There's a 21st-century adage that says, "On the internet, nobody knows you're a dog." Originally the caption for an amusing cartoon of a family pet sitting at a PC, it's come to symbolise a key problem for companies and consumers around the world. How do you know exactly who you're dealing with when conducting business online?
In the physical world, checking a personal or business identity is relatively easy. There are ID cards, drivers' licences, passports, ABN numbers and a host of other devices that can quickly determine whether a party is legitimate.
But in the online world life's not so easy, and with an increasing amount of business being conducted electronically the race is on to solve the problem.
Adding urgency to the task is the development of web services. This technology, which allows computer systems to exchange information and request actions across public networks, will underpin future electronic commerce. Whether booking a movie ticket or ordering a shipload of coal, web services will have a role to play in hooking parties together.
At the heart of web services is the concept of a user identifying themselves once and then being able to access a range of secure services and information residing on a number of different systems. Log on once and you can visit multiple websites, purchase goods, place orders or request information. It's easy to describe but difficult to achieve.
To enable such a single sign-on to work, a user's trust status must be reliably communicated to any systems requiring it. The concept, known as federated identity, keeps personal details secure but issues an electronic token to any site requiring it. The token is essentially a confirmation that the person involved is legitimate.
For example, a consumer may log on to an airline website and then click on a logo offering a cheap holiday. On being transferred to the holiday company, the consumer may have to log in again or provide credit card details before a booking can be accepted.
However, under a federated identity system, the user's electronic token will be transferred to the holiday website, identifying them as a trusted customer of the airline and removing the need to log in or provide any other personal details. Users remain in control of their personal information and can determine where and when it may be accessed by other parties.
When this concept is extended to larger groups of companies the effect on online commerce becomes clear. So-called 'circles of trust' can be formed between organisations offering related services, smoothing the way for easy electronic transactions. The potential for fraudulent activity is also reduced as it becomes significantly harder to use fake identities or steal personal details.
Federated ID principles can also be used within companies, allowing employees to access linked systems without being required to identify themselves multiple times. For example, logging on to the corporate LAN could allow a user to check salary details, book corporate travel, or file expenses without having to constantly provide personal details.
A key challenge for developers of federated ID systems is ensuring they work within web browsers, including browsers older than the most recent versions released. Because the only common web security tool is secure sockets layer (SSL), early versions of federated ID must work with this. However, future versions will be able to use more complex security as the installed base of browsers is upgraded over time.
Federated ID also requires identity providers. These are organisations that hold a user's personal details and then provide the electronic tokens to service providers, such as online retailers. Identity providers could be banks, telecommunications companies, government departments, or any organisation in which a user puts a sufficient level of trust.
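The token hand-off described above, from airline to holiday site, can be sketched as follows. This is an added example, not code from the article or from any vendor it names. The site names, keys and function names are assumptions, and a shared HMAC key stands in for the public-key signature a production identity provider would use.

```python
import base64, hashlib, hmac, json

# Constructed demo keys (assumptions). In this sketch the identity provider and
# the service provider share the signing key; real deployments sign with a private key.
IDP_SIGNING_KEY = b"constructed-signing-key-demo-only"
PSEUDONYM_KEY = b"constructed-pseudonym-key-demo-only"

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def pseudonym(user_id: str, audience: str) -> str:
    """Opaque per-site handle, so two service providers cannot correlate a user."""
    mac = hmac.new(PSEUDONYM_KEY, f"{user_id}|{audience}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]

def issue_token(user_id: str, audience: str, now: float, ttl: int = 300) -> str:
    """Identity provider: vouch for the user without sending personal details."""
    claims = {"iss": "airline.example", "aud": audience,
              "sub": pseudonym(user_id, audience), "exp": int(now) + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(IDP_SIGNING_KEY, body, hashlib.sha256).digest()
    return b64(body) + "." + b64(sig)

def verify_token(token: str, expected_audience: str, now: float):
    """Service provider: return the claims if the token is acceptable, else None."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:
        return None  # malformed token
    expected = hmac.new(IDP_SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # altered, or not issued by the identity provider
    claims = json.loads(body)
    if claims["aud"] != expected_audience:
        return None  # issued for a different site, so replay elsewhere fails
    if now >= claims["exp"]:
        return None  # expired
    return claims

if __name__ == "__main__":
    token = issue_token("customer-4711", "holiday.example", now=1_000_000)
    print(verify_token(token, "holiday.example", now=1_000_010))
```

The three rejection branches are what make the token safe to pass between sites: it cannot be altered, replayed at a site it was not issued for, or used after it expires.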
"Federated ID management is the key that will make or break web services," says IBM security expert Con Yianakos. "It underpins the whole idea of what companies will be able to achieve."
Yianakos says having an agreed set of standards on which federated ID management systems can be built is an important goal for the IT industry. Those standards dictate how ID information is used, how it is transmitted and how it can be protected.
He says IBM has been working with Microsoft on the so-called WS-Security specification that will allow the concept of federated ID to be more widely used. WS-Security was approved by the Organisation for the Advancement of Structured Information Standards (OASIS) in April. It improves the interoperability and security of different systems that use extensible markup language (XML) to exchange data.
The OASIS approval means security and software companies are now able to incorporate the standards into commercial products. Security vendor RSA Security has already announced its Federated Identity Manager product that incorporates WS-Security specifications. WS-Security will also become part of Microsoft's Passport online security service.
Meanwhile, another industry grouping is working on the same task. Founded in 2001, the Liberty Alliance Project comprises more than 150 companies working to formulate the open standards necessary for federated ID management to work. Members are varied and include educational institutions, IT companies and public-sector groups.
Management board members include Sun Microsystems, Sony Corporation, Nokia, Ericsson and American Express.
Sun's Asia-Pacific solutions manager Darren Fowler says his company has been involved in the group since its inception because of the important role the standards will play in the world of ecommerce.
While he declined to name customers, Fowler says there are "a large number" of companies actively trialling web services and federated ID technology, with a view to rolling it out during the next couple of years.
"Identity is a big issue and companies are still grappling with it," he says. "But it is getting more attractive for them."
Fowler points to a recent example where an organisation in Japan is using a federated ID system to allow students to log into a central computer to check their academic records and marks. Rather than the organisation having to manage security for millions of students, it electronically contacts the relevant school to confirm the identities of the enquirers.
Liberty Alliance members are also busy working on specifications that will enable the concept of federated ID to operate in the world of mobile phones. Telecommunications companies are keen to encourage their customers to access services via their handsets, but recognise that people get frustrated when having to type log-in details and passwords. Using a federated ID system would remove this problem.
"The telcos would like to become trusted providers which then have relationships with a range of services that people may want to access from their mobile handsets," says Fowler. "This is a key driver for them and we are seeing some early-adopter take-up in this area already."
Some observers fear that having multiple standards organisations working on the same problem will result in fragmentation and a mishmash of competing systems. Such a situation would undermine the whole rationale behind web services and the concept of a single sign-on for multiple services. They fear a repeat of the frustrating VHS versus Betamax war that erupted when video recorders first hit the market.
However, Fowler does not believe this will happen. "Liberty has an expert group working on standards adoption and to make sure that other standards adopt Liberty specifications and also that Liberty adopts specifications from other standards bodies."
He says Liberty is not out for world domination, but is trying to work out which standards make the most sense for all parties involved.
"If you're trying to conduct business with three organisations and they all adopt different standards, then what is the point of it?
"You won't see a standards battle. You might see some struggles to get a balance, but it is more of a negotiation process."
IBM's Yianakos agrees. "As long as the world revolves around open standards there won't be a problem," he says. "The consortia involved in fleshing out the standards are a means to an end and not an end in itself."
American Express internet strategy vice-president Michael Barrett, who is also president of Liberty Alliance, says companies wanting to extract value from web services need a system of online identity management.
"The Alliance will enable interoperable identity, single sign-on, universal acceptance and a level playing field for all providers of online services," he says. According to Barrett, when American Express first considered using web services, the company quickly realised security integration issues would make the project unworkable. "We waited for the vendor community in the Alliance to come up with a good set of product offerings, then picked a supplier, and now we're off and running," he says.
However, not everyone is convinced of the immediate requirement for the sophisticated ID systems that such groups are working hard to create.
National application integration manager with Dimension Data, Peter Menadue, says widespread usage of web services is further away than many IT vendors would like to believe.
"People are looking to deploy web services in a way that works now rather than waiting for some of the broader visions that we have all thought of," he says.
Menadue points to a growing number of companies using web services 'behind the firewall' rather than trying to implement them in the wider business community.
He says it is also quite possible to use web services outside the firewall without federated ID technology, if a given group of companies already has a relationship of trust in place.
"There is no pressing demand to have a security scheme broader than that," says Menadue. "Just because I can trust a business on the other side of the world that I have never interacted with before, does that mean I really want to do it? Probably not."
He says a tremendous amount of noise has been created around Microsoft and Passport, and in some ways the Liberty Alliance was created to counter that. Competitors wanted to make sure that if you wanted to use federated ID you didn't have to do it with Microsoft.
While they won't become widely used overnight, web services - underpinned by federated ID management - have the potential to significantly expand the number of business transactions conducted online. By allowing secure access to multiple sites and services, they improve usability while protecting personal data.
