The Identity Web An Overview of XNS and the OASIS XRI TC

Similar documents
ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

Web Services Registry Web Service Interface Specification

CA SiteMinder Web Services Security

Web Services, ebxml and XML Security

SAML-Based SSO Solution

Federated Web Services with Mobile Devices

The Business of Identity: Business Drivers and Use Cases of Identity Web Services

UDDI, ebxml,, WSIL, XRI, WSDM (and the GRID) Matthew J. Dovey Technical Manager Oxford University e-science e

SAML-Based SSO Solution

National Identity Exchange Federation. Terminology Reference. Version 1.0

Security Assertions Markup Language (SAML)

Chapter 17 Web Services Additional Topics

ArcGIS Server and Portal for ArcGIS An Introduction to Security

OASIS Standards Development Supporting Identity Management, Privacy and Trust in Cloud Computing Services

Project Moonshot. IETF 77, Anaheim. Sam Hartman, Painless Security LLC Josh Howlett, JANET(UK) Image Viatour Luc (

Federated Identity Manager Business Gateway Version Configuration Guide GC

Setting Up Resources in VMware Identity Manager. VMware Identity Manager 2.8

Global Reference Architecture: Overview of National Standards. Michael Jacobson, SEARCH Diane Graski, NCSC Oct. 3, 2013 Arizona ewarrants

IT Privacy Certification Outline of the Body of Knowledge (BOK) for the Certified Information Privacy Technologist (CIPT)

Federation Metadata Document Structure Proposal

Identity Provider for SAP Single Sign-On and SAP Identity Management

INTEGRATED SECURITY SYSTEM FOR E-GOVERNMENT BASED ON SAML STANDARD

BELNET R&E federation Technical policy

Unity Connection Version 10.5 SAML SSO Configuration Example

National Identity Exchange Federation. Web Services System- to- System Profile. Version 1.1

TECHNICAL GUIDE SSO SAML. At 360Learning, we don t make promises about technical solutions, we make commitments.

DEPLOYING MULTI-TIER APPLICATIONS ACROSS MULTIPLE SECURITY DOMAINS

Enterprise SOA Experience Workshop. Module 8: Operating an enterprise SOA Landscape

Canadian Access Federation: Trust Assertion Document (TAD)

F O U N D A T I O N. OPC Unified Architecture. Specification. Part 1: Concepts. Version 1.00

Security and Certificates

Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1

CA SiteMinder Federation

Some Notes on Metadata Interchange

The Platform for Privacy Preferences (P3P) A user empowerment approach. ETH Zurich. Marc Langheinrich APPEL Subgroup Chair P3P Working Group

Privacy Enabled Identity Management for C2 Systems

SOLUTION ARCHITECTURE AND TECHNICAL OVERVIEW. Decentralized platform for coordination and administration of healthcare and benefits

New trends in Identity Management

Setting Up Resources in VMware Identity Manager

Oracle Cloud Using the MailChimp Adapter. Release 17.3

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

ActiveVOS Technologies

70-742: Identity in Windows Server Course Overview

IT Privacy Certification Outline of the Body of Knowledge (BOK) for the Certified Information Privacy Technologist (CIPT)

Dictionary Driven Exchange Content Assembly Blueprints

Identity management. Tuomas Aura T Information security technology. Aalto University, autumn 2011

Intercloud Security. William Strickland COP 6938 Fall 2012 University of Central Florida 10/08/2012

Web Services Registry Web Service Interface Specification

Request for Comments: ISSN: S. Cantor Shibboleth Consortium August 2018

SOA-20: The Role of Policy Enforcement in SOA Management

Kerberos Revisited Quantum-Safe Authentication

A RESTful Approach to Identity-based Web Services

Single Sign-On. Introduction

Oracle Utilities Opower Solution Extension Partner SSO

Oracle Fusion Middleware

RID IETF Draft Update

Sentinet for BizTalk Server SENTINET

VMware Horizon 7 Administration Training

Web 3.0 Overview: Interoperability in the Web dimension (1) Web 3.0 Overview: Interoperability in the Web dimension (2) Metadata

Introduction to Identity Management Systems

Send and Receive Exchange Use Case Test Methods

Novell Access Manager

Canadian Access Federation: Trust Assertion Document (TAD)

These are suggestions not policy. It is one approach that may help us understand

Oracle Insurance IStream

TRUST IDENTITY. Trusted Relationships for Access Management: AND. The InCommon Model

Oracle Cloud Using the Microsoft Adapter. Release 17.3

Information Network I Web 3.0. Youki Kadobayashi NAIST

Existing Healthcare Standards

Identität und Autorisierung als Grundlage für sichere Web-Services. Dr. Hannes P. Lubich IT Security Strategist

Chapter 10: Application Layer CCENT Routing and Switching Introduction to Networks v6.0

CA IdentityMinder. Glossary

Prescription Monitoring Program Information Exchange (PMIX) Architecture. Version 1.0. April 2012

FPKIPA CPWG Antecedent, In-Person Task Group

Unified Communications Manager Version 10.5 SAML SSO Configuration Example

Quality of service issues for world-wide mobile telephony

CA CloudMinder. SSO Partnership Federation Guide 1.51

Extending Services with Federated Identity Management

Cirius Secure Messaging Single Sign-On

Canadian Access Federation: Trust Assertion Document (TAD)

TECHNICAL GUIDE SSO SAML Azure AD

Canadian Access Federation: Trust Assertion Document (TAD)

Data Use and Reciprocal Support Agreement (DURSA) Overview

Copyright

Schedule Identity Services

Lesson 13 Securing Web Services (WS-Security, SAML)

Proposed Revisions to ebxml Technical. Architecture Specification v1.04

Nimsoft Service Desk. Single Sign-On Configuration Guide. [assign the version number for your book]

Who s Protecting Your Keys? August 2018

Course Outline 20742B

Glossary of Exchange Network Related Groups

OpenID Cloud Identity Connector. Version 1.3.x. User Guide

Canadian Access Federation: Trust Assertion Document (TAD)

Oracle Insurance IStream

CA CloudMinder. SSO Partnership Federation Guide 1.53

Oracle Fusion Middleware

MOC 6232A: Implementing a Microsoft SQL Server 2008 Database

Chapter 8 Web Services Objectives

Oracle Cloud Using the Adobe esign Adapter. Release 17.3

70-487: Developing Windows Azure and Web Services

Transcription:

The Identity Web An Overview of XNS and the OASIS XRI TC XML WG December 17, 2002 Marc LeMaitre VP Technology Strategy OneName Corporation

Goals of this presentation Introduce the idea of the Identity Web Provide you with it s motivating forces Compare and contrast it to the WWW Introduce you to extensible Name Service (XNS) Give you an update on XNS in standards 1

1992: What if every digital document on the Internet could be: Rendered in a common format Exchanged using a common protocol Addressed and linked using a common syntax The result would be the World Wide Web 2

Evolution of content on the WWW Logical domain Web Pages Web (HTML) Pages HTML Link Web Pages Web (HTML) Pages HTML Link Web Pages Web (HTML) Pages Web Server Web Server Web Server Map Map Map Files Files File Server Files File Server File Server Files Files File Server Files File Server File Server Files Files File Server Files File Server File Server Enterprise domain 3

Enterprise directory services issues Enterprise identity root The n-to-n hierarchical mapping problem when crossing domains Directory Directory Server Directory Directory Server Directory Directory Server Enterprise domain 4

Meta-directory service issues Meta-identity root Meta-domain Map Metadirectory Metadirectory Server Map Map Directory Directory Server Directory Directory Server Directory Directory Server 5

2002: What if every digital identity on the Internet could be: Rendered in a common format Exchanged using a common protocol Addressed and linked using a common syntax The result would be an Identity Web 6

The leap to a Web architecture for Identity Logical identity root Logical domain Identity Identity Server Map Link Link Identity Identity Server Map Identity Identity Server Map Directory Directory Directory Server Directory Server Directory Directory Server Directory Directory Directory Server Directory Server Directory Directory Server Directory Directory Directory Server Directory Server Directory Directory Server Enterprise domain 7

The Web Identity Abstract Root (XML Schema) Identity Roots (XML Identity Documents) Links Flat like the Web All relationships are created by linking like the Web Distributed control and management like the Web 8

Document linking vs. identity linking HTML HTML XML XML URI URI Contract Contract Contract HTML HTML XML XML URI URI URI Contract Contract Contract 9

Federating identity servers Identity server Identity server XML XML XML XML XML XML Trust boundary XML XML XML XML XML XML Identity server Identity server Identity client XML HTML WML Plain Text 10

Identity linking close up Identity Host Identity Host Identity Document Identity Document Identity Attributes Identity Attributes Identity hosts manage XML documents representing attributes associated with an identity. These identity documents can be virtual, i.e., the physical data can be stored in lower-layer systems. Link Contract Permissions Contract Permissions Identity Link Link Contract Permissions Contract Permissions Each link with another identity is defined by a subdocument inside the identity document. A link can contain any number of contracts, each defining a set of data shared with the other identity and the applicable security, privacy, and synchronization permissions. Links create trusted, bidirectional data pipes between any two XNS identities anywhere. 11

Contract structure Identity Document Link (one per relationship) Contract (one per agreement) General Terms Purpose Policy references Attribute references Permissions Signature A link object can contain any number of contract objects covering different data & purposes. Each contract states the terms, purpose, and applicable policies (policy references use URNs). Contracts reference the attributes they cover using URNs. Permission objects are extensible to model any type of privacy policy (opt-out, opt-in, opt-over using any type of Rights Markup Language (RML)) in any legal jurisdiction. They also cover access control and synchronization. Contracts are signed and stored by both parties for auditing and non-repudiation. 12

Permission objects Permission Controls: Privacy/usage Permissions Permission type (disclosure, contact, retention) Purpose (human-readable) Parties (for disclosure) Access and synch Permissions Controls: Access to data Persistent Get and Set permissions for data 13

