The Identity Web: An Overview of the XNS Protocol (PowerPoint presentation transcript)

1
The Identity Web: An Overview of the XNS Protocol
  • Digital Identity World
  • October 10, 2002

Drummond Reed, CTO, OneName Corporation
2
Executive Summary
  • The Identity Web is a new abstraction layer for
    cross-domain data sharing using a Web
    architecture of linked XML documents
  • It is deployed through a federated network of
    identity servers using the XNS protocol
  • The XNS protocol consists of
    • A URN syntax for addressing identity documents
    • 14 independent WSDL services for federated naming
      and directories using identity documents
  • An OASIS XNS TC is under formation; we invite you
    to participate

3
XNS Public Trust Organization (XNSORG)
  • Founded in 2000
  • Licensed the rights to XNS from OneName
  • Responsible for community governance of the XNS
    protocol and delegation to other standards
    organizations
  • Sponsors include

4
Part 1: The Big Picture
5
The goal: a unified XML abstraction layer for
naming and directory services
[Diagram: Web architecture row: XNS providing Identity Services across both columns; hierarchical architecture row: IP and DNS under Naming and Addressing Services, LDAP and DSML under Directory Services.]
6
1992: What if
  • every digital document on the Internet could be
    • Rendered in a common format
    • Exchanged using a common protocol
    • Addressed and linked using a common syntax
  • The result would be the World Wide Web

7
2002: What if
  • every digital identity on the Internet could be
    • Rendered in a common format
    • Exchanged using a common protocol
    • Addressed and linked using a common syntax
  • The result would be the Identity Web

8
Evolution of the Identity Web
[Diagram: two parallel stacks. Digital Content (the Web): file servers and other content stores hold files (physical organization and storage); web servers serve web pages (HTML) (logical organization and linking). Digital Transactions (Web Services): directory servers and other identity stores hold directory entries; identity servers serve digital identities (XML).]
9
Document linking vs. identity linking
[Diagram: document linking, where HTML documents reference each other by URI over HTTP, contrasted with identity linking, where XML identity documents are linked by URIs and contracts over SOAP.]
10
Identity linking close up
[Diagram: two identity hosts, each holding an identity document with identity attributes; the identity link between them consists of a link object on each side holding contracts and permissions.]
Identity servers host XML documents representing
attributes associated with an identity. These
documents can be virtual, i.e., the physical
data can be stored in lower-layer systems.
Each link with another identity is defined by a
subdocument inside the identity document.
A link can contain any number of contracts, each
defining a set of data shared with the other
identity and the applicable security, privacy,
and synchronization permissions.
Links create trusted, bidirectional data pipes
between any two XNS identities anywhere.
11
Contract structure
A link object can contain any number of contract
objects covering different data purposes.
[Diagram: nesting of the contract structure]
  • Identity Document
    • Link (one per relationship)
      • Contract (one per agreement)
        • General Terms
        • Purpose
        • Policy references
        • Attribute references
        • Permissions
        • Signature
Each contract states the terms, purpose, and
applicable policies (policy references use URNs).
Contracts reference the attributes they cover
using URNs.
Permission objects are extensible to model any
type of privacy policy (opt-out, opt-in,
opt-over) in any legal jurisdiction. They also
cover access control and synchronization.
Contracts are signed and stored by both parties
for auditing and non-repudiation.
12
Federating identity servers
[Diagram: identity servers exchanging XML documents with one another across a trust boundary; an identity client receives plain text, WML, HTML, or XML.]
13
Federated identity service applications
  • Identity Addressing: persistent global addressing (URNs), logical
    naming, cross-domain mapping
  • Security Management: cross-domain authentication (SSO), authorization,
    access control, auditing
  • Privacy Management: permission management, regulatory compliance
  • Data Sharing: schema sharing, versioning, intelligent forms,
    receipts
  • Linking & Synchronization: persistent links, chain of authority, workflow
14
Part 2: The XNS Protocol
15
XNS in the enterprise stack
[Diagram: logical layer, from browser to application: Web (HTML over HTTP), Web Portal (HTML & Cookies over HTTP), Web Services (XML over SOAP), Identity Web Services (XNS over SOAP), with a browser ID, an application ID, and a logical identity root. Physical layer, per domain: enterprise security, enterprise directory, enterprise integration, application, and persistence, under an enterprise identity root.]
16
XNS in the SOAP stack
  • Service Interaction / Orchestration: WSCL, ebXML, XLANG, WSFL, BTP
  • Business Registry: ebXML RR, UDDI
  • Security: XKMS, XRML, XML Encryption, XML Signature, SAML
  • Security Protocols: WS-Security
  • Service Description: WS-Inspection, WSDL
  • Intermediary Services: WS-Routing
  • Identity Protocols: XNS
  • Transport Services (encapsulation, reliability): DIME, WS-Reliability,
    HTTPR, BXXP, ebXML TRP
  • Messaging Protocols: SOAP v1.1, SOAP v1.2, DIME SOAP, SOAP w/Attachments
  • Transport Protocol: HTTP, HTTPS, IIOP/S, FTP, SMTP, UDP, MQ, JMS
Original source: IONA SOAP Interop website
(http://www.xmlbus.com/interop/img/SoapBuildersInteropRoadmap.gif)
17
Design requirements
  • Logical persistent addressing
  • Cross-domain mapping of identities and data
  • Logical schema sharing and versioning
  • Dictionaries of shareable, reusable data
    definitions
  • Logical security and privacy controls
  • Federation and delegation across domains
  • Logical exchange, linking, and synchronization
  • Scalable, extensible peer-to-peer data sharing

18
Enterprise directory services
The n-to-n hierarchical mapping problem when
crossing domains
[Diagram: an enterprise domain with an enterprise identity root over three directory servers, each with its own directory tree.]
19
Metadirectory services
[Diagram: a meta-domain with a meta-identity root and a metadirectory server holding a metadirectory tree, mapped onto three directory servers and their directory trees.]
20
Federated identity services
[Diagram: a logical domain with a logical identity root; three identity servers, each holding an identity tree and connected to the others by links, each mapped onto a directory server and its directory tree.]
21
Specifications
  • A persistent addressing (URN) syntax for identity
    documents
  • 14 WSDL services for
    • Addressing identity documents
    • Reading and writing attributes from identity
      documents
    • Obtaining and asserting identity credentials (a
      special form of attributes)
    • Forming contracts between identity documents
  • Bindings to transport protocols (e.g., SOAP)

22
The XNS Base Services
[Diagram: the 14 XNS base services arranged in four columns (Naming & Addressing Services, Identity Document Management Services, Data Sharing & Linking Services, Trust Management Services) and three tiers (foundation services: ID and Name; core services; higher-level services). The services are ID, Name, Core, Discovery, Hosting, Data, Negotiation, Session, Authentication, Folder, Directory, Introduction, Certification, and Reputation; those not defined in the XNS 1.0 specifications are marked.]
23
Naming & Addressing services
[Diagram: the XNS base services grid (as on slide 22), introducing the Naming & Addressing Services column: ID and Name.]
24
ID and Name services
XNS ID and Name services provide persistent
addresses (URNs) on top of existing DNS and IP
addresses (URLs) for abstraction of identity.
[Diagram: three resolution layers: the XNS Identity Service maps an identity name and ID (URNs) onto domain names, the Domain Name Service maps domain names onto IP addresses, and the IP Address Service maps IP addresses (URLs) onto resources.]
25
Context-appropriate identifiers
  • Anonymity is required for privacy-friendly
    personalization
  • Pseudonymity is required for permission-based
    sharing of identity across domains
  • Veronymity (true identity) is required for many
    personal and business transactions
  • XNS addressing supports all three

26
Identity Document Management services
[Diagram: the XNS base services grid (as on slide 22), introducing the Identity Document Management Services column.]
27
Treating identities as XML documents
  • Core defines the XNS abstract schemas
  • Discovery defines the XNS metaschema vocabulary
    and enables location of schema instances
  • Hosting adds/deletes/moves identity documents at
    a host identity (network endpoint)
  • Data gets/sets identity data (attributes) within
    an identity document
  • XNS identity addressing enables efficient global
    resolution of every attribute and attribute
    version

28
Directory services at the identity layer
  • Folder provides directory services internal to an
    identity document
    • Similar to the folder function of file systems
  • Directory (coming in 1.x) will provide directory
    services across a community of identity documents
    • Will enhance LDAP/DSML functions with XNS
      addressing, messaging, assertion, and linking
    • Will integrate XQL and XPath-based queries

29
Data Sharing & Linking services
[Diagram: the XNS base services grid (as on slide 22), introducing the Data Sharing & Linking Services column.]
30
The negotiation process
[Diagram: a data subscriber and a data publisher, each with an identity document (attributes; the publisher's also holds policies and preferences) and a link; the subscriber's schema definition and form definition (1) are processed by the publisher (2), and the resulting contract with its permissions is stored in the identity link on both sides (3).]
1) The data subscriber sends an XNS form
definition (essentially a template contract) to
the data publisher.
2) The data publisher processes the form based on
the principal's attributes and preferences and
negotiates the contract.
3) Both parties sign the contract and store a
copy in their link.
31
The synchronization process
[Diagram: a data publisher and a data subscriber, each with an identity document holding attributes (Attribute 1, Attribute 2) and a link holding a contract with permissions; an updated attribute flows (1) through the publisher's contract check, (2) as a Set message to the subscriber, and (3) into the subscriber's copy of the attribute.]
1) When the principal updates an attribute, the
data publisher checks to see which contracts
reference that attribute.
2) If the contract specifies a push, the
publishing identity composes an XNS Set message
and attaches a SAML assertion.
3) The data subscriber authenticates the message
and triggers processing of the updated attribute.
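The contract structure from slide 11 and the synchronization steps above, worked through as an added Python example (not code from the deck or from OneName's reference implementation): a minimal link/contract model, the publisher's contract lookup and push decision, and the subscriber's authenticate-then-apply check. The field names and URNs are constructed, and an HMAC over the message body stands in for the SAML assertion the slide describes.

```python
import hashlib, hmac, json
from dataclasses import dataclass, field
# Constructed model of the "Contract structure" slide; field names are assumptions, not the XNS 1.0 schema.
@dataclass
class Contract:
    purpose: str
    attribute_refs: list      # URNs of the attributes this contract covers
    permissions: dict         # e.g. {"sync": "push"}; anything else is treated as pull
@dataclass
class Link:
    peer: str                 # URN of the other identity in the relationship
    contracts: list = field(default_factory=list)
@dataclass
class IdentityDocument:
    urn: str
    attributes: dict
    links: list = field(default_factory=list)

def make_assertion(key, body):  # HMAC over the canonical body stands in for the SAML assertion
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def contracts_referencing(doc, attr_urn):
    # Step 1: the publisher finds every (link, contract) that references the updated attribute.
    return [(lk, c) for lk in doc.links for c in lk.contracts if attr_urn in c.attribute_refs]

def compose_set_message(doc, link, contract, attr_urn, key):
    # Step 2: only a push contract triggers a Set message (assumption: one key shared per link).
    if contract.permissions.get("sync") != "push":
        return None
    body = {"from": doc.urn, "to": link.peer, "attr": attr_urn, "value": doc.attributes[attr_urn]}
    return {"body": body, "assertion": make_assertion(key, body)}

def subscriber_receive(sub, msg, key):
    # Step 3: authenticate first, then require a contract with the sender that covers the attribute.
    body = msg["body"]
    if not hmac.compare_digest(make_assertion(key, body), msg["assertion"]):
        return False
    covered = any(body["attr"] in c.attribute_refs
                  for lk in sub.links if lk.peer == body["from"] for c in lk.contracts)
    if not covered:
        return False
    sub.attributes[body["attr"]] = body["value"]
    return True

# Constructed sample identities; the URNs are placeholders, not real XNS addresses.
EMAIL = "urn:xns:example:alice/email"
CONTRACT = Contract("newsletter", [EMAIL], {"sync": "push"})
PUBLISHER = IdentityDocument("urn:xns:example:alice", {EMAIL: "alice@example.com"},
                             [Link("urn:xns:example:shop", [CONTRACT])])
SUBSCRIBER = IdentityDocument("urn:xns:example:shop", {}, [Link("urn:xns:example:alice", [CONTRACT])])
```

A tampered body, a pull-only contract, or an attribute no contract with the sender covers all stop short of updating the subscriber's document.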
32
Trust Management services
[Diagram: the XNS base services grid (as on slide 22), introducing the Trust Management Services column.]
33
XNS, SAML, and PKI
  • In XNS, credentials are identity attributes
  • XNS Trust Management services standardize methods
    for obtaining and asserting these attributes
  • The payloads of these messages are SAML assertions
  • Certification service is a solution to
    distributed key management
  • Reputation service can supplement trust decisions
    with community feedback

34
Application services
[Diagram: extensibility: example application services (SSO, Contact, Wallet, Calendar) layered on top of the 14 XNS base services.]
35
Conclusion
  • XNS can provide the digital identity protocol
    necessary for Web services
  • It can help solve a wide variety of enterprise
    and Internet data sharing problems
  • OneName has released an open source Java
    reference implementation (client and server)
  • An OASIS TC is under formation
  • We invite you to participate

36
Appendix
37
Interoperability evolution
[Table: columns PC / LAN / Internet]
  • Platform: DOS / NOS / TCP/IP
  • Standalone applications: DOS applications / file servers and email servers / Web, Internet email, instant messaging
  • Interoperable applications: Windows applications / groupware (Lotus Notes, MS Exchange) / Web services applications
  • Identity coordination: registry services / directory services / identity services
38
Identity services: the 3 essential leaps
[Table: columns Registry Services (PC) / Directory Services (LAN) / Identity Services (Internet)]
  • Data model: hierarchical registry / hierarchical directory (X.500) / Web (linked XML documents)
  • Deployment architecture: file system / directory or metadirectory server / federated identity server network
  • Standard protocol: Windows API / LDAP, DSML / XNS
39
The identity services layer
[Diagram: layers from pure identity (actors) down to pure data (bits). Presentation: servlets on a web server, a SOAP server, or other protocols. Identity processing: an identity server running ID apps, speaking XNS. Business processing: apps on an application server, with a metadirectory reached over DSML. Persistence: a directory server reached over LDAP, a relational database server, and an object database server.]
40
Identity network node distribution
[Plot: number of nodes against number of links per node: very many nodes with only a few links, a few hubs with large numbers of links.]
Source: Albert-László Barabási, Linked: The New
Science of Networks, p. 71, Perseus Publishing,
2002
41
Directory protocol evolution
[Plot: number of nodes with k links against number of links (k), placing directory services (LDAP), metadirectory services (DSML), and identity services (XNS) along the curve between the hub-and-spoke architecture and the Web architecture.]