Simon Pugh on identity management and Liberty Alliance

October 2002: Liberty Alliance wins first
Digital Identity World award

To illustrate the point that we use multiple identities for different purposes, Simon Pugh began by saying he is speaking today as a member of the Liberty Alliance, not as VP of standards and infrastructure for MasterCard, although he is both. And, as a matter of fact, here's another Simon Pugh identity:

If you receive an e-mail titled "Greetings from Simon Pugh" or anything with the name "Simon Pugh" in the title - DO NOT OPEN IT. It will erase the boot sector of your hard drive. [ Symantec]

"I would like to think I own my identity," he says. But that's not always the case. Governments, airlines, and credit-card issuers assign identities to us. And those assigned identities are not necessarily fungible. Simon's UK identity evaporated when he moved to the US, and he had to reboot. Managing all these identities consumes a ridiculous amount of time and effort -- even though Simon doesn't live in the UK any more, he still has to manage that identity, for example.

On Liberty vs. Passport: they are very different entities. Liberty is a framework for interop, not a product or a service. It anticipates federation of diverse emerging identity providers. "While Liberty is an interop system for connecting identity systems, it doesn't necessary mean that two participating services will share your identity, that's a function of the business relationship between the providers. The vision of "circles of trust" begins with individual relationships -- with airlines, with banks. Over time, you begin to link these together, under your control.

Key components of the architecture include:

The federation framework It specifies things like account linking, single sign-on, session management. Based on SAML, it's now stable and not expected to change much.

Web services framework To be released shortly (a few weeks). Anticipates a range of clients, including mobile devices. It will deliver "concept of permissions-based attribute sharing." In other words: translucent databases.


Q: Does privacy come down to contractual agreements and faith in law?

A: Guidance will be provided by a multinational consortium, but there isn't one set of global privacy regulations. Crossing political/legal boundaries is a challenge.

Q: How do I articulate ahead of time a complex enough set of parameters to account for complex network interactions among providers?

A: Service provicers may have additional controls, but you're right, no pre-registration or profile can account for every possible circumstance. There needs to be a balance between ease of use -- asking the average person a whole bunch of questions about how to use their information -- and practical use.

Q: What progress has there been toward digital signatures?

A: Liberty doesn't mandate any specific authentication technique. It provides a way for one identiy provider delivering an assertion to another as to what type of authentication was used.

Q: Wearing your MasterCard hat for a moment, you didn't say much about your provider role.

A: MasterCard isn't the company that issues you your card, it is not the company that maintains the relationship with the consumer who holds the card. Our financial partners are the identity providers, and have those relationships, and have an interest in integrating aspects of them. Clearly MasterCard may offer services to its members as a way of kickstarting things in the marketplace. We can if asked. Because our members own us, they feel comfortable delegating functions to us.

Q: Can you give us one example of adoption?

A: General Motors, SecuritiesHub, Niteo -- see [Actually, here is the enabled products list.]

Former URL: