Industry leaders submit Identity Governance Framework to openLiberty.org for development of open source implementations
Liberty Alliance’s openLiberty.org project is dedicated to developing “secure and privacy-respecting identity-based applications based on Liberty Alliance standards”. Today, the alliance has submitted the Identity Governance Framework (IGF), a programmatic framework designed to solve regulatory requirements for organizations that must share personal data securely and confidently between applications. The Liberty Alliance consists of nearly 50 members representing such players as HP, Intel, Internet2/Shibboleth and OpenSAML, and Oracle. Anyone interested in advancing open source Liberty Web Services and IGF implementations can join the project at openLiberty.org. The project will develop a set of open source libraries and technologies based on the Apache 2.0 license, easing the development of products that consume, provide and manage identity-related information.
Specifications Pass Key Liberty Alliance Milestone; Consortium Announces IGF Public Webcast August 15
REDWOOD SHORES, Calif., Liberty Alliance, July 26 /PRNewswire-FirstCall/–Liberty Alliance, the global identity consortium working to build a more trusted Internet for consumers, governments and businesses worldwide, today announced two key milestones for the Identity Governance Framework (IGF). Today, industry leaders submitted IGF to openLiberty.org for open source development of IGF implementations. Liberty Alliance also announced the ratification of market requirements documentation (MRD) for IGF and the commencement of technical specification work. With today’s news, developers, system integrators and organizations in every sector can begin planning IGF deployments referencing the publicly available MRD and building IGF applications based on the open source APIs collaboratively developed at openLiberty.org. Liberty will hold a public webcast to review IGF developments and the roadmap for continuous development and support within Liberty Alliance and at openLiberty.org on August 15 at 8:00am US PT.
“With Liberty Alliance market requirements completed and technical specification work and open source implementations initiated in parallel, IGF is a significant step closer to delivering users and organizations greater privacy and security protection across applications and industries,” said Brett McDowell, executive director of the Liberty Alliance. “Organizations, infrastructure providers and the Web 2.0 community now have a variety of identity governance tools for advancing the Internet’s privacy layer based on open standards from Liberty Alliance.”
IGF is the industry’s first programmatic framework designed to help organizations meet regulatory requirements such as the European Data Protection Initiative, Gramm-Leach-Bliley Act, PCI Security Standard and Sarbanes-Oxley. The framework establishes a standard way of defining enterprise-level policies for organizations to share sensitive personal information securely and confidently between applications and diverse identity sources while helping ensure security and privacy. The rapid completion and publication of the Liberty Alliance MRD represents the growing and urgent need for IGF as an open standard. With the MRD now completed, work can progress rapidly on the creation of the technical specifications and open source implementations required to speed the development of standards-based end-to-end auditing and governance solutions.
Oracle released a draft of the IGF in November 2006 to wide industry support and in February submitted IGF royalty-free to Liberty Alliance for further development based on Liberty’s model of collaboratively addressing the technology, business and privacy aspects of identity management. Liberty’s Technology Expert Group (TEG) will now develop specifications to meet the IGF MRD. Membership in TEG is open to all industry stakeholders and individual contributors interested in participating in the specifications development process. The IGF MRDs announced today are available for public review and download at project liberty.
A two-phased, collaborative approach to IGF development
The further development of IGF standards will take place within Liberty’s TEG and openLiberty.org, a community driven open source project formed to facilitate the development of secure and privacy-respecting identity applications based on Liberty Alliance specifications. This two-phased approach ensures the widest possible collaboration in the development of IGF and provides opportunities for developers and the global open source community to participate in the development of IGF standards. Co-chaired by Paul Madsen of NTT and Carolina Canales-Valenzuela of Ericsson with participation from technology experts from around the world, TEG will collaboratively deliver IGF profiles, specifications and implementation recommendations. Individuals and organizations interested in following the development of IGF within TEG can read the public mail-list archive at http://maa.projectliberty.org/lap-technology/public-mail/.
Consisting of nearly 50 subscribers with leadership and representation from HP, Intel, Internet2/Shibboleth and OpenSAML, openLiberty.org is an open source community open to everyone interested in advancing open source Liberty Web Services and now IGF implementations. openLiberty.org will develop a set of open source libraries and technologies based on the Apache 2.0 license that developers and vendors can use to build products that consume, provide and manage identity-related information based on the IGF protocols. Developers, individuals and organizations can get more information and join the openLiberty.org IGF community at http://www.openliberty.org/wiki/index.php/IGF_Introduction
“The development of IGF specifications within Liberty Alliance in conjunction with open source implementations at openLiberty.org represents a new era in the collaborative development of open identity standards,” said Jason Rouault, vice president of the Liberty Alliance Management Board and chief technologist for Identity and Security Management, Software, HP. “The two-track approach to IGF development will allow developers to more easily and quickly drive policy and privacy attributes into open source identity initiatives.”
Support for developers and a call for industry-wide participation
Liberty Alliance, supporters of IGF and openLiberty.org invite the developer and open source communities to participate in the further development of IGF. The framework provides developers with a declarative model for access to identity data for creating business applications. Through the development of open source implementations, developers will be able to re-use the APIs developed within openLiberty.org to more easily develop application features and controls to ensure compliance of identity data usage with enterprise policies and privacy regulation requirements.
A key objective of the dual approach to IGF standards development is to demonstrate multi-protocol implementations. This means eventual support for ID-WSF, SAML 2.0, WS-* and OpenID specifications and collaboration with other industry identity initiatives such as the Concordia Project, Project Bandit and the Eclipse Higgins project. As specifications development work progresses within Liberty’s TEG and at openLiberty.org, the groups will regularly work together to offer mutual guidance and support to ensure work is complementary and meets the Liberty Alliance IGF MRDs. Liberty Alliance expects to release draft IGF specifications during 2Q, 2008.
“Today’s news represents a significant milestone in the evolution of IGF and the collaborative development of an open, standards-based approach to meeting cross-industry governance objectives,” said Prateek Mishra, director, Identity Management Standards, Oracle. “IGF will allow organizations in every sector to easily create an open end-to-end governance framework based on Liberty Alliance specifications and openLiberty.org implementations.”
Industry support for IGF momentum and the openLiberty.org development process as the framework quickly moves toward open standard ratification
CA – “Today’s highly interconnected business environment requires standardized ways of managing the flow of user identity data across disparate systems and applications. The release of the IGF use-case MRD is an important milestone in the delivery of practical, vendor-neutral standards for this growing challenge. CA will continue to work with the Liberty Alliance partners to define adaptable XML-based specifications that simplify the creation, enforcement and management of identity security policies.” Andy Rappaport, Senior Architect, Identity and Access Management at CA.
HP – Sai Allavarpu, director of products for HP Identity Center, Software, HP, said, “Addressing governance, risk and compliance is hard enough within an enterprise and when enterprises federate with their partners, suppliers and customers, the challenge of compliance gets exponentially more complex. IGF and the open source tools developed at openLiberty will help enterprises in federated networks leverage a common, standards-based framework to better manage their compliance while optimizing their governance processes.”
Luminance Consulting – “Just like the concept of ‘identity’ adds valuable context to applications, web services and SOAs, the enforcement of governance adds a critical layer of functionality to identity systems and implementations,” said Andrew Shikiar, Principal of Luminance Consulting. “Liberty’s rapid and open development of the Identity Governance Framework MRD and its submission to openLiberty.org will bring tangible benefit to any organization seeking to implement a governance framework and policies across their enterprise.”
Eclipse Higgins Project – The IGF software implementation plans to build on the Higgins’ Identity Attribute Service Component. “We are very pleased that IGF plans to build on and coordinate with Higgins,” said Paul Trevithick and Mary Ruddy, Eclipse Higgins Project co-leads.
NEC – “Identity Governance Framework and open source implementations are useful tools to establish systems that can effectively cope with privacy protection and internal control. NEC is supportive of developing IGF standards.” Makoto Hatakeyama, Identity Architect, NEC
Oracle – “As a founder of the Identity Governance Framework, we are very pleased with the technology community’s positive response to the specification and as a leading provider of enterprise applications, database and middleware, we look forward to continuing to work with Liberty and other industry leaders within openLiberty.org to continue the development of IGF,” said Amit Jasuja, vice president, Development, Security and Identity Management at Oracle. “Our support of the specification will help organizations further advance their information security initiatives.”
SSC, New Zealand Government – “We are committed to frameworks that foster privacy aware online services and IGF has the potential to complement and extend the identity systems we have in place today,” said Colin Wallis, Chair of the Liberty Alliance eGovernment Special Interest Group, Programme Manager, Authentication Standards, New Zealand Government. “We welcome the rapid completion of market requirements and look forward to seeing the further development of IGF within Liberty Alliance and at openLiberty.org.”
Ping Identity – “Safeguarding individual and corporate use of identity on the Internet will require an international effort. As a participant in the build-out of identity infrastructure, we see it as our duty to support all efforts which help protect one’s identity on the Internet,” said Andre Durand, CEO, Ping Identity. “The Liberty Alliance offers the perfect forum for international collaboration and consensus building towards this end.”
Symlabs – “The development of Identity Governance Framework within Liberty Alliance Technical Expert Groups is a positive step toward realizing the promise of open standards for identity management in complex, real-world networks,” said Sampo Kellomaki, Identity Architect, Symlabs. “Liberty’s global focus and use-case methodologies aim to deliver highly practical identity management solutions that serve a wide range of enterprises.”
