The Liberty Alliance's circle of trust is a group of two or more businesses or service providers--banks, online retail stores or financial services companies--that share network IDs. These organizations operate under specific business agreements that dictate how they use the identities and conduct business.
The business client or consumer determines which elements of his or her identity information are shared among service providers in a circle of trust. The Liberty Alliance recommends that you notify the user about which information you're collecting. The user should give his or her consent for the ID information being exchanged among the different online sites in a circle of trust.
This "opt-in" process requires that the user agree to share information from Site A with Site B (see "Step by Step," page 63). The user confirms the information-sharing agreement on arriving at the second site (B). From that point on, a single log-on at either site signs the user on to both. That simplifies things for the user, and lets a business offer its clients ease of use and personalization features.
The circle of trust may sound a lot like Microsoft's Passport, but it's very different. First, the Liberty Alliance is producing specifications built on open standards, such as SAML (Security Assertion Markup Language), XML, HTTP and WSDL (Web Services Description Language); Passport is a proprietary Microsoft service that uses Microsoft's own sign-on protocol (Microsoft has said future versions will be built on Kerberos). Passport is tied to Microsoft's Windows and Internet Explorer platform, whereas the Liberty Alliance's standards are designed to work across any operating system and browser.
Liberty specifications aren't interoperable with Microsoft's Passport, but that doesn't mean the two won't ever meet: An ID provider acting as both a Passport site and part of a circle of trust can map between the two identity technologies (see "At Liberty To Show Your Passport," below).
The Liberty Alliance uses open standards from the World Wide Web Consortium (W3C) and the Organization for the Advancement of Structured Information Standards (OASIS) in its specs. The earlier Version 1 and 1.1 alliance specs recommend a shared "common domain," run by a third party, in which an identity provider sets a cookie recording which identity providers the user has logged on with. Any site in the circle of trust that has a host name in that common domain can read the cookie and so learn where to send the user to log on; the cookie carries only provider identifiers, not the user's identity or account data.
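The opt-in federation described under "Step by Step" and the common-domain cookie above, modelled together in a small Python example added here (not code from the article or from the Liberty Alliance specifications). Everything in it is assumed: the domain and site names, the `_liberty_idp` cookie name and base64(SHA-1) provider handles (used the way Liberty ID-FF does, from memory), and an HMAC shared between identity provider and sites in place of the XML signatures the real specifications use. The point it makes that the text does not spell out is that consent gates the creation of a link, that each site gets its own opaque pseudonym for the same user, and that the introduction cookie names providers, never people.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Assumed names for this toy circle of trust; none of them come from the article.
COMMON_DOMAIN = "cot-common.example"   # third-party domain hosting the introduction cookie
INTRO_COOKIE = "_liberty_idp"          # cookie name as in Liberty ID-FF (assumption)


def succinct_id(provider_id):
    """Short stable handle for a provider: base64(sha1(provider_id)), ID-FF style (assumption)."""
    return base64.b64encode(hashlib.sha1(provider_id.encode()).digest()).decode()


class CookieJar:
    """Browser cookie store: a site only sees cookies scoped to a domain it serves."""
    def __init__(self):
        self.store = {}                                  # domain -> {name: value}

    def set(self, domain, name, value):
        self.store.setdefault(domain, {})[name] = value

    def get(self, domain, name):
        return self.store.get(domain, {}).get(name)


class IdentityProvider:
    def __init__(self, provider_id):
        self.provider_id = provider_id
        self.key = secrets.token_bytes(32)               # MAC key shared with sites (real Liberty: XML signatures)
        self.sessions = {}                               # session token -> username
        self.federations = {}                            # (username, sp_id) -> opaque pseudonym

    def login(self, username, jar):
        """Credential check omitted; on success, note this IdP in the common-domain cookie."""
        token = secrets.token_urlsafe(24)
        self.sessions[token] = username
        me = succinct_id(self.provider_id)
        seen = [s for s in (jar.get(COMMON_DOMAIN, INTRO_COOKIE) or "").split() if s != me]
        jar.set(COMMON_DOMAIN, INTRO_COOKIE, " ".join(seen + [me]))   # most recent IdP last
        return token

    def federate(self, token, sp_id, consent):
        """Opt-in step: mint a pairwise pseudonym for (user, site) only if the user agreed."""
        if not consent:
            raise PermissionError("user declined to federate")
        username = self.sessions[token]
        return self.federations.setdefault((username, sp_id), secrets.token_urlsafe(16))

    def assertion(self, token, sp_id, ttl=300):
        """Issue a MACed single-sign-on assertion bound to one site and one pseudonym."""
        pseudonym = self.federations.get((self.sessions[token], sp_id))
        if pseudonym is None:
            raise LookupError("account not federated with " + sp_id)
        body = "|".join([self.provider_id, sp_id, pseudonym, str(int(time.time()) + ttl)])
        return body + "|" + hmac.new(self.key, body.encode(), "sha256").hexdigest()


class ServiceProvider:
    def __init__(self, sp_id, idp_id, idp_key):
        self.sp_id, self.idp_id, self.idp_key = sp_id, idp_id, idp_key
        self.accounts = {}                               # pseudonym -> local account record

    def discover_idp(self, jar):
        """Read the cookie via the site's alias in the common domain; None means 'ask the user'."""
        value = jar.get(COMMON_DOMAIN, INTRO_COOKIE)
        return value.split()[-1] if value else None

    def consume(self, assertion):
        """Verify MAC, issuer, audience and expiry before mapping the pseudonym to a local account."""
        idp_id, audience, pseudonym, expiry, mac = assertion.split("|")
        body = "|".join([idp_id, audience, pseudonym, expiry])
        expected = hmac.new(self.idp_key, body.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(mac, expected) or idp_id != self.idp_id:
            raise ValueError("assertion not from a trusted identity provider")
        if audience != self.sp_id:
            raise ValueError("assertion issued for another site")
        if int(expiry) < time.time():
            raise ValueError("assertion expired")
        return self.accounts.setdefault(pseudonym, {"pseudonym": pseudonym})


def demo():
    """Walk one user through log-on, opt-in federation with two sites and SSO; report what happened."""
    jar = CookieJar()
    idp = IdentityProvider("https://idp.example")
    site_a = ServiceProvider("https://bank.example", idp.provider_id, idp.key)
    site_b = ServiceProvider("https://shop.example", idp.provider_id, idp.key)
    token = idp.login("alice", jar)
    out = {"idp_from_cookie": site_a.discover_idp(jar)}
    try:
        idp.federate(token, site_a.sp_id, consent=False)       # user says no: no link is created
    except PermissionError:
        out["declined"] = True
    try:
        idp.assertion(token, site_a.sp_id)                      # nothing to assert before federation
    except LookupError:
        out["unfederated"] = True
    out["pseudonym_a"] = idp.federate(token, site_a.sp_id, consent=True)
    out["pseudonym_b"] = idp.federate(token, site_b.sp_id, consent=True)
    out["account_a"] = site_a.consume(idp.assertion(token, site_a.sp_id))["pseudonym"]
    good = idp.assertion(token, site_a.sp_id)
    tampered = good[:-1] + ("0" if good[-1] != "0" else "1")    # flip one MAC character
    for name, bad in (("cross_site", idp.assertion(token, site_b.sp_id)), ("tampered", tampered)):
        try:
            site_a.consume(bad)
        except ValueError:
            out[name] = True
    return out
```

Running `demo()` shows the two properties worth checking in any circle-of-trust deployment: Site A and Site B receive different pseudonyms for the same user, so neither can correlate her across the circle without her consent, and an assertion minted for Site B is rejected by Site A because the audience check fails, not merely because the MAC would differ.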