Patricia Seybold Group, special to SearchWebServices
by Patricia B. Seybold and Geoffrey E. Bock
Our first take on Liberty Alliance version 1.0: Not customer-centric enough!
On July 15, 2002, the Liberty Alliance Project reached an important milestone by publishing Version 1.0 of its technical specifications for federated identity management services. Over 40 major corporations with significant investments in the development of e-business on the Internet—including businesses like United Airlines, SABRE, General Motors, Bank of America, Citigroup, Fidelity, Sony, American Express, MasterCard, and Visa; telcos and Internet service providers like AOL/Time Warner, Bell Canada, Cingular Wireless, France Telecom, Nextel, NTT, Vodafone, Nokia, and Ericsson; security and identity suppliers such as GemPlus, VeriSign, RSA Security, Register.com, OneName, SchlumbergerSema, and ActivCard; and systems suppliers such as SAP, Sun, Novell, and Cisco—have been working together for the past 10 months to provide the foundations for distributed user identities. And while Microsoft has Passport and its own initiative for addressing comparable sets of issues within a Microsoft-centric environment, it has not ruled out the possibility of working with the Liberty Alliance at some time in the future.
Version 1.0: Single sign-on
Liberty Version 1.0 is essentially a spec to enable single sign-on across a group of co-operating Web sites. Once you log into any Liberty-enabled site, you may be asked if you'd like to be "invited" to have a single log-on and authentication across each of its marketing partner sites. You can opt in or out of each of these single log-on offers individually (yes to United Airlines and Marriott; no to Hertz, for example). Even if you do accept, there is no actual sharing of customer profile information or transaction histories across the participating Web sites. Liberty just saves you the step of logging on separately to each of these suppliers' sites. So far, so good. However, as the next releases of Liberty are spec'd and implemented, we need to be really vigilant that end-customers gain more control over two crucial aspects:
- Which suppliers they'd like to interact with beyond the marketing partnerships agreed to by the suppliers.
- Which personal profile information and/or transaction information they'd like to have shared on a context-specific basis.
We are pleased that there is now a technical specification and there are already two products available that implement the initial Liberty spec—Novell's "Saturn" and Sun's SunOne Platform for Networked Identity. But we are displeased with the marketing-centric approach to the design of this crucial enabling technology. We urge you to become actively engaged in shaping the path of the Liberty spec over the next several releases. We need to inject the voice of the end-customer into a process that has, until now, been dominated by marketing executives. We urge you to download the current spec and the plans for future specs from www.projectliberty.org, to join the project, and to add your customers' voices—not just those of your marketing department—to the Liberty Alliance. We also recommend that you compare and contrast our Customer Manifesto (see "Who 'Owns' the Customer in Your Company?") with the ground rules upon which the Liberty Alliance Project has been based.
What's wrong with this picture?
What's wrong with the Liberty Alliance Project's game plan? Here's our quick take. First, the group's mission statement is not customer-centric enough. Second, the group's vision is one in which businesses make marketing partnerships with one another and customers opt into these business relationships—so-called "Circles of Trust." The Liberty Alliance Project is positing the current airline co-marketing agreements—StarAlliance and SkyTeam—as the correct business model. There's no provision for customers to decide which businesses they want to have a relationship with and to construct their own "Circles of Trust" by nominating the businesses they want in those Circles. And there's no provision yet (in Version 1.0) for customers to control which of their profile information they want to share in which contexts with which providers.
Liberty's mission needs to be more customer-centric
The Liberty Project's vision is great—"A networked world across which individuals and businesses can engage in virtually any transaction without compromising the privacy and security of vital identity information"—but part of the Liberty Project's mission is flawed.
The first part of the mission is fine, "To establish open technical specifications that support a broad range of network-identity-based interactions." It's the second part of the mission that's flawed, "To provide BUSINESSES with a basis for new revenue opportunities that economically leverage their relationships with consumers and business partners." That's where we see the conflict between what customers want and what marketing execs within businesses want. Customers don't want to be marketed to. They want to control their relationships and the information they share. A much better mission would be, "To provide CUSTOMERS with a trusted means by which they can streamline their interactions and transactions among the entities with which they choose to do business, while retaining control over the ownership and use of their personal information and the details of their interactions and transactions with each entity."
The third part of the Liberty Alliance Project's mission statement is okay, "To provide businesses with a framework within which businesses can provide consumers with choice, convenience, and control when using any device connected to the Internet."
Who chooses the "Circles of Trust"?
The underlying idea driving the Liberty Alliance Project is simple enough. Whether we are surfing and shopping as individual consumers or working on behalf of a larger organization, we should be able to share information about our identities and interests across a series of Web sites while also ensuring our own personal privacy. As envisioned by the Liberty Alliance, many of our favorite firms (and most useful Web sites) will form "Circles of Trust" on the Internet, much the way that businesses already organize marketing relationships and strategic alliances with one another in the offline world. Once we authenticate ourselves and access one trusted site within a Circle, we will be able to securely connect to any number of related sites without having to repeatedly log on with separate user names and passwords. The main problem with this game plan is that each of these Circles of Trust is established by the companies themselves, not by the customers. So I may not be able to have a single Circle of Trust that includes both American Airlines and United Airlines. Nor am I likely to be able to have one that includes both Citigroup and American Express. From the customer's point of view, this premise is flawed. The solution posited by the Liberty Alliance Project is that customers can join multiple Circles of Trust and then federate them. But each Circle of Trust is likely to have different underlying assumptions about which information is shared for what purposes.
What information gets shared within a circle of trust?
According to the Liberty Alliance Project vision, as we do business with one firm within a Circle, and with our prior permission, related companies will be able to share information about our interests and activities. Thus, in the not too distant future, we might decide to participate in a Circle of Trust run by American Express. As we connect to various airline, car rental, and restaurant Web sites, all of the information about who we are and what we like is coordinated by American Express and shared (again, with our permission) with the participating members we've selected within the Circle. According to the current game plan, the agreements about which information may be shared and how it may be used are up to the members of each Circle of Trust to determine and to disclose. Then, as customers, we can opt in or out of sharing information with each member of the Circle, but we can't yet opt in or out of WHICH information we choose to share in WHICH specific contexts. That's why we need end-customers' active involvement in the next round of specifications. Ideally, the participating players should be soliciting customers' input based on actual customer scenarios and giving customers complete control over which information and relationships they want to enable in the context of different scenarios.
Federated single sign-on is a good start
We are supportive of the Liberty Alliance Project and optimistic that others (e.g., Microsoft, IBM, et al.) will add their voices to help shape this important initiative. But we caution the members that, unless they are willing to let customers create their own Circles of Trust and to have very granular control over which information they are willing to share with which providers on a context-by-context basis, it will never get off the ground!
Copyright 2002 Patricia Seybold Group. The Patricia Seybold Group is the customer-centric executives' first choice for strategic insight, technology guidance, and e-business best practices. Founded in 1978 and based in Boston, Massachusetts, the firm offers customized consulting, strategic research, and executive coaching.