(EKMI) Defining symmetric key management protocols ... - Oasis


What do OpenID, Higgins, I-Names, and XDI Have in Common?

An OASIS Webinar on XRI and XRDS

May 6, 2008

Gabe Wachob, XRI TC Co-Chair
Paul Trevithick, The Higgins Project
Drummond Reed, XRI TC Co-Chair
John Bradley, ooTao, OpenID
Les Chasen, NeuStar XRI GRS
Markus Sabadello, XDI.org

What do OpenID, Higgins, i-names, and XDI have in common?

They all use two new OASIS technologies you may not even have heard of yet.

How did these specifications already become key building blocks of the Internet identity layer? What problems do they solve? Where do they fit with the work of other OASIS Technical Committees?

That's what we'll cover today...

OASIS XRI Technical Committee

Formed January 2003

XRI (Extensible Resource Identifier)
- A new type of Internet identifier (URI) designed expressly for digital identity
- An open standard for abstract structured identifiers
  - Abstract, i.e., identifiers upon which discovery can be performed
  - Structured, i.e., a syntactic framework for expressing identifiers
- "XML for identifiers"

XRDS (Extensible Resource Descriptor Sequence)
- A simple, extensible service discovery format for XRIs or URLs
- The logical equivalent of a DNS resource record at the XRI layer of identification
- The discovery format used by OpenID 2.0, OAuth, and Higgins

[Diagram: identifier layers]
- Abstract Identifier Layer: reassignable XRI "i-names" and persistent XRI "i-numbers" (synonyms of each other), described by an XRDS document obtained through XRDS resolution
- Concrete Identifier Layer: URI/IRI, Domain Name, IP Address, Local Path/Query, TN (Telephone Number), and other concrete identifier types

Examples of XRI i-names

Human-friendly reassignable identifiers
- =gmw
- =用例
- @boeing
- @cordance*drummond.reed
- +flower
- $xml

Examples of XRI i-numbers

Persistent identifiers (never reassigned)
- =!7a42.cd93.40f4.18e5
- =!7a42.cd93.40f4.18e5!283
- @!b3a7.5537.9fea.31ec
- +!3792
- +!3792!14

Examples of XRI cross-references

Identifiers reused across contexts
- =(mailto:gabe.wachob@gmail.com)
- =(http://equalsdrummond.name)
- @(http://boeing.com)
- @cordance*(urn:isbn:0-395-36341-1)
- +flower*(http://en.wikipedia.org/rose)

Examples of XRIs transformed into URIs

XRI Syntax 2.0 defines a strict transformation of an XRI into an IRI and URI
- xri://=drummond.reed
- xri://=%E7%94%A8%E4%BE%8B
- xri://@!b3a7.5537.9fea.31ec!133
- xri://=(mailto:gabe.wachob@gmail.com)
- xri://@cordance*(urn:isbn:0-395-36341-1)
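The three example slides above (i-names, i-numbers, cross-references) and the URI transformation can be exercised with a small parser. This is an added example, not code from the XRI TC or this presentation; it classifies an XRI by its delimiters and reproduces the percent-encoded xri:// forms shown on the slide, but implements only the non-ASCII encoding step (XRI Syntax 2.0 has further escaping rules for characters inside cross-references that these examples do not need).

```python
# Added example (not code from the XRI TC or this presentation): split an XRI
# into its global context symbol (GCS) and subsegments, classify it, and build
# the xri:// URI form by percent-encoding non-ASCII characters as UTF-8.
from urllib.parse import quote

GCS = {"=": "personal", "@": "organizational", "+": "generic tag", "$": "specific tag"}

def split_xri(xri):
    """Return (gcs, [(delimiter, value), ...]); '*' = reassignable, '!' = persistent.
    A leading subsegment with no delimiter counts as '*'; a parenthesised
    cross-reference is kept whole as one value."""
    if not xri or xri[0] not in GCS:
        raise ValueError(f"no global context symbol in {xri!r}")
    gcs, rest, subsegs, i = xri[0], xri[1:], [], 0
    while i < len(rest):
        delim = "*"
        if rest[i] in "*!":
            delim, i = rest[i], i + 1
            if i == len(rest):
                raise ValueError(f"dangling delimiter in {xri!r}")
        j = i
        if rest[i] == "(":  # cross-reference: scan to the matching ')'
            depth = 0
            while j < len(rest):
                depth += {"(": 1, ")": -1}.get(rest[j], 0)
                if depth == 0:
                    break
                j += 1
            if depth != 0:
                raise ValueError(f"unbalanced cross-reference in {xri!r}")
            j += 1
        else:
            while j < len(rest) and rest[j] not in "*!(":
                j += 1
        subsegs.append((delim, rest[i:j]))
        i = j
    return gcs, subsegs

def classify(xri):
    gcs, subsegs = split_xri(xri)
    if any(v.startswith("(") for _, v in subsegs):
        return GCS[gcs], "cross-reference"
    if all(d == "!" for d, _ in subsegs):
        return GCS[gcs], "i-number (persistent)"
    if all(d == "*" for d, _ in subsegs):
        return GCS[gcs], "i-name (reassignable)"
    return GCS[gcs], "mixed reassignable/persistent"

def to_uri(xri):
    """XRI -> IRI -> URI: ASCII reserved/unreserved chars stay, the rest is UTF-8 percent-encoded."""
    return "xri://" + quote(xri, safe="!*'();:@&=+$,/?#[]")
```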

Example XRDS document

<XRDS xmlns="xri://$xrds">
  <XRD xmlns="xri://$xrd*($v*2.0)">
    <!-- Query and synonyms -->
    <Query>*example</Query>
    <Expires>2005-05-30T09:30:10Z</Expires>
    <ProviderID>xri://=</ProviderID>
    <EquivID>xri://=example.name</EquivID>
    <CanonicalID>xri://=!7c4.58ff.7c9a.e285</CanonicalID>
    <!-- Service #1 -->
    <Service priority="10">
      <Type>xri://$res*auth*($v*2.0)</Type>
      <URI>http://res.example.com/=!7c4.58ff.7c9a.e285/</URI>
    </Service>
    <!-- Service #2 -->
    <Service priority="10">
      <Type>http://openid.net/server/1.0</Type>
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <Path>+openid</Path>
      <URI>http://authn.example.com/openid/</URI>
    </Service>
  </XRD>
</XRDS>

The XRI 2.0 specifications

XRI Syntax 2.0
- Explicit syntax for reassignable and persistent identifiers
- Global context symbols
- Cross-references for identifier reuse across contexts
- Flexible delegation at all levels of hierarchy
- Lossless transformation into IRI and URI forms

XRI Resolution 2.0
- HTTP(S)-based resolution protocol
- XRDS: simple XML discovery document format
- Synonym management and verification
- Service endpoint selection logic
- Redirect and Ref processing

Why have XRI and XRDS already become key building blocks of the Internet identity layer?

"Not only have XRI and XRDS become an integral part of OpenID 2.0, but the XRI technical community is now a strong part of the OpenID community."
Bill Washburn, Executive Director, OpenID Foundation

"XRI and XRDS have become essential elements of the Higgins Project. Without them, we couldn't fully implement the abstract data model that is the heart of Higgins and the key to user-controlled identity and data sharing."
Paul Trevithick, Higgins Project Lead

Where are XRI and XRDS being used today?
- OpenID 2.0
- OAuth Discovery
- Higgins Project
- XDI.org i-name/i-number registries
- XDI data sharing

Case Study: the top 3 problems XRI/XRDS solved for OpenID 2.0
- Extensible service discovery
- OpenID recycling
- Automatic secure resolution

http://middleware.internet2.edu/idtrust/2008/papers/01-reed-openid-xri-xrds.pdf

What is OpenID?
- An open community specification for user-centric Internet authentication
- Based on the concept that users can have their own globally-resolvable identifiers and OpenID authentication providers
- Primary use case: eliminate the need for different usernames and passwords at every website

[Diagram: OpenID authentication flow, steps 1-5, between the User, the Relying Party (RP) and the OpenID Provider (OP); the RP discovers the user's identifier =drummond.reed through its XRDS document]

Problem #1: Extensible service discovery
- OpenID 2.0 needed to describe which OpenID versions an OpenID identifier supports
- Also which OpenID extensions it supports (SREG, AX, PAPE, etc.)
- And which other services may be available (e.g., OAuth, SAML, XDI)
- And it needed redundant, prioritized OpenID provider endpoint URLs

Solution: XRDS documents
- Simple, standard discovery format
- Can be hosted on any blog, web server, IdM system, etc.
- Easily extensible using new URIs or XRIs to define service types
- Can be extended with elements from any other namespace
<XRDS xmlns="xri://$xrds" xmlns:openid="http://openid.net/xmlns/1.0">
  <XRD xmlns="xri://$xrd*($v*2.0)">
    <Query>*example</Query>
    <Expires>2005-05-30T09:30:10Z</Expires>
    <ProviderID>xri://=</ProviderID>
    <CanonicalID>xri://=!7c4.58ff.7c9a.e285</CanonicalID>
    <Service>
      <Type>xri://$res*auth*($v*2.0)</Type>
      <URI>http://res.example.com/=!7c4.58ff.7c9a.e285/</URI>
    </Service>
    <Service priority="10">
      <Type>http://openid.net/server/1.0</Type>
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <Path>+openid</Path>
      <URI>http://authn.example.com/openid/</URI>
      <URI>https://secure-authn.example.com/openid/</URI>
      <openid:delegate>http://example.com/bob</openid:delegate>
    </Service>
  </XRD>
</XRDS>
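The "Example XRDS document" slide and the Problem #1 document above both carry several <Service> elements with multiple <Type>s, a priority attribute and more than one <URI>. The following added example (not code from the presentation or from any OpenID library) shows the endpoint-selection step a relying party performs over such a document; the XRDS it parses is constructed from the slide's example, with priorities and URIs rearranged so that each rule is visible.

```python
# Added example (not code from the presentation or any OpenID library): the
# endpoint-selection step of OpenID 2.0 discovery over an XRDS document,
# filtering <Service> elements by <Type>, ordering by the priority attribute
# (lower value wins) and preferring an https <URI> when several are listed.
# The XRDS below is constructed from the slide's example.
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"
SERVER_1_0 = "http://openid.net/server/1.0"
SIGNON_2_0 = "http://specs.openid.net/auth/2.0/signon"

SAMPLE_XRDS = """<XRDS xmlns="xri://$xrds" xmlns:openid="http://openid.net/xmlns/1.0">
  <XRD xmlns="xri://$xrd*($v*2.0)">
    <Query>*example</Query>
    <CanonicalID>xri://=!7c4.58ff.7c9a.e285</CanonicalID>
    <Service priority="10">
      <Type>http://openid.net/server/1.0</Type>
      <URI>http://authn.example.com/openid/</URI>
    </Service>
    <Service priority="20">
      <Type>http://openid.net/server/1.0</Type>
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>http://authn2.example.com/openid/</URI>
      <URI>https://secure-authn.example.com/openid/</URI>
      <openid:delegate>http://example.com/bob</openid:delegate>
    </Service>
  </XRD>
</XRDS>"""

def select_endpoint(xrds_xml, service_type, require_https=False):
    """Return the URI an RP should contact for service_type, or None if none fits."""
    tag = lambda name: f"{{{XRD_NS}}}{name}"
    candidates = []
    for svc in ET.fromstring(xrds_xml).iter(tag("Service")):
        if service_type not in [t.text for t in svc.findall(tag("Type"))]:
            continue
        uris = [u.text.strip() for u in svc.findall(tag("URI")) if u.text]
        if require_https:
            uris = [u for u in uris if u.startswith("https://")]
        if uris:
            # a Service without a priority attribute is treated as least preferred
            candidates.append((int(svc.get("priority", 2**31)), uris))
    if not candidates:
        return None
    _, uris = min(candidates, key=lambda c: c[0])
    return next((u for u in uris if u.startswith("https://")), uris[0])
```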

Problem #2: OpenID recycling
- With usernames/passwords, usernames can be recycled
- The service provider controls the binding with the credential
- With OpenID, that's no longer true
- The user controls the binding to the credential!
- Losing control of the identifier = losing control of the credential

Solution: persistent synonyms
- Bind a recyclable OpenID identifier with a non-recyclable (persistent) identifier, e.g., an XRI i-number
- Always authenticate based on the persistent i-number
- Treat the recyclable identifier as only a temporary handle for the i-number
- The user always stays protected
<XRDS xmlns="xri://$xrds">
  <XRD xmlns="xri://$xrd*($v*2.0)">
    <Query>*example</Query>
    <Expires>2005-05-30T09:30:10Z</Expires>
    <ProviderID>xri://=</ProviderID>
    <CanonicalID>xri://=!7c4.58ff.7c9a.e285</CanonicalID>
    <Service>
      <Type>xri://$res*auth*($v*2.0)</Type>
      <URI>http://res.example.com/=!1234.5678.a1b2.c3d4/</URI>
    </Service>
    <Service>
      <Type>http://openid.net/openid/1.1</Type>
      <Type>http://openid.net/openid/2.0</Type>
      <Path>+openid</Path>
      <URI>http://authn.example.com/openid/</URI>
    </Service>
  </XRD>
</XRDS>
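What "always authenticate based on the persistent i-number" means for a relying party can be shown in code. The following is an added example, not code from the presentation: the RP keys its accounts on the <CanonicalID> carried by the XRDS and treats the i-name only as the handle the user typed. The XRDS documents are constructed stand-ins for XRI resolution, and the example trusts the CanonicalID it receives, skipping the synonym verification that XRI Resolution 2.0 requires before an RP may rely on it.

```python
# Added example (not code from the presentation): a relying party that keys
# its accounts on the persistent CanonicalID (the XRI i-number) and treats
# the reassignable i-name as a temporary handle. The XRDS documents are
# constructed stand-ins for XRI resolution; the example trusts the
# CanonicalID as received and omits the synonym verification that XRI
# Resolution 2.0 requires before an RP may rely on it.
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"

def resolve_stub(query, canonical):
    """Constructed XRDS for the i-name `query`, bound to the i-number `canonical`."""
    return (f'<XRDS xmlns="xri://$xrds"><XRD xmlns="{XRD_NS}"><Query>{query}</Query>'
            f'<CanonicalID>{canonical}</CanonicalID></XRD></XRDS>')

def canonical_id(xrds_xml):
    el = ET.fromstring(xrds_xml).find(f".//{{{XRD_NS}}}CanonicalID")
    if el is None or not (el.text or "").strip():
        raise ValueError("XRDS carries no CanonicalID; refusing to bind an account")
    return el.text.strip()

class RelyingParty:
    def __init__(self):
        self.accounts = {}  # CanonicalID -> account record

    def login(self, iname, xrds_xml):
        """Authenticate by i-number; the i-name is only recorded as the handle used."""
        cid = canonical_id(xrds_xml)
        account = self.accounts.setdefault(cid, {"first_iname": iname, "logins": 0})
        account["logins"] += 1
        account["last_iname"] = iname
        return cid

def scenario():
    rp = RelyingParty()
    alice = rp.login("=example", resolve_stub("*example", "xri://=!7c4.58ff.7c9a.e285"))
    # =example is later recycled: resolution now yields someone else's i-number,
    # so the new holder lands in a fresh account instead of inheriting Alice's
    other = rp.login("=example", resolve_stub("*example", "xri://=!1234.5678.a1b2.c3d4"))
    # Alice changes her i-name but keeps her i-number, so she keeps her account
    again = rp.login("=example.new", resolve_stub("*example.new", "xri://=!7c4.58ff.7c9a.e285"))
    return alice, other, again, rp.accounts
```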

Problem #3: Automatic secure resolution
- OpenID could not specify HTTPS resolution for all OpenID URLs
- Too many users do not have access to HTTPS certs or infrastructure
- Thus the default had to be HTTP
- This forces users with HTTPS URLs to type the entire string, e.g., https://my.openid.identifier.tld

Solution: XRI secure resolution
- As abstract identifiers, XRIs always map to concrete identifiers
- This mapping process (XRI resolution) offers three trusted modes: HTTPS, SAML, or both
- So XRI i-names used as OpenIDs can use HTTPS resolution as the default
- No need for users to know/do anything

XRI and XRDS are also building blocks for other identity solutions
- OAuth: XRDS discovery format
- Higgins Project: context discovery and resolution
- XDI.org XRI registries: i-name/i-number registries & resolution
- SAML and Information Cards: privacy-protected identifier claims

What is the relationship of XRI and XRDS with other OASIS TCs and the IDtrust Member Section?

XDI (XRI Data Interchange)
- The XDI controlled data sharing protocol is based entirely on XRIs
- A globally addressable RDF graph where the address of every node is an RDF statement structured as an XRI: subject-xri / predicate-xri / object-xri
- Enables a simple portable authorization format called XDI link contracts

ORMS (Open Reputation Management Services)
- Newest TC in the OASIS IDtrust member section
- Will define neutral, vendor-independent specs for exchanging reputation data
- XRI and XDI TC members participating
  - XRI for durable subject identifiers
  - XDI for controlled data sharing

PKI-Related TCs
- Digital Signature Services eXtended (DSS-X): advancing new profiles for the DSS OASIS Standard
- Enterprise Key Management Infrastructure (EKMI): defining symmetric key management protocols
- Public Key Infrastructure (PKI) Adoption: advancing the use of digital certificates as a foundation for managing access to network resources and conducting electronic transactions

Conclusion
- Abstract structured identifiers offer 3 key features for the Internet identity layer
  - Simple, safe, strong identifiers
  - Simple, extensible, secure service discovery
  - Interoperability between multiple identity protocols and frameworks
- XRI and XRDS are building blocks everyone can use

Contact us
- Gabe Wachob, XRI TC Co-Chair: http://xri.net/=gmw, gabe.wachob@wachob.com
- Drummond Reed, XRI TC Co-Chair: http://xri.net/=drummond.reed, drummond.reed@cordance.net
- Wikipedia: http://en.wikipedia.org/XRI, http://en.wikipedia.org/XRDS

- Learn through the IDtrust Knowledgebase of educational materials and background on the standards
- Share news, events, presentations, white papers, product listings, opinions, questions, and recommendations through postings, blogs, forums, and directories.
- Collaborate with others online through a wiki interface

http://idtrust.xml.org


Q&A

What is the relationship of XRI to URNs?
- Uniform Resource Names are specified by IETF RFC 2141
- They are persistent (non-recyclable) identifiers
- XRI combines both URNs and HFNs (human-friendly names) in one syntax and resolution protocol

What is the relationship of XRI to the Handle System?
- Handle is a persistent object identifier system developed by CNRI
- Specified in RFCs 3650, 3651, 3652
- Handle does not include HFNs or other structured identifier features of XRI
- Handle does not use XML or HTTP for resolution

Does XRI introduce new Internet namespaces?
- Yes. Although it can describe and reuse many types of existing identifiers, it also includes four formal namespaces at the XRI level of identification
  - = for personal identifiers
  - @ for organizational identifiers
  - + for generic tags
  - $ for specific tags

Does the XRI TC specify public registry services?
- No, the scope of the XRI TC is limited to the technical specifications for XRI and specified XRIs (the $ space)
- XDI.org, a member of the XRI TC, offers public XRI registry services
- XDI.org is a completely separate non-profit organization

What IPR applies to XRI and XRDS?
- The TC operates under the OASIS "RF on Limited Terms" mode (standard royalty-free terms)
- This has been mandatory from the TC's original charter
- XDI.org made the initial contribution of IPR for what was then called XNS when the TC was formed in 2003

How does Higgins use XRI and XRDS?
- Higgins uses an abstract data model to access data in different contexts (distributed repositories)
- XRI is used for addressing contexts and entities within contexts
- XRDS is used to resolve the metadata a Higgins component needs to open a Higgins context

What open source implementations of XRI and XRDS are available?
- OpenXRI (Java): http://www.openxri.org
- Barx (Ruby): http://xrisoft.org
- MyXDI (C++): http://www.ootao.com