Liberty Alliance

From Project VRM
Jump to navigation Jump to search

Liberty Alliance & VRM

The Liberty Alliance defines its ID-Web Services Framework (ID-WSF) for the registration, discovery, and invocation of identity services - SOAP-based web services into a user's identity.

In effect, ID-WSF provides plumbing for distributing the various identity attributes of a user (assuming/enabling that the user has approrpiate control over such sharing). Too date, Liberty has defined how ID-WSF can be used for sharing personal profile, gaming prefs, presence, geolocation, calendar, etc.

If you think of a personal RFP as just a different slice of a given user's identity, then ID-WSF could provide one (of many possible e.g. OpenID DTP) mechanism for sharing this slice in a privacy and security-enhanced manner.

I hope to fill in the specifics of how this might work on this page going forward but the bare basics are as follows:

  1. Joe maintains his RFPs at
  2. registers the fact that it is Joe's electronics RFP server at Joe's Discovery Service

  1. Joe visits by SSO'ing in from his IDP
  2. sends a SOAP call to query Joe's Discovery Service for 'VRM providers that cover electronic goods' (Joe's IDP tells where Joe's Discovery Service is)
  3. Joe's Discovery Service returns the endpoint (and appropriate credentials to use in any message sent there) in its response to
  4. sends a SOAP call to query for Joe's electronics RFPs
  5. responds (after checking permissions previously set by Joe, if unclear, it can use the Interaction Service to clarify policy with Joe) with Joe's electronics RFPs (not sending the clothing RFPs etc) formatted as an XML doc (according to VRM defined schema)
  6. parses Joe's RFP and creates appropriate offers for Joe, e.g. not showing him the iPod deal and only showing Samsung plasmas


  1. could, guided by Joe, create an RFP and push it to Joe's VRM server for future retailers.
  2. Much of ID-WSF's value (and complexity) is in ensuring that the above sequence can happen without all providers learning a single identifier for Joe, and thereby enabling subsequent collusion.
  3. the providers can 'negotiate' appropriate security characteristics of the above messages, e.g. TLS and message-level signing, or no security at all, etc
  4. Joe's VRM service (or his discovery service, etc) could be hosted on his phone etc - there is no built-in presumption of network providers
  5. Liberty's People Service would enable a 'Gift Registry' use case where Joe is able to view the RFP's of his friend Alice (assuming Alice wants this to happen).