • What (i.e. HD plasma screen, plane tickets, etc.)
      • Conditions (i.e. style, specs, price, etc)
    • In VRM, an user specifies both.
    • In VASRM, the two pieces are divided. For example, a bride might specify what she want on her wedding registry and guests decide at what price the bride will receive the gift.
  • Advanced Client (aka Intelligent Client)
    • Trusted Module (TM) allows the client to function without an IdP in a protected environment.
      • Local manufacture of Assertions by TM (Minting Assertion)
        • IdP authorizes TM to create assertions
        • Relying Party (RP) can verify delegation against the assertions
        • Unique keys for each RP can enable privacy protection
      • Long term storage IdP issued assertions (Hoarding)
        • IdP issues assertion to TM and TM have the option on when to use the assertion.
    • Client Service Instance (CSI) is a locally running service, which can be profile, calendar, payments, etc. It may not be in a trusted environment, and may have privacy, availability, and connectivity issues.
    • Service Hosting/Proxying Service (SHPS) provides remote instance of the service that synchronizes with CSI. WSCs calls SHPS instead of CSI. SHPS serves as a proxy for CSI by forwarding invocations to CSI.
    • See Conor’s blog.
  • The Higgins Project
    • An open source project that provides identity interoperability framework using card-based UI Metaphor.
    • Supports many protocols/standards, such as WS-Trust, CardSpace, LDAP, OpenID, XRI, RSS, and possibly Liberty.
    • Supports Windows, Suse Linux, etc.
    • Eclipse plugin and non-Eclipse based tools available for developers.
  • Simple Authentication and Security Layer (SASL)
  • See John’s blog.
  • Public IdPs:,

Special thanks to Project Liberty for hosting the event and thanks to all speakers for their educational speeches. All quotes sources are either from associated link (included in the same paragraph/bullet point branch) or from the presentation slides.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s