About the August 15 Liberty Alliance IGF Webcast
The public webcast, An Overview of the Identity Governance Framework: Putting Privacy and Regulatory Compliance First, will be held on Wednesday, August 15 at 8:00am US PT. The session will feature Prateek Mishra and Phil Hunt of Oracle and leaders of the IGF initiative within Liberty Alliance, and Brett McDowell, Liberty’s Executive Director. The webcast will include a 45 minute presentation and 15 minute Q and A and is designed to show developers and organizations how they can leverage IGF today and over the long-term to build and deploy open, secure and privacy respecting governance solutions. Registration and more information are available at projectliberty.org.
About Liberty Alliance
Liberty Alliance is the only global identity organization with a membership base that includes technology vendors, consumer service providers and educational and government organizations working together to build a more trusted Internet by addressing the technology, business and privacy aspects of digital identity management. The Liberty Alliance Management Board consists of representatives from AOL, Ericsson, Fidelity Investments, France Telecom, HP, Intel, Novell, NTT, Oracle, and Sun Microsystems. Liberty Alliance works with identity organizations worldwide to ensure all voices are included in the global identity discussion and regularly holds and participates in public events designed to advance the harmonization and interoperability of CardSpace, Liberty Federation, Liberty Web Services, OpenID, SAML 2.0, WS-Federation and WS-* specifications. More information about Liberty Alliance is available at http://www.projectliberty.org.
Trademarks
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
Entrust contributes essential PKI technology component to open source community
Entrust has supplied a royalty-free license to Sun Microsystems for a key component in an open-source PKI. Entrust’s patent covers certificate revocation list distribution points, which allow greater efficiency and reduced network traffic for managing certificate revocation lists, used to track revoked users’ security credentials and associated rights. Intellectual property issues have slowed the adoption of PKI-enabled applications among the open source community, and Entrust has now increased the value of the applications that use the enhanced open source security libraries.
Contribution of PKI technology through Sun Microsystems, Mozilla opens certificate revocation list distribution points
DALLAS, July 25–Entrust, Inc. believes that everyone deserves to be secure on the Internet. To support that goal, the layered security expert is contributing public key infrastructure (PKI) technology to the open-source community through Sun Microsystems, Inc. and the Mozilla Foundation. Specifically, Entrust will supply its certificate revocation list distribution points (CRL-DP) patent 5,699,431 to Sun under a royalty-free license for incorporation of that capability into the Mozilla open-source libraries.
“When it comes to online security, PKI really is the gold standard. If companies are going to use open-source PKI, we felt it was our duty to make sure they had the important piece of CRL-DP incorporated,” said Entrust Chairman, President and Chief Executive Officer Bill Conner. “To this day, PKI remains one of the strongest, most-trusted security infrastructures available. The ability to leverage the technology to solve a variety of security challenges makes it the cornerstone of a layered security model – regardless of its intended purpose or objective.”
Certificate revocation lists (CRL) are used to track revoked users’ security credentials and associated rights. CRL-DPs are a key aspect of secure and robust PKI deployments and allow for efficient distribution and processing of revocation lists. Specifically, CRL-DPs partition a revocation list into more manageable pieces and allow greater efficiency, improved performance and reduced network traffic.
“Having support for CRL-DPs is an increasingly essential ingredient to any PKI-enabled application,” said Karen Tegan Padir, vice president, software infrastructure Sun Microsystems. “We appreciate Entrust’s intellectual property contribution, and we are pleased to share this valuable security resource with the open-source community.”
As part of the agreement, Sun Microsystems will incorporate the CRL-DP capability into the Mozilla Network Security Services (NSS) libraries. Under the flexible Mozilla licensing scheme, users of these libraries will have access to the CRL-DP capability and may use the associated NSS code under the terms of any of the Mozilla Public License (MPL), GNU General Public License (GPL), or GNU Lesser General Public License (LGPL).
“Incorporating the CRL-DP capability into our existing NSS libraries will significantly elevate the value of the PKI-enabled applications that use these libraries,” said Frank Hecker, executive director of the Mozilla Foundation. “We are grateful Entrust wanted to participate in this offering and understands that secure technology like PKI is too important not to provide to the open-source community.”
About Entrust
Entrust secures digital identities and information for consumers, enterprises and governments in 1,650 organizations spanning 60 countries. Leveraging a layered security approach to address growing risks, Entrust solutions help secure the most common digital identity and information protection pain points in an organization. These include SSL, authentication, fraud detection, shared data protection and e-mail security. For information, call 888-690-2424, e-mail entrust@entrust.com or visit http://www.entrust.com.
Entrust is a registered trademark of Entrust, Inc. in the United States and certain other countries. In Canada, Entrust is a registered trademark of Entrust Limited. All Entrust product names are trademarks or registered trademarks of Entrust, Inc. or Entrust Limited. All other company and product names are trademarks or registered trademarks of their respective owners.
Sun, Sun Microsystems, and Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.
