22 August 2002

The Liberty Alliance, a consortium of businesses working to define standards for business-to-business (B2B) and business-to-consumer (B2C) single sign-on, has been criticised as a redundant technology by a senior security executive at KPMG.
Nick Bleech, the head of information security services at KPMG, said that the specifications released by the Liberty Alliance do not address the subtle differences between B2C and B2B relationships.
Moreover, he believes that the B2B specifications that the Alliance has produced overlap with existing industry standards efforts such as the Security Assertion Markup Language (SAML) and the Kerberos authentication protocol.
According to Liberty Alliance spokesmen, the group’s specifications will provide a standard way to integrate internal and external authentication systems. However, KPMG’s Bleech views the Liberty Alliance specifications as an additional layer of standards for which there is no demand in the B2B market.
“I don’t see any demand for businesses needing to log into different websites. Instead they are more interested in authentication at the messaging level, specifications for which are provided by SAML,” said Bleech.
SAML is an XML specification being developed by the Organization for the Advancement of Structured Information Standards (OASIS). It provides a standard way to authenticate users of one application with other applications and will eventually be included in the Liberty Alliance specifications.
But Bleech also criticised the Alliance for not addressing broader issues surrounding B2B single sign-on, such as where liabilities and responsibilities should lie. “Projects like this are very risky because the lawsuits start flying between business partners when one of the member’s security breaks,” said Bleech.
The Liberty Alliance was launched in September 2001 by Sun Microsystems and has since attracted a diverse group of technology companies, network operators and large corporate IT users. Prominent members include America Online (AOL), Nokia, General Motors, Citigroup, United Airlines and RSA Security.
In July 2002, the group released its first set of specifications, which set out a method for authenticating Internet users who move between two companies’ web sites or web applications. The unique proposition of the Alliance is that it is a federated architecture. In other words, each member company keeps hold of its own user and customer profiles and does not send any of them over the Internet.
Instead, a user authenticated by one business is then considered to be authenticated for other businesses using the Liberty Alliance specification. Further specifications defining additional information regarding the user will be released later this year.