XNS: Unifying Identity, Security, Privacy (PowerPoint presentation transcript)

1
XNS: Unifying Identity, Security, Privacy
  • CMU Workshop on the Relationship between Privacy
    and Security
  • May 29-30, 2002

Drummond Reed
Director, XNSORG (drummond.reed@xns.org, www.xns.org)
CTO, OneName Corporation (drummond.reed@onename.com, www.onename.com)
2
Topics
  • Background
  • The Relationship of Identity, Security, and
    Privacy
  • Modeling these Relationships in XML
  • Overview of the XNS Technical Specifications
  • Q&A

3
Background
  • eXtensible Name Service (XNS) originated in 1999
    as a DNS for identity
  • OneName originally licensed the XNS protocol to
    the XNS Public Trust Organization (XNSORG) in
    Sept. 2000
  • A number of companies were attracted by its
    potential to solve Web-wide identity problems
  • After restructuring the license and charter,
    XNSORG is preparing to release the first public
    specifications for XNS by mid-year

4
Identity, security, and privacy
  • Identity: data controllers
  • Security: control of data access and modification
    (create, read, update, delete, etc.)
  • Privacy: control of data usage (retention,
    disclosure, marketing, aggregation, etc.)
5
The control relationships
[Diagram: two identities, each the data controller of its own data; the privacy relationship runs between the identities, the security relationship between each data controller and its data.]
6
Security controls: authentication, authorization,
access
[Diagram: the same two-identity figure, with the security controls placed between each data controller and its data.]
7
Privacy controls: preferences, policies, and
permissions
[Diagram: the same figure, with preferences, policies, and permissions placed on the privacy relationship between the two identities.]
8
Modeling these relationships in XML
  • The fundamental design of XNS is to model all
    these relationships using XML in a distributed,
    federated architecture like DNS
  • Key concepts
    • Identity documents
    • Identity addresses
    • Identity links
    • Identity transactions
    • The identity Web

9
Identity trees
[Diagram: an example identity tree]
Identity Root
  Attributes
    Contact info
      Work, Home: Address, Email, Phone
    Travel preferences
      Car Rentals
      Airlines: Carriers, Seating
10
Identity documents
An identity document is an identity tree
serialized as an XML document. An identity agent
is the software process managing this document.
[Diagram: an identity tree of complex attributes, each containing simple attributes, serialized as one XML identity document.]
11
Identity addresses
An identity address is a reference from one
identity tree to another.
[Diagram: two identity trees, one holding an address that points into the other.]
12
Address persistence: URNs
In a name service, names reference attributes
directly, so if a name changes, references break.
In an identity service, names reference IDs
(URNs) which never change, so references based
on URNs persist even if a name changes.
[Diagram: Name → Attribute (name service) beside Name → ID (URN) → Attribute (identity service).]
13
Address privacy: many to one
To prevent triangulation (unauthorized
cross-correlation), many names can map to one ID,
and many IDs to one identity attribute.
[Diagram: several Names → several IDs (URNs) → one Attribute.]
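The two resolution models on slides 12 and 13, carried through as an added Go example that is not part of the presentation or of any XNS specification: a plain name service that binds names straight to attribute values, beside an identity service that binds names to URNs and URNs to attributes. The in-memory maps, the sample names and the "urn:xns:id:..." identifiers are invented for the illustration; the real XNS services are WSDL-defined SOAP services, which this code does not model.

```go
package main

import (
	"errors"
	"fmt"
)

// Added illustration of slides 12 and 13, not XNS specification code: the
// in-memory maps, the sample names and the urn:xns:... form are invented.

// NameService models a plain name service: a name resolves straight to an
// attribute value, so a reference held as a name breaks when the name changes.
type NameService struct{ byName map[string]string }

func NewNameService() *NameService { return &NameService{byName: map[string]string{}} }

func (s *NameService) Bind(name, value string) { s.byName[name] = value }

func (s *NameService) Rename(oldName, newName string) error {
	v, ok := s.byName[oldName]
	if !ok {
		return errors.New("unknown name " + oldName)
	}
	delete(s.byName, oldName)
	s.byName[newName] = v
	return nil
}

func (s *NameService) Resolve(name string) (string, error) {
	if v, ok := s.byName[name]; ok {
		return v, nil
	}
	return "", errors.New("unresolved name " + name)
}

// IdentityService adds one level of indirection: a name is an alias for an ID
// (URN) that never changes, and the URN resolves to the attribute. Many names
// may alias one URN and many URNs may point at one attribute, so a party that
// holds only its own URN cannot match it against another party's.
type IdentityService struct {
	nameToURN map[string]string
	urnToAttr map[string]string // URN -> attribute key
	attrs     map[string]string // attribute key -> value
}

func NewIdentityService() *IdentityService {
	return &IdentityService{nameToURN: map[string]string{},
		urnToAttr: map[string]string{}, attrs: map[string]string{}}
}

func (s *IdentityService) SetAttribute(key, value string) { s.attrs[key] = value }
func (s *IdentityService) BindURN(urn, attrKey string)  { s.urnToAttr[urn] = attrKey }
func (s *IdentityService) BindName(name, urn string)    { s.nameToURN[name] = urn }

// Rename rebinds the alias only; the URN behind it is untouched.
func (s *IdentityService) Rename(oldName, newName string) error {
	urn, ok := s.nameToURN[oldName]
	if !ok {
		return errors.New("unknown name " + oldName)
	}
	delete(s.nameToURN, oldName)
	s.nameToURN[newName] = urn
	return nil
}

// LookupURN returns what a relying party should store as its reference.
func (s *IdentityService) LookupURN(name string) (string, error) {
	if urn, ok := s.nameToURN[name]; ok {
		return urn, nil
	}
	return "", errors.New("unresolved name " + name)
}

// ResolveURN dereferences a stored URN to the current attribute value.
func (s *IdentityService) ResolveURN(urn string) (string, error) {
	if key, ok := s.urnToAttr[urn]; ok {
		return s.attrs[key], nil
	}
	return "", errors.New("unresolved URN " + urn)
}

func main() {
	is := NewIdentityService()
	is.SetAttribute("email", "alice@example.com")
	is.BindURN("urn:xns:id:1001", "email") // URN handed to the retailer
	is.BindURN("urn:xns:id:1002", "email") // a different URN handed to the bank
	is.BindName("alice.shop", "urn:xns:id:1001")
	is.BindName("alice.bank", "urn:xns:id:1002")
	ref, _ := is.LookupURN("alice.shop") // the retailer stores this, not the name
	_ = is.Rename("alice.shop", "a.smith.shop")
	v, err := is.ResolveURN(ref)
	fmt.Println(v, err) // alice@example.com <nil>
}
```

The retailer and the bank each hold a different URN for the same e-mail attribute; comparing the identifiers they hold tells them nothing, which is the triangulation defence of slide 13, and the retailer's stored URN still resolves after the principal renames the alias, which is the persistence point of slide 12.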
14
Identity links
An identity link replicates a portion of one
identity tree to another identity tree.
[Diagram: two identity trees with a replicated subtree shared between them.]
15
Links model control relationships
[Diagram: the privacy/security control figure from slide 7, with the identity link carrying the preferences, policies, and permissions between the two identities.]
16
Link contracts control data exchange
[Diagram: two identity documents joined by a link; each side of the link holds contracts, and the contracts control which attributes are exchanged.]
17
Contract structure
Identity Document
  Link (one per relationship): a link object can
  contain any number of contract objects covering
  different data purposes.
    Contract (one per agreement): each contract
    states the terms, purpose, and applicable
    policies (policy references use URNs).
      General Terms
      Purpose
      Policy references
      Attribute references: contracts reference the
      attributes they cover using URNs.
      Permissions: permission objects are extensible
      to model any type of privacy policy (opt-out,
      opt-in, opt-over) in any legal jurisdiction.
      They also cover synchronization.
      Signature: contracts are signed and stored for
      auditing and non-repudiation.
18
Permission objects: privacy and security controls
Permission (base object)
  PrivacyPermission controls:
    • Permission type (disclosure, contact, retention)
    • Purpose (human-readable)
    • Parties (for disclosure)
  SynchronizationPermission controls:
    • Sync type (push-with-data, push-notification-only,
      pull-on-demand, scheduled pull)
    • Full or incremental
    • Channel security parameters

19
Identity transactions
1) The Data Requestor (DR) sends an XNS form
definition to the Data Provider (DP).
2) The DP processes the form based on the
principal's attributes and preferences and
negotiates the contract.
3) Both parties sign the contract and store a
copy in their link.
[Diagram: each side holds an identity document with attributes; the DP side also holds policies and preferences; the DR's form definition is derived from a schema definition; the two documents are joined by an agent link whose contract and permissions both sides store.]
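The contract structure of slide 17, the privacy permission controls of slide 18 and the three-step transaction of slide 19, carried through as one added Go example (not code from the presentation, the XNS specifications or XNSORG). The field names, the "urn:xns:..." identifiers, JSON as the canonical serialisation and Ed25519 signatures are assumptions standing in for the XML contract document and whatever signature format XNS used, which the deck does not show; the preference rules are a constructed stand-in for the principal's preferences.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Added example for slides 17-19, not XNSORG code: field names, the
// urn:xns:... identifiers, JSON canonicalisation and Ed25519 are assumptions.
type (
	FormDef struct { // step 1, sent by the data requestor (DR)
		Requestor string   `json:"requestor"`
		Purpose   string   `json:"purpose"`
		Wanted    []string `json:"wanted"` // attribute URNs requested
	}
	Permission struct { // slide 18 PrivacyPermission controls
		Type    string   `json:"type"` // disclosure | contact | retention
		Purpose string   `json:"purpose"`
		Parties []string `json:"parties"`
	}
	Contract struct { // slide 17 outline; signatures live outside so all sign the same bytes
		Provider    string       `json:"provider"`
		Requestor   string       `json:"requestor"`
		Terms       string       `json:"terms"`
		Purpose     string       `json:"purpose"`
		Policies    []string     `json:"policies"`   // policy URNs
		Attributes  []string     `json:"attributes"` // attribute URNs covered
		Permissions []Permission `json:"permissions"`
	}
	SignedContract struct {
		Body                      []byte // canonical contract bytes both parties signed
		ProviderSig, RequestorSig []byte
	}
	Preferences map[string][]string // attribute URN -> purposes the principal allows
)

func (p Preferences) allows(attr, purpose string) bool {
	for _, ok := range p[attr] {
		if ok == purpose {
			return true
		}
	}
	return false
}

// Negotiate is step 2: the data provider (DP) keeps only the requested attributes
// the principal's preferences allow for the stated purpose, and refuses an empty contract.
func Negotiate(provider string, prefs Preferences, form FormDef, policies []string) (Contract, error) {
	c := Contract{Provider: provider, Requestor: form.Requestor, Terms: "general terms v1",
		Purpose: form.Purpose, Policies: policies}
	for _, attr := range form.Wanted {
		if prefs.allows(attr, form.Purpose) {
			c.Attributes = append(c.Attributes, attr)
		}
	}
	if len(c.Attributes) == 0 {
		return Contract{}, errors.New("preferences permit none of the requested attributes")
	}
	c.Permissions = []Permission{{Type: "disclosure", Purpose: form.Purpose, Parties: []string{form.Requestor}}}
	return c, nil
}

// Sign is step 3: both parties sign one canonical serialisation.
func Sign(c Contract, provKey, reqKey ed25519.PrivateKey) (SignedContract, error) {
	body, err := json.Marshal(c) // field order is fixed by the struct, so this is canonical
	if err != nil {
		return SignedContract{}, err
	}
	return SignedContract{Body: body, ProviderSig: ed25519.Sign(provKey, body),
		RequestorSig: ed25519.Sign(reqKey, body)}, nil
}

// Verify checks both signatures before trusting a stored copy; an altered body
// fails, which is what makes the copy usable for audit and non-repudiation.
func Verify(sc SignedContract, provPub, reqPub ed25519.PublicKey) (Contract, error) {
	if !ed25519.Verify(provPub, sc.Body, sc.ProviderSig) {
		return Contract{}, errors.New("provider signature invalid")
	}
	if !ed25519.Verify(reqPub, sc.Body, sc.RequestorSig) {
		return Contract{}, errors.New("requestor signature invalid")
	}
	var c Contract
	err := json.Unmarshal(sc.Body, &c)
	return c, err
}

func main() {
	provPub, provKey, _ := ed25519.GenerateKey(rand.Reader)
	reqPub, reqKey, _ := ed25519.GenerateKey(rand.Reader)
	prefs := Preferences{"urn:xns:attr:email": {"order-fulfilment"}} // phone: nothing allowed
	form := FormDef{Requestor: "urn:xns:id:retailer", Purpose: "order-fulfilment",
		Wanted: []string{"urn:xns:attr:email", "urn:xns:attr:phone"}}
	c, _ := Negotiate("urn:xns:id:alice", prefs, form, []string{"urn:xns:policy:basic"})
	sc, _ := Sign(c, provKey, reqKey)
	got, err := Verify(sc, provPub, reqPub)
	fmt.Println(got.Attributes, err) // [urn:xns:attr:email] <nil>
}
```

Verify works on the stored bytes, not on a re-serialised struct, so a copy that one side edits after signing fails on both signatures; the refusal in Negotiate matters because a contract covering no attributes would still be a signed record of a relationship the principal never agreed to.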
20
Identity synchronization
1) When the principal updates an attribute, the
DP checks which contracts reference that
attribute.
2) If the contract specifies a push, the DP
composes an XNS Set message and attaches a SAML
assertion.
3) The DR authenticates the message and updates
the attribute.
[Diagram: the DP identity document holds Attribute 1 and Attribute 2; the DR identity document holds a replicated copy of Attribute 2; the link contract and permissions stored on both sides govern the push.]
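The push path of slide 20 as an added Go example (not code from the presentation or XNSORG). The Set message layout is invented, an Ed25519 signature stands in for the SAML assertion the slide attaches, and the per-issuer sequence number is an assumption added so that a captured push cannot be replayed against the DR; the deck does not describe replay handling. The example also covers the push-notification-only sync type from slide 18, which must not carry the value.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Added example for slide 20, not XNSORG code: SetMessage, the Ed25519
// signature (standing in for the SAML assertion) and Seq are assumptions.
type (
	LinkContract struct {
		Requestor  string
		Attributes map[string]bool // attribute URNs the contract covers
		SyncType   string          // push-with-data | push-notification-only | pull-on-demand | scheduled-pull
	}
	SetMessage struct {
		Issuer    string `json:"issuer"`
		Kind      string `json:"kind"` // "set" carries Value, "notify" does not
		Attribute string `json:"attribute"`
		Value     string `json:"value,omitempty"`
		Seq       uint64 `json:"seq"` // per-issuer counter, used as a replay guard
	}
	Envelope struct {
		To        string
		Body, Sig []byte // Sig is the issuer's signature over Body
	}
	DataProvider struct {
		Name      string
		Key       ed25519.PrivateKey
		Attrs     map[string]string
		Contracts []LinkContract
		Seq       uint64
	}
	DataRequestor struct {
		Trusted map[string]ed25519.PublicKey // issuer -> verification key
		Attrs   map[string]string            // replicated attribute values
		Stale   map[string]bool              // changed per a notify; pull before use
		LastSeq map[string]uint64            // highest Seq accepted per issuer
	}
)

func NewDataProvider(name string, key ed25519.PrivateKey) *DataProvider {
	return &DataProvider{Name: name, Key: key, Attrs: map[string]string{}}
}

func NewDataRequestor() *DataRequestor {
	return &DataRequestor{Trusted: map[string]ed25519.PublicKey{}, Attrs: map[string]string{},
		Stale: map[string]bool{}, LastSeq: map[string]uint64{}}
}

// Update is steps 1 and 2: store the value, then emit one signed Set message per
// contract that covers the attribute and asks for a push; pull contracts get nothing.
func (dp *DataProvider) Update(attr, value string) []Envelope {
	dp.Attrs[attr] = value
	var out []Envelope
	for _, c := range dp.Contracts {
		if !c.Attributes[attr] {
			continue
		}
		msg := SetMessage{Issuer: dp.Name, Attribute: attr}
		switch c.SyncType {
		case "push-with-data":
			msg.Kind, msg.Value = "set", value
		case "push-notification-only":
			msg.Kind = "notify"
		default:
			continue
		}
		dp.Seq++
		msg.Seq = dp.Seq
		body, _ := json.Marshal(msg) // cannot fail for this struct
		out = append(out, Envelope{To: c.Requestor, Body: body, Sig: ed25519.Sign(dp.Key, body)})
	}
	return out
}

// Receive is step 3: parse only to find the issuer, verify the signature over the
// exact bytes received, reject replays, then apply or mark the attribute stale.
func (dr *DataRequestor) Receive(env Envelope) error {
	var msg SetMessage
	if err := json.Unmarshal(env.Body, &msg); err != nil {
		return err
	}
	if pub, ok := dr.Trusted[msg.Issuer]; !ok {
		return errors.New("untrusted issuer " + msg.Issuer)
	} else if !ed25519.Verify(pub, env.Body, env.Sig) {
		return errors.New("signature check failed")
	}
	if msg.Seq <= dr.LastSeq[msg.Issuer] {
		return errors.New("replayed or out-of-order message")
	}
	dr.LastSeq[msg.Issuer] = msg.Seq
	if msg.Kind == "notify" {
		dr.Stale[msg.Attribute] = true
		return nil
	}
	dr.Attrs[msg.Attribute] = msg.Value
	delete(dr.Stale, msg.Attribute)
	return nil
}

func main() {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	dp := NewDataProvider("urn:xns:id:alice", key)
	dp.Contracts = []LinkContract{{Requestor: "urn:xns:id:retailer",
		Attributes: map[string]bool{"urn:xns:attr:email": true}, SyncType: "push-with-data"}}
	dr := NewDataRequestor()
	dr.Trusted["urn:xns:id:alice"] = pub
	envs := dp.Update("urn:xns:attr:email", "alice@example.com")
	fmt.Println(dr.Receive(envs[0]), dr.Receive(envs[0])) // <nil> replayed or out-of-order message
}
```

The DR keys its trust on the issuer named inside the signed body, not on who delivered the envelope, and it never writes to its identity document before the signature and sequence checks pass; a message for a pull-on-demand contract is never generated at all, so the DP side enforces the sync type rather than relying on the DR to ignore unwanted pushes.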
21
The identity Web
This represents how one user may choose to link
their identities. Identity Web architecture
supports any linking model just like the Web.
[Diagram: the user's identity documents held by several identity servers (an online retailer, an employer, a bank) and by an identity client on a laptop, connected to one another by XNS identity links.]
22
The Web identity services layer
[Diagram: three layers, logical view beside physical view]
Logical:
  Web (HTML over HTTP): Browser
  Web Services (XML over SOAP): Application
  Web Identity Services (XNS over SOAP): Identity, rooted at the Web Identity Root
Physical (per domain, each with an Enterprise Identity Root):
  Enterprise Security
  Enterprise Directory
  Enterprise Integration
  Application
  Persistence
23
The XNS Technical Specifications
  • A set of 12 WSDL Web service definitions plus
    an XML-based URN syntax specification
  • Living service definitions because they are
    published by the XNSORG agent using XNS Discovery
    service
  • This allows XNS service definition formats to
    evolve as Web services standards evolve (e.g.,
    SOAP, WSDL, XML Schemas, etc.)

24
The XNS base services
[Diagram: service layers, top to bottom]
  Higher-level services: Reputation, Introduction,
  Directory
  Base services (Attribute Management Services,
  Credential Management Services, Exchange/Linking
  Services): Folder, Data, Certification, Negotiation
  Foundation services: Core (Session, Hosting,
  Discovery, Authentication) and URN Services (Name,
  ID, Location)
  Services marked in the original diagram are not in
  the XNS 1.0 specifications.
25
XNS serves a function parallel to DNS
XNS is an identity service for the endpoints of
web services (SOAP actors); DNS is a name service
for the endpoints of TCP/IP protocols (domains
and hosts).

                         Web services                                Internet
Higher-level protocols   WSDL-based Web services                     Telnet, FTP, SMTP, HTTP, etc.
Identity / name service  XNS                                         DNS
Base protocol            SOAP                                        TCP/IP
Layer                    Application-to-Application (XML messages)   Machine-to-Machine (packets)
26
The SOAP stack with XNS
[Diagram: the SoapBuilders interop roadmap, top layer first, with XNS added]
  Service Interaction / Orchestration: WSCL, ebXML, XLANG, WSFL, BTP
  Business Registry: ebXML RR, UDDI
  Security: XKMS, XRML, XML Encryption, XML Signature, SAML
  Security Protocols: WS-Security, ?
  Service Description: WS-Inspection, WSDL
  Intermediary and Endpoint Services: WS-Routing, XNS
  Transport Services (Encapsulation, Reliability): DIME, WS-Reliability, HTTPR, BXXP, ebXML TRP
  Messaging Protocols: SOAP v1.1, SOAP v1.2, DIME SOAP, SOAP w/Attachments
  Transport Protocols: HTTP, HTTPS, IIOP/S, FTP, SMTP, UDP, MQ, JMS
Source: IONA SOAP Interop website
(http://www.xmlbus.com/interop/img/SoapBuildersInteropRoadmap.gif)
27
Summary: XNS provides a common model for
identity, security, and privacy
[Diagram: the principal at the centre, surrounded by five properties]
  • Unified Identity: unified, lifetime Web identity
  • Strong Security: authentication, SSO,
    authorization, PKI interoperability, reputation
  • Strong Privacy: digitally signed contracts,
    privacy permissions
  • Smart Transactions: intelligent forms, automatic
    negotiation, digital receipts
  • Persistent Links: lifetime relationships,
    auto-updates
28
XNS and the ISTPA Privacy Framework
  • XNS directly implements two of the Capabilities
    (Agent and Access)
  • XNS provides a strong foundation for the third
    Capability (Usage)
  • XNS directly implements three of the seven
    Services (Interaction, Negotiation, Control)
  • XNS provides an infrastructure supporting all
    four Assurance Services (Validation,
    Certification, Audit, and Enforcement)