search

 The Identity Web An Overview of XNS and the OASIS XRI TC


The Identity Web 
An Overview of XNS and the OASIS XRI TC 

XML WG

December 17, 2002 

Marc LeMaitre 
VP Technology Strategy, OneName Corporation

Goals of this presentation 

Introduce the idea of the Identity Web 
Provide you with its motivating forces 
Compare and contrast it to the WWW 
Introduce you to eXtensible Name Service (XNS) 
Give you an update on XNS in standards 

1992: What if… 

…every digital document on the Internet could be:

Rendered in a common format 
Exchanged using a common protocol 
Addressed and linked using a common syntax 

The result would be…

…the World Wide Web

Evolution of content on the WWW 

(Diagram: file servers holding files inside an enterprise domain; web servers map those files to web pages (HTML); HTML links connect the web pages into a logical domain that spans the enterprise boundaries.)

Enterprise directory services issues 

(Diagram: several directory servers, each holding its own directory tree under an enterprise identity root inside its enterprise domain.)

The n-to-n hierarchical mapping problem when crossing domains

Meta-directory service issues 

(Diagram: several directory servers with their own directory trees; a metadirectory server holds a metadirectory tree under a meta-identity root in a meta-domain, with a separate map from each directory tree into the metadirectory tree.)

2002: What if… 

…every digital identity on the Internet could be:

Rendered in a common format 
Exchanged using a common protocol 
Addressed and linked using a common syntax 

The result would be…

…an Identity Web

The leap to a Web architecture for Identity 

(Diagram: directory servers with their directory trees remain inside each enterprise domain; an identity server in each domain maps its directory tree to an identity tree; links between identity trees form a logical domain under a logical identity root.)

The Web Identity Tree 

Abstract Root (XML Schema) 

Identity Roots (XML Identity Documents) 

Links 

Flat, like the Web 
All relationships are created by linking, like the Web 
Distributed control and management, like the Web 

Document linking vs. identity linking 

(Diagram: HTML documents are linked to one another by URIs; XML identity documents are linked to one another by contracts.)

Federating identity servers 

(Diagram: an identity client sits behind a trust boundary and talks to a federation of identity servers; the servers exchange XML among themselves, and the client-facing output is rendered as plain text, WML, HTML, or XML.)

Identity linking close up 

(Diagram: two identity hosts, each holding an identity document with identity attributes and a link; each link holds contracts, each with its permissions; an identity link joins the two hosts.)

Identity hosts manage XML documents representing attributes associated with an identity. These identity documents can be "virtual", i.e., the physical data can be stored in lower-layer systems. 

Each link with another identity is defined by a subdocument inside the identity document. 

A link can contain any number of contracts, each defining a set of data shared with the other identity and the applicable security, privacy, and synchronization permissions. 

Links create trusted, bidirectional data "pipes" between any two XNS identities anywhere.

Contract structure 

Identity Document 
  Link (one per relationship) 
    Contract (one per agreement) 
      Attribute references 
      Purpose 
      General Terms 
      Policy references 
      Permissions 
      Signature 

Permission objects are extensible to model any type of privacy policy (opt-out, opt-in, opt-over, using any type of Rights Markup Language (RML)) in any legal jurisdiction. They also cover access control and synchronization. 

A link object can contain any number of contract objects covering different data and purposes. 

Each contract states the terms, purpose, and applicable policies (policy references use URNs). 

Contracts reference the attributes they cover using URNs. 

Contracts are signed and stored by both parties for auditing and non-repudiation.

Permission objects 

Permission 

Access and synch permissions 

Controls:
Permission type (disclosure, contact, retention) 
Purpose (human-readable) 
Parties (for disclosure) 

Privacy/usage permissions 

Controls:
Access to data 
Persistent Get and Set permissions for data 

The negotiation process 

(Diagram: the data subscriber holds an identity document with attributes, a schema definition and a form definition; the data publisher holds an identity document with attributes, policies and preferences; each side stores a link with the contract and its permissions, joined by an identity link.)

1) The data subscriber sends an XML form definition (essentially a template contract) to the data publisher. 

2) The data publisher processes the form based on the publisher's attributes and preferences and negotiates the contract. 

3) Both parties "sign" the contract and store a copy in their link. 

The synchronization process 

(Diagram: the data publisher's identity document holds Attribute 1 and Attribute 2 plus a link with the contract and its permissions; the data subscriber's identity document holds its copy of the link, contract and permissions and receives Attribute 2.)

1) When the publisher updates an attribute, they check to see which contracts reference that attribute. 

2) If the contract specifies a push, the publishing identity composes a Set message and attaches an assertion. 

3) The data subscriber authenticates the message and triggers processing of the updated attribute. 
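The contract, negotiation and synchronization slides above describe one flow: a contract references attributes by URN and carries permissions, both parties sign it and store a copy in their link, and an attribute update is pushed as a Set message with an assertion that the subscriber authenticates before processing. The following Python model is an added illustration written for this page; it is not XNS or OneName code, and the deck does not define the XNS wire format. It assumes a per-party signing key and a per-link shared secret, uses HMAC-SHA256 as a stand-in for the contract signatures and the Set-message assertion, and leaves out the form-definition exchange of negotiation step 1. The attribute URNs, key values and party names are constructed sample data.

```python
"""Toy model of XNS-style links, contracts and push synchronisation.
Added example, not XNS code. HMAC stands in for signatures/assertions."""
import copy
import hashlib
import hmac
import json
from dataclasses import dataclass, field


def _mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


@dataclass
class Contract:
    contract_id: str
    purpose: str                 # human-readable purpose (contract structure slide)
    attribute_refs: tuple        # URNs of the attributes this contract covers
    permissions: dict            # urn -> {"get": bool, "set": bool, "push": bool}
    signatures: dict = field(default_factory=dict)   # party -> signature

    def canonical(self) -> bytes:
        # Signatures cover the terms, not the signature map itself.
        return json.dumps({"id": self.contract_id, "purpose": self.purpose,
                           "attrs": list(self.attribute_refs),
                           "perms": self.permissions}, sort_keys=True).encode()


def sign_contract(contract: Contract, party: str, key: bytes) -> None:
    contract.signatures[party] = _mac(key, contract.canonical())


def countersigned(contract: Contract, keys: dict) -> bool:
    """Negotiation step 3: every party's signature verifies over the same terms."""
    return all(hmac.compare_digest(contract.signatures.get(p, ""),
                                   _mac(k, contract.canonical()))
               for p, k in keys.items())


@dataclass
class Link:
    peer: str
    link_key: bytes              # assumption: shared secret behind the assertion
    contracts: dict = field(default_factory=dict)   # contract_id -> Contract


def compose_set_messages(links: dict, urn: str, value) -> list:
    """Sync steps 1-2: find contracts referencing the attribute and emit an
    asserted Set message for each one whose permissions specify push."""
    out = []
    for link in links.values():
        for c in link.contracts.values():
            if urn in c.attribute_refs and c.permissions[urn].get("push"):
                body = {"contract": c.contract_id, "attribute": urn, "value": value}
                payload = json.dumps(body, sort_keys=True).encode()
                out.append({"to": link.peer, "body": body,
                            "assertion": _mac(link.link_key, payload)})
    return out


def receive_set(links: dict, sender: str, msg: dict, attributes: dict) -> str:
    """Sync step 3: authenticate, then check the subscriber's own copy of the
    contract grants Set on that attribute before applying the update."""
    link = links.get(sender)
    if link is None:
        return "unknown-link"
    payload = json.dumps(msg["body"], sort_keys=True).encode()
    if not hmac.compare_digest(msg["assertion"], _mac(link.link_key, payload)):
        return "bad-assertion"
    c = link.contracts.get(msg["body"]["contract"])
    urn = msg["body"]["attribute"]
    if c is None or urn not in c.attribute_refs or not c.permissions[urn].get("set"):
        return "not-permitted"
    attributes[urn] = msg["body"]["value"]
    return "applied"


def demo() -> tuple:
    # Constructed sample: Alice publishes her e-mail to Bob under one contract.
    urn_email, urn_phone = "urn:example:attr:email", "urn:example:attr:phone"
    keys = {"alice": b"alice-signing-key", "bob": b"bob-signing-key"}
    link_key = b"alice-bob-link-secret"
    contract = Contract("c-1", "newsletter delivery", (urn_email,),
                        {urn_email: {"get": True, "set": True, "push": True}})
    sign_contract(contract, "alice", keys["alice"])
    sign_contract(contract, "bob", keys["bob"])
    assert countersigned(contract, keys)
    # Each party stores its own copy of the signed contract in its link.
    alice_links = {"bob": Link("bob", link_key, {"c-1": copy.deepcopy(contract)})}
    bob_links = {"alice": Link("alice", link_key, {"c-1": copy.deepcopy(contract)})}
    bob_view = {}
    no_msgs = compose_set_messages(alice_links, urn_phone, "555-0100")  # uncovered
    msgs = compose_set_messages(alice_links, urn_email, "alice@example.com")
    applied = receive_set(bob_links, "alice", msgs[0], bob_view)
    # A modified body no longer matches the assertion and is rejected.
    tampered = {**msgs[0], "body": {**msgs[0]["body"], "value": "mallory@example.com"}}
    rejected = receive_set(bob_links, "alice", tampered, bob_view)
    return len(no_msgs), applied, bob_view[urn_email], rejected


if __name__ == "__main__":
    print(demo())
```

Two checks in `receive_set` matter for a defender: the assertion is verified before anything in the body is trusted, and the permission test runs against the subscriber's own stored copy of the contract rather than anything the message claims, which is the point of both parties keeping a signed copy.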

Recap… 

The Identity Web is a new abstraction layer for cross-domain data sharing using a Web architecture of linked XML documents 
Linked documents contain contracts controlling the flow and usage of data negotiated by the controlling identities 
It is deployed through a federated network of identity servers 

Introduction to eXtensible Name Service 

How to build an Identity Web

XNS design requirements 

Logical persistent addressing 
  Enable application- and domain-independent mapping of resource identities and their associated data 
  A resource is anything that can be represented on a network (person, organization, machine, application, etc.) 
Logical schema sharing and versioning 
  Dictionaries of shareable, reusable data definitions 
Logical security and privacy controls 
  Enables federation and delegation across domains 
Logical exchange, linking, and synchronization 
  Scalable, extensible peer-to-peer data sharing 

XNS consists of: 

A syntax for addressing XML identity docs using eXtensible Resource Identifiers (XRIs) 
14 WSDL service modules for federated naming and directory services using XRIs and XML identity docs 
A considerable amount of thinking about how to support a REST architecture like the Web 

XNS Public Trust Organization (XNSORG) 

Founded in 2000 
Licensed the rights to XNS from OneName 
Published XNS 1.0 specs on July 10, 2002 
Responsible for community governance of XNS and delegation of specifications to other standards organizations 
Sponsors include:
