Title: The Identity Web: An Overview of the XNS Protocol
1. The Identity Web: An Overview of the XNS Protocol
- Digital Identity World
- October 10, 2002
Drummond Reed, CTO, OneName Corporation
2. Executive Summary
- The Identity Web is a new abstraction layer for cross-domain data sharing using a Web architecture of linked XML documents
- It is deployed through a federated network of identity servers using the XNS protocol
- The XNS protocol consists of
  - A URN syntax for addressing identity documents
  - 14 independent WSDL services for federated naming and directories using identity documents
- An OASIS XNS TC is under formation; we invite you to participate
3. XNS Public Trust Organization (XNSORG)
- Founded in 2000
- Licensed the rights to XNS from OneName
- Responsible for community governance of the XNS protocol and delegation to other standards organizations
- Sponsors include
4. Part 1: The Big Picture
5. The goal: a unified XML abstraction layer for naming and directory services
[Diagram: XNS Identity Services (Web architecture) layered above the existing hierarchical architecture of Naming and Addressing Services (IP, DNS) and Directory Services (LDAP, DSML)]
6. 1992: What if...
- every digital document on the Internet could be
  - Rendered in a common format
  - Exchanged using a common protocol
  - Addressed and linked using a common syntax
- The result would be
  - the World Wide Web
7. 2002: What if...
- every digital identity on the Internet could be
  - Rendered in a common format
  - Exchanged using a common protocol
  - Addressed and linked using a common syntax
- The result would be
  - the Identity Web
8. Evolution of the Identity Web
[Diagram comparing the two columns]
Digital Content (the Web):
- Logical organization and linking: Web pages (HTML) on Web servers
- Physical organization and storage: files on file servers and other content stores
Digital Transactions (Web Services):
- Logical organization and linking: digital identities (XML) on identity servers
- Physical organization and storage: directory entries on directory servers and other identity stores
9. Document linking vs. identity linking
[Diagram: document linking joins HTML documents through URIs over HTTP; identity linking joins XML identity documents through contracts over SOAP]
10. Identity linking close-up
Identity servers host XML documents representing attributes associated with an identity. These documents can be virtual, i.e., the physical data can be stored in lower-layer systems.
Each link with another identity is defined by a subdocument inside the identity document.
A link can contain any number of contracts, each defining a set of data shared with the other identity and the applicable security, privacy, and synchronization permissions.
Links create trusted, bidirectional data pipes between any two XNS identities anywhere.
[Diagram: two identity hosts, each holding an identity document with identity attributes; the documents are joined by an identity link whose contracts each carry their own permissions]
11. Contract structure
[Diagram: Identity Document > Link (one per relationship) > Contract (one per agreement), where each contract holds General Terms, Purpose, Policy references, Attribute references, Permissions, and a Signature]
A link object can contain any number of contract objects covering different data purposes.
Each contract states the terms, purpose, and applicable policies (policy references use URNs).
Contracts reference the attributes they cover using URNs.
Permission objects are extensible to model any type of privacy policy (opt-out, opt-in, opt-over) in any legal jurisdiction. They also cover access control and synchronization.
Contracts are signed and stored by both parties for auditing and non-repudiation.
12. Federating identity servers
[Diagram: identity servers exchanging XML identity documents with each other across a trust boundary; an identity client receives the results as plain text, WML, HTML, or XML]
13. Federated identity service applications
- Identity Addressing: persistent global addressing (URNs), logical naming, cross-domain mapping
- Security Management: cross-domain authentication (SSO), authorization, access control, auditing
- Privacy Management: permission management, regulatory compliance
- Data Sharing: schema sharing, versioning, intelligent forms, receipts
- Linking and Synchronization: persistent links, chain of authority, workflow
14. Part 2: The XNS Protocol
15. XNS in the enterprise stack
[Diagram: the logical layer progresses from Web (HTML over HTTP) and Web Portal (HTML and Cookies over HTTP) to Web Services (XML over SOAP) and Identity Web Services (XNS over SOAP), with browser IDs and application IDs under a logical identity root; the physical layer is each domain's application, persistence, enterprise security, enterprise directory, and enterprise integration tiers under an enterprise identity root]
16. XNS in the SOAP stack
- Service Interaction / Orchestration: WSCL, ebXML, XLANG, WSFL, BTP
- Business Registry: ebXML RR, UDDI
- Security: XKMS, XRML, XML Encryption, XML Signature, SAML
- Security Protocols: WS-Security
- Service Description: WS-Inspection, WSDL
- Intermediary Services: WS-Routing
- Identity Protocols: XNS
- Transport Services / Encapsulation / Reliability: DIME, WS-Reliability, HTTPR, BXXP, ebXML TRP
- Messaging Protocols: SOAP v1.1, SOAP v1.2, DIME + SOAP, SOAP w/Attachments
- Transport Protocol: HTTP, HTTPS, IIOP/S, FTP, SMTP, UDP, MQ, JMS
Original source: IONA SOAP Interop website (http://www.xmlbus.com/interop/img/SoapBuildersInteropRoadmap.gif)
17. Design requirements
- Logical persistent addressing
- Cross-domain mapping of identities and data
- Logical schema sharing and versioning
- Dictionaries of shareable, reusable data definitions
- Logical security and privacy controls
- Federation and delegation across domains
- Logical exchange, linking, and synchronization
- Scalable, extensible peer-to-peer data sharing
18. Enterprise directory services
The n-to-n hierarchical mapping problem when crossing domains
[Diagram: an enterprise domain with an enterprise identity root above several directory servers, each with its own directory tree]
19. Metadirectory services
[Diagram: a meta-domain with a meta-identity root and a metadirectory server holding a metadirectory tree, mapped onto the directory trees of several directory servers]
20. Federated identity services
[Diagram: a logical domain with a logical identity root; identity servers hold identity trees joined to each other by links, and each identity tree is mapped onto the directory tree of a directory server]
21. Specifications
- A persistent addressing (URN) syntax for identity documents
- 14 WSDL services for
  - Addressing identity documents
  - Reading and writing attributes from identity documents
  - Obtaining and asserting identity credentials (a special form of attributes)
  - Forming contracts between identity documents
- Bindings to transport protocols (e.g., SOAP)
22. The XNS Base Services
[Diagram: the XNS base services arranged in four columns (Naming and Addressing Services, Identity Document Management Services, Data Sharing and Linking Services, Trust Management Services) and three levels: foundation services (ID, Name); Core, Discovery, Hosting, Data, Folder, Session, Negotiation, Authentication, Certification; and higher-level services (Directory, Introduction, Reputation). Legend: not defined in XNS 1.0 specifications]
23. Naming and Addressing services
[Same service diagram as slide 22, highlighting the Naming and Addressing Services column: ID, Name]
24. ID and Name services
XNS ID and Name services provide persistent addresses (URNs) on top of existing DNS and IP addresses (URLs) for abstraction of identity.
[Diagram: an identity name and ID (URNs) are resolved by the XNS Identity Service to domain names (URLs) served by the Domain Name Service, which resolve to IP addresses served by the IP Address Service, each leading to a resource]
25. Context-appropriate identifiers
- Anonymity is required for privacy-friendly personalization
- Pseudonymity is required for permission-based sharing of identity across domains
- Veronymity (true identity) is required for many personal and business transactions
- XNS addressing supports all three
26. Identity Document Management services
[Same service diagram as slide 22, highlighting the Identity Document Management Services column: Core, Discovery, Hosting, Data, Folder, Directory]
27. Treating identities as XML documents
- Core defines the XNS abstract schemas
- Discovery defines the XNS metaschema vocabulary and enables location of schema instances
- Hosting adds/deletes/moves identity documents at a host identity (network endpoint)
- Data gets/sets identity data (attributes) within an identity document
- XNS identity addressing enables efficient global resolution of every attribute and attribute version
28. Directory services at the identity layer
- Folder provides directory services internal to an identity document
  - Similar to the folder function of file systems
- Directory (coming in 1.x) will provide directory services across a community of identity documents
  - Will enhance LDAP/DSML functions with XNS addressing, messaging, assertion, and linking
  - Will integrate XQL and XPath-based queries
29. Data Sharing and Linking services
[Same service diagram as slide 22, highlighting the Data Sharing and Linking Services column: Session, Negotiation, Introduction]
30. The negotiation process
1) The data subscriber sends an XNS form definition (essentially a template contract) to the data publisher.
2) The data publisher processes the form based on the principal's attributes and preferences and negotiates the contract.
3) Both parties sign the contract and store a copy in their link.
[Diagram: data subscriber and data publisher, each with an identity document holding attributes and policies or preferences; the subscriber's schema definition and form definition (1) are processed by the publisher (2), and the resulting contract with its permissions is stored in both parties' identity link (3)]
31. The synchronization process
1) When the principal updates an attribute, the data publisher checks to see which contracts reference that attribute.
2) If the contract specifies a push, the publishing identity composes an XNS Set message and attaches a SAML assertion.
3) The data subscriber authenticates the message and triggers processing of the updated attribute.
[Diagram: data publisher and data subscriber, each with an identity document; the updated attribute (1) is matched against the contracts and permissions in the link (2) and pushed to the subscriber, which updates its copy of the attribute (3)]
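The link/contract/permission structure from slides 10 and 11 and the three-step synchronization process above, modelled as an added example (not XNS schema or OneName's reference implementation; the URNs, field names, and the HMAC used as a stand-in for the signed SAML assertion are assumptions):

```python
# Constructed model of an XNS-style identity document (link -> contracts -> permissions)
# and its push-synchronization flow; not XNS schema or OneName's code. The URNs, field
# names and the HMAC standing in for a signed SAML assertion are assumptions.
import hashlib, hmac, json
from dataclasses import dataclass, field
SHARED_KEY = b"constructed-demo-key"   # placeholder for trust material shared by both parties
EMAIL = "urn:example:attr:email"       # hypothetical attribute URN

@dataclass
class Contract:
    purpose: str
    attributes: list   # URNs of the attributes this contract covers
    permissions: dict  # e.g. {"sync": "push"}; anything else means no push
@dataclass
class Link:            # one per relationship with another identity
    peer: str          # URN of the other identity
    contracts: list = field(default_factory=list)
@dataclass
class IdentityDocument:
    urn: str
    attributes: dict   # attribute URN -> value
    links: list = field(default_factory=list)

def _assertion(body, key):
    """Stand-in for the SAML assertion: HMAC over the canonical message body."""
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def publish_update(doc, attr_urn, value, key=SHARED_KEY):
    """Steps 1-2: store the value, then compose a Set message for each peer whose contract references it and permits push."""
    doc.attributes[attr_urn] = value
    out = {}
    for link in doc.links:
        for c in link.contracts:
            if attr_urn in c.attributes and c.permissions.get("sync") == "push":
                body = {"from": doc.urn, "op": "Set", "attribute": attr_urn, "value": value}
                out[link.peer] = {"body": body, "assertion": _assertion(body, key)}
    return out

def receive_set(subscriber, msg, key=SHARED_KEY):
    """Step 3: authenticate the assertion before applying the attribute."""
    if not hmac.compare_digest(_assertion(msg["body"], key), msg["assertion"]):
        return False  # tampered or unauthenticated update is dropped
    subscriber.attributes[msg["body"]["attribute"]] = msg["body"]["value"]
    return True

def build_sample():  # constructed data: one push peer and one pull-only peer
    pub = IdentityDocument("urn:example:id:alice", {EMAIL: "alice@old.example"})
    pub.links.append(Link("urn:example:id:bob", [Contract("contact", [EMAIL], {"sync": "push"})]))
    pub.links.append(Link("urn:example:id:carol", [Contract("billing", [EMAIL], {"sync": "pull"})]))
    return pub
```

Only the peer whose contract both references the attribute and permits push receives a Set message, and a message whose body no longer matches its assertion is rejected before the subscriber's copy is touched.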
32. Trust Management services
[Same service diagram as slide 22, highlighting the Trust Management Services column: Authentication, Certification, Reputation]
33. XNS, SAML, and PKI
- In XNS, credentials are identity attributes
- XNS Trust Management services standardize methods for obtaining and asserting these attributes
- The payload of these messages is SAML assertions
- Certification service is a solution to distributed key management
- Reputation service can supplement trust decisions with community feedback
34. Application services
[Diagram: extensibility of the XNS base services (ID, Name, Core, Discovery, Hosting, Data, Folder, Session, Negotiation, Authentication, Certification, Directory, Introduction, Reputation) by example application services such as SSO, Contact, Wallet, and Calendar]
35. Conclusion
- XNS can provide the digital identity protocol necessary for Web services
- It can help solve a wide variety of enterprise and Internet data sharing problems
- OneName has released an open source Java reference implementation (client and server)
- An OASIS TC is under formation
- We invite you to participate
36. Appendix
37. Interoperability evolution
[Diagram: interoperability across three platforms: PC (DOS; standalone DOS applications), LAN (NOS; Windows applications, groupware such as Lotus Notes and MS Exchange, file servers and email servers) and Internet (TCP/IP; Web, Internet email, instant messaging, Web services applications), with the corresponding progression from registry services to directory services to identity services, culminating in identity coordination of interoperable applications]
38. Identity services: the 3 essential leaps
- Registry Services (PC): data model: hierarchical registry; deployment architecture: file system; standard protocol: Windows API
- Directory Services (LAN): data model: hierarchical directory (X.500); deployment architecture: directory or metadirectory server; standard protocol: LDAP, DSML
- Identity Services (Internet): data model: Web (linked XML documents); deployment architecture: federated identity server network; standard protocol: XNS
39. The identity services layer
[Diagram: layers between pure identity (actors) at the top and pure data (bits) at the bottom: a presentation tier (servlets on a Web server, a SOAP server, and other protocols); an identity-processing tier (identity server running XNS and identity apps); a business-processing tier (application server running apps); and a persistence tier (directory server reached over LDAP/DSML, metadirectory, relational database server, object database server)]
40. Identity network node distribution
[Chart: number of nodes versus number of links per node; very many nodes have only a few links, and a few hubs have large numbers of links]
Source: Albert-László Barabási, Linked: The New Science of Networks, p. 71, Perseus Publishing, 2002
41. Directory protocol evolution
[Chart: number of nodes with k links versus number of links (k), placing directory services (LDAP) and metadirectory services (DSML) toward the hub-and-spoke architecture and identity services (XNS) toward the Web architecture]