The negotiation process Data Publisher Identity Document Attributes Data Subscriber Identity Document Attributes 1) The data subscriber sends an XML form definition (essentially a template contact) to the data publisher. Preferences 2 Link 1 3 Policies Schema Def Form Def Link 2) The data publisher processes the form based on the publisher s attributes and preferences and negotiates the contract. Contract Permissions Identity Link Contract Permissions 3) Both parties sign the contract and store a copy in their link. 14

The synchronization process Data Publisher Identity Document Attributes Data Subscriber Identity Document Attributes 1) When the publisher updates an attribute, they check to see which contracts reference that attribute. 1 Attribute 1 Attribute 2 Link Attribute 2 3 Link 2) If the contract specifies a push, the publishing identity composes a Set message and attaches an assertion. Contract Permissions 2 Contract Permissions 3) The data subscriber authenticates the message and triggers processing of the updated attribute. 15

Recap.. The Identity Web is a new abstraction layer for cross-domain data sharing using a Web architecture of linked XML documents Linked documents contain contracts controlling the flow and usage of data negotiated by the controlling identities It is deployed through a federated network of identity servers 16

Introduction to extensible Name Service How to build an Identity Web

XNS design requirements Logical persistent addressing Enable application- and domain-independent mapping of resource identities and their associated data A resource is anything that can be represented on a network person, organization, machine, application etc) Logical schema sharing and versioning Dictionaries of shareable, reusable data definitions Logical security and privacy controls Enables federation and delegation across domains Logical exchange, linking, and synchronization Scalable, extensible peer-to-peer data sharing 18

XNS consists of: A syntax for addressing XML identity docs using extensible Resource Identifiers (XRIs) 14 WSDL service modules for federated naming and directory services using XRIs & XML identity docs A considerable amount of thinking about how to support a REST architecture like the Web 19

XNS Public Trust Organization (XNSORG) Founded in 2000 Licensed the rights to XNS from OneName Published XNS 1.0 specs on July 10, 2002 Responsible for community governance of XNS and delegation of specifications to other standards organizations Sponsors include: 20

The XNS 1.0 Specifications

XNS 1.0: a two-part specification Part 1 Identity addressing An XML-based URI and URN syntax for addressing identity documents called extensible Resource Identifiers XRIs Embrace the benefits of URNs Independent of application Independence of transport type Independence of resource type Extend the benefits of combined URIs and URNs 22

XRIs extend the benefits of URIs and URNs Human readable and memorable identifiers Some subset should be human friendly Permanent identifiers Persist beyond the life of a particular network representation Privacy-protected identifiers For people and their PII (blinding/obfuscation/non triangulation) Cross-referenceable identifiers Representing the same logical, well-known resource across physical domains or locations Versionable identifiers Managing state across multiple instances of a resource at different network locations Federated identifiers Manage identifiers that are delegated between authorities Linked data Link physically-disparate data of an identified resource into logical data objects 23

XRIs support many-to-one relationships Identity Name ID Identity Name ID Identity Name ID XRI To support anonymity and pseudonymity, many XNS names can resolve to an XNS ID and many XNS IDs can resolve to an identity. Domain Name IP Address Resource 24

The OASIS XRI TC First step in XNS standardization process OASIS Call for Participation issued Dec. 6 First meeting January 9, 2003 Will focus on specifications for the URI and URN format of an XNS address (called an XRI Extensible Resource Identifier) Charter participants include AMD, Cisco, Novell, Visa International, EDS, Gemplus, Nomura Research, Wave Systems, OneName, XNSORG 25

XNS 1.0: a two-part specification Part 2 Identity Services A suite of WSDL services for: Registering/resolving identity document addresses Reading and writing attributes from identity documents Obtaining and asserting identity credentials (a special form of attribute) Forming contracts between identity documents Ongoing work to simplify these services to fit into a REST architecture 26

The XNS WSDL services suite Trust Authentication Session Certification Reputation* Linking Classification Data Management Addressing Negotiation Folder Data Name Introduction* Directory* Hosting ID Description Discovery Core Addressing Syntax XRN XRI * Not defined in XNS 1.0 specifications 27

Treating identities as XML documents Core defines the XNS abstract schemas Discovery defines the XNS metaschema vocabulary and enables location of schema instances Hosting adds/deletes/moves identity documents at a host identity (network endpoint) Data gets/sets identity data (attributes) within an identity document XRI addressing enables efficient global resolution of every attribute and attribute version 28

Directory services at the identity layer Folder provides directory services internal to an identity document Similar to the folder function of file systems Directory (coming in 2003) will provide directory services across a community of identity documents Will enhance LDAP/DSML functions with XNS addressing, messaging, assertion, and linking Will integrate XQL and XPath-based queries 29

XNS, SAML, and PKI In XNS, credentials are identity attributes XNS Trust Management services standardize methods for obtaining and asserting these attributes The payload of these messages are SAML assertions Certification service is a solution to distributed key management Reputation service can supplement trust decisions with community feedback 30

Conclusion XNS services and XRI addressing can provide the digital identity infrastructure necessary for Web services The same set of services can be tailored to serve in a REST-based architecture XNS helps solve a wide variety of enterprise and Internet data sharing problems The OASIS XRI TC begins its work on January 9, 2003 We would like to extend an invitation to all OASIS members to participate 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback