Kirk Evans Blog

.NET From a Markup Perspective

Liberty Alliance – C’mon, everyone’s doing it.

James Governor posted a comment to a post I made.  James… if the comment is closed, feel free to blog your comments on your own blog and link to my blog entry… I will get the trackback.  Click here for the thread that James is commenting on.  Here is James’ comment:

actually i wanted to comment on your evangelizing to telecoms blog but it’s closed apparently. some good points–but standards are not to be sniffed at. i take your point about java “duty” – but if you don’t start going along with standards – you will find this market really hard. explicitly announcing you won’t support Liberty sounds like bad news from that perspective. see eWeek today:,1759,1681595,00.asp

Thanks for the point, James.  I absolutely agree, standards should not be sniffed at, especially those that make sense and are right for the customer.  And Microsoft is committed to standards that make sense.  Kerberos is a prime example where Microsoft supports a standard that makes sense for our customers.  Microsoft was a key component for getting WS-Security adopted by OASIS, again because WS-Security makes sense for our customers.  Other specifications that Microsoft openly supports that make sense for customers are SSL, TLS, Triple DES… and we haven’t even reached into a vast number of RFCs yet that are implemented in the services provided by Windows.  Microsoft believes in standards, and embraces them when they make sense. 

Not every spec written makes sense for customers.  Not every spec that someone writes means that everyone has to join in.  I participated in a “standard” that describes delivering calendar data over RSS or Atom… does the fact that I proposed something that augments RSS mean that every news aggregator must now support it?  Does this mean that every blog engine out there should have to support ESS just because me and some other guys wrote out what we saw as a solution to a common problem?  Absolutely not: me and a group of other guys offered this “spec” as a means of providing a common format with the knowledge that there are several different approaches and efforts underway in the market already. This just illustrates the point that not every specification is required to be implemented by every vendor, and not every vendor agrees with every specification.

When I hear people ask about this article, I can’t help but think of a group of kids, after school, behind the playground… someone brought a pack of cigarettes to school, and they are trying to convince one of the kids to join in.  “C’mon, everyone’s doing it.”  It’s funny to picture members from the Liberty Alliance circled around Steve Ballmer, his eyes shut tight, hands on his ears, shaking his head vigorously “No… No… It’s just not right…” while the Liberty Alliance members chant “C’mon, Steve-O… everyone’s doing it.”

Blind adherence to a “specification” is technical self-gratification.  Not every specification makes sense in a bigger picture.  This is simply a fact of competition: different vendors will have different implementations of combinations of specifications.  This quote from the article you referenced speaks volumes about this very concept:

Some see eventual convergence of the standards. “At some point, the security specs might have to merge,” Schmelzer said. “It will be interesting to see if Sun continues to support Liberty Alliance—no reason why they shouldn’t—and how that will merge with efforts to support the WS-* stack. Maybe they’ll just support both sets of specs and hope for convergence.”

Hope for convergence?  How sane is that?  How does this make any business sense whatsoever?  The WS-* stack is not just about identity, it is not just about transactions, it is not just about reliable messaging… it is about delivering a cohesive set of building blocks where identity can be used with transactions while providing guaranteed delivery.  Why hope for convergence when it is unlikely by design?  IBM, BEA, Microsoft, and others are not hoping that you will be able to create security over transacted service calls; everyone is working diligently towards making this a reality through WS-*.  Maybe IBM has an idea how to change the minds of all the Liberty Alliance members to see the light, or maybe IBM really does think complexity is a viable business model.  Instead of crossing our fingers for something that is unlikely, show me where the work has been done to actually address that convergence now… I honestly haven’t seen it, maybe I am missing something.

(Side note: Speaking of competition, I thought I would bring up the fact that Microsoft has an identity solution already available in the market called Passport.  We have other identity solutions as well, including Active Directory, ADAM, MIIS, and the upcoming Active Directory Federation Services.  There are several Microsoft products that offer SSO implementations, including SharePoint Portal Server, BizTalk Server 2004, and Host Integration Server.)

The WS-* specifications offer a composable architecture that provides an open and interoperable framework for secure, reliable, and transacted services.  You can find out more about this vision in the following article.

An Introduction to the Web Services Architecture and Its Specifications
Get an introduction to the Web services architecture. This white paper describes the design principles underlying the architecture and foundational technologies for Web services.   

If you want to find out more about Microsoft’s vision for federated identity, then have a look at the following article on the MSDN Developer’s Center.

Federation of Identities in a Web Services World
Understand the issues regarding federated identity management. Read about a comprehensive solution based on the Web services specifications outlined in the WS-Security roadmap and other related Web services specifications.

You might also want to look at what Microsoft is doing to provide real-world implementations to customers based on standards such as Kerberos through Active Directory Federation Services.