Friday, January 26, 2007

Liberty Advanced Client

I've been working on the Liberty Alliance's Advanced Client work over the last year. This work specifies how a client can take part in Liberty protocol transactions in order to provide any of the following capabilities:

  • A trusted extension of the Identity Provider (IdP) that can provide delegated Single Sign-On (SSO) and federation to relying parties. The delegation lets the client enable the user to take part in transactions while offline from the IdP, and/or perform these operations without involving the IdP at all, as a privacy-enhancing capability (the IdP does not learn which relying parties the user signs on to, or when).
  • A locally hosted instance of a Liberty ID-WSF service (a Client Service Instance (CSI)). Of course, any client that can expose a network-visible endpoint for its service (or a PAOS endpoint, to provide functionality along the lines of CardSpace) needs no advanced support; that can be done with the existing ID-WSF protocols. This work shows how the CSI can make use of a network entity, the Service Hosting/Proxying Service (SHPS, pronounced "ships"), to increase availability when the client is behind a firewall and/or experiences changes in its connectivity (such as going through a tunnel or being turned off at night).
  • Provisioning of functionality modules down to a device. This includes models where the provisioning takes place in a trusted environment, so that a Trusted Module (TM), which exposes the IdP extension features above, can be provisioned over the wire to a user's device.
  • Reporting/Accounting - a feature required in some cases so that the client can report events that have taken place to a host authority. For example, in some cases the TM will report after the fact on the operations it performed to the IdP, so that the IdP can track and/or audit usage. This reporting is, of course, optional and likely wouldn't take place where privacy is a concern.
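
To make the delegated-SSO and reporting bullets concrete, here is an added illustration in Go that is not code from the Liberty specifications or from the original post. It shows the general two-level signature pattern the bullets describe: the IdP signs a time-bounded credential binding the TM's Ed25519 public key to one user; the TM then issues SSO assertions to relying parties while offline from the IdP and keeps a local log it can report later (or withhold); the relying party verifies the chain using only the IdP's public key and never contacts the IdP, so the IdP sees neither the audience nor the time. The type names, JSON field layout, validity and freshness rules are assumptions made for this example, not Liberty's wire format.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Delegation: the IdP binds the TM's public key to one user for a bounded window (layout assumed here).
type Delegation struct {
	Subject  string `json:"subject"`
	TMPub    []byte `json:"tm_pub"`
	NotAfter int64  `json:"not_after"` // unix seconds
}

// Assertion: issued by the TM to one relying party while offline from the IdP.
type Assertion struct {
	Subject  string `json:"subject"`
	Audience string `json:"audience"`
	IssuedAt int64  `json:"issued_at"`
}
type Signed struct{ Body, Sig []byte } // Sig is an Ed25519 signature over Body
type SignedAssertion struct {
	Signed            // signed by the TM
	Delegation Signed // signed by the IdP, vouching for the TM's key
}

func signJSON(priv ed25519.PrivateKey, v any) (Signed, error) {
	body, err := json.Marshal(v)
	if err != nil {
		return Signed{}, err
	}
	return Signed{Body: body, Sig: ed25519.Sign(priv, body)}, nil
}

func verifyJSON(pub ed25519.PublicKey, s Signed, v any) error {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, s.Body, s.Sig) {
		return errors.New("bad signature")
	}
	return json.Unmarshal(s.Body, v)
}

// IssueDelegation is the IdP side; it runs once, while the client is online.
func IssueDelegation(idpPriv ed25519.PrivateKey, subject string, tmPub ed25519.PublicKey, notAfter time.Time) (Signed, error) {
	return signJSON(idpPriv, Delegation{Subject: subject, TMPub: tmPub, NotAfter: notAfter.Unix()})
}

// TM holds the delegated credential plus a local log it can later report to the IdP, or withhold for privacy.
type TM struct {
	Priv       ed25519.PrivateKey
	Subject    string
	Delegation Signed
	Log        []Assertion
}

// IssueAssertion signs an SSO assertion for one relying party with no IdP round trip.
func (t *TM) IssueAssertion(audience string, now time.Time) (SignedAssertion, error) {
	a := Assertion{Subject: t.Subject, Audience: audience, IssuedAt: now.Unix()}
	s, err := signJSON(t.Priv, a)
	if err == nil {
		t.Log = append(t.Log, a) // record what was issued, for optional after-the-fact reporting
	}
	return SignedAssertion{Signed: s, Delegation: t.Delegation}, err
}

// VerifyAssertion is the RP side: it trusts only the IdP's public key and never contacts the
// IdP, which is why the IdP learns neither the audience nor the time of the SSO.
func VerifyAssertion(idpPub ed25519.PublicKey, sa SignedAssertion, audience string, now time.Time, maxSkew time.Duration) (string, error) {
	var d Delegation
	if err := verifyJSON(idpPub, sa.Delegation, &d); err != nil {
		return "", fmt.Errorf("delegation: %w", err)
	}
	if now.Unix() > d.NotAfter {
		return "", errors.New("delegation expired")
	}
	var a Assertion
	if err := verifyJSON(ed25519.PublicKey(d.TMPub), sa.Signed, &a); err != nil {
		return "", fmt.Errorf("assertion: %w", err)
	}
	if a.Subject != d.Subject || a.Audience != audience {
		return "", errors.New("assertion subject or audience does not match")
	}
	if age := now.Sub(time.Unix(a.IssuedAt, 0)); age > maxSkew || age < -maxSkew {
		return "", errors.New("assertion outside the freshness window")
	}
	return a.Subject, nil
}

func main() {
	idpPub, idpPriv, _ := ed25519.GenerateKey(rand.Reader)
	tmPub, tmPriv, _ := ed25519.GenerateKey(rand.Reader)
	del, _ := IssueDelegation(idpPriv, "alice", tmPub, time.Now().Add(24*time.Hour))
	tm := &TM{Priv: tmPriv, Subject: "alice", Delegation: del}
	sa, _ := tm.IssueAssertion("https://rp.example", time.Now()) // no IdP contact from here on
	subject, err := VerifyAssertion(idpPub, sa, "https://rp.example", time.Now(), 5*time.Minute)
	fmt.Println("RP accepted:", subject, err, "| TM report:", len(tm.Log), "assertion(s)")
}
```

Two caveats a practitioner would add on top of this sketch: a real assertion should carry an ID or nonce so the relying party can detect replay within the freshness window, and the delegation's validity window is the only lever the IdP keeps over a TM it cannot reach, so it should be short relative to how often the client is expected to come back online.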

You can read more about these technologies in the presentation I gave earlier this week at the Liberty 2.0 workshop. In the presentation, I provide a history of the evolution of the intelligent client capabilities in Liberty as well as a peek at the future technologies.

Early drafts of the protocols along with an overview are working through the publication process within Liberty and should be available soon. I will post a note about them when they become available.

You can also come see some of this work at the Secure Identity Provisioning demonstration that Intel, HP, and British Telecom will be showing at the Liberty Workshop at the RSA Security Conference on Monday the 5th of Feb. You can read more about this demo and get the information necessary to register and get a free conference exhibit pass at the Liberty Event page.
