Security Aspects of the Handle System


CNRI Handle System and its
Applications
Sam X. Sun
CNRI
[email protected]
CNRI Handle System and its Applications
• Handle System and its Background
• Handle System Features
• Handle System Data & Service Model
• Handle System Applications
• Handle System and IDF
• Handle System and Identity Management
Handle System
• A global name service that provides unique
identifiers for digital objects over the Internet
• Maintains persistent identifiers that remain valid
when an object's location or attributes change
• An infrastructure service that promotes
interoperability for identity management and
digital rights management
Background
• R. Kahn & R. Wilensky, "A Framework for
Distributed Digital Object Services", 1995
• Information Layer Infrastructure:
- General-purpose global identifier service
- Repository for digital objects
- Access control & content management
• Research project sponsored by DARPA over
the past eight years.
Handle System Features
• Secured name resolution and data delivery, with
standard mechanism for credential validation
• Distributed administration via handle system
authentication protocol
• Ownership defined per handle, access control
defined per handle value – essential for privacy
protection
• International support via UTF-8 encoding
• Distributed service model that is both scalable
and extendable
Handle Namespace
Syntax Definition:
  <handle>     ::= <NA> "/" <Local-Name>
  <NA>         ::= *(<na_seg> ".") <na_seg>
  <na_seg>     ::= Any Unicode 2.0 character encoded in UTF-8, except "/" and "."
  <Local-Name> ::= Any Unicode 2.0 character encoded in UTF-8
Examples (naming authority (NA) / local name under that NA):
  10.123/456
  cnri.dlib/july95-arms
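As an added example (not code from the slides or from CNRI), the following Go program parses and validates handles against the syntax above: it splits at the first "/", checks that every naming-authority segment is non-empty and free of "/" and ".", and derives the NA's own handle in the "0.NA/<NA>" form these slides use later for administrator records. The sample inputs are constructed; the parent-NA helper assumes the dotted segments are hierarchical, which the syntax implies but the slide does not state.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Handle is a parsed handle: naming authority (NA) and local name, following
// the slide's syntax <NA> "/" <Local-Name>, with the NA made of "."-separated
// segments that may not contain "/" or ".".
type Handle struct {
	NA        string
	LocalName string
}

// ParseHandle splits s at the FIRST "/" (a local name may itself contain "/")
// and validates the naming authority.
func ParseHandle(s string) (Handle, error) {
	i := strings.IndexByte(s, '/')
	if i < 0 {
		return Handle{}, fmt.Errorf("%q has no \"/\" between NA and local name", s)
	}
	na, local := s[:i], s[i+1:]
	if err := ValidateNA(na); err != nil {
		return Handle{}, err
	}
	if local == "" {
		return Handle{}, fmt.Errorf("%q has an empty local name", s)
	}
	return Handle{NA: na, LocalName: local}, nil
}

// ValidateNA checks a naming authority on its own (e.g. at registration):
// one or more non-empty segments, none containing "/" or ".", so "a..b",
// ".a", "a." and "a/b" are all rejected.
func ValidateNA(na string) error {
	if na == "" {
		return errors.New("empty naming authority")
	}
	if strings.ContainsRune(na, '/') {
		return fmt.Errorf("naming authority %q contains \"/\"", na)
	}
	for _, seg := range strings.Split(na, ".") {
		if seg == "" {
			return fmt.Errorf("naming authority %q has an empty segment", na)
		}
	}
	return nil
}

// String re-assembles the handle.
func (h Handle) String() string { return h.NA + "/" + h.LocalName }

// NAHandle is the handle under which the naming authority itself is
// registered, "0.NA/<NA>", the form the slides use for the administrator
// record of NA 10 ("0.NA/10").
func (h Handle) NAHandle() string { return "0.NA/" + h.NA }

// ParentNA is the enclosing naming authority ("10" for "10.123"), or "" for a
// single-segment NA. Assumption: dotted segments form a hierarchy.
func (h Handle) ParentNA() string {
	if i := strings.LastIndexByte(h.NA, '.'); i >= 0 {
		return h.NA[:i]
	}
	return ""
}

func main() {
	// constructed inputs: the slide's two examples plus malformed ones
	for _, s := range []string{"10.123/456", "cnri.dlib/july95-arms", "10.1000/a/b", "a..b/x", "nolocal", "/x"} {
		h, err := ParseHandle(s)
		if err != nil {
			fmt.Printf("%-24s rejected: %v\n", s, err)
			continue
		}
		fmt.Printf("%-24s NA=%q local=%q NA handle=%s parent=%q\n",
			s, h.NA, h.LocalName, h.NAHandle(), h.ParentNA())
	}
}
```

Splitting at the first slash matters: the grammar lets a local name contain "/", so a parser that splits at the last slash would silently move part of the local name into the naming authority and resolve against the wrong service.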
Handle System Data Model
• A handle resolves to a set of handle values; each value carries an index, a data type and the data itself.
• A handle administrator record (e.g. the one for handle "0.NA/10") defines who administers the handle.
Example: Handle and Handle Values
Handle: 10.123/456
  Index   Data Type   Handle data
  2       URL         http://srv1.pub.com/...
  3       URL         http://srv2.pub.com/...
  100     adm.        10.123/admin
  50      md          http://meta.pub.com/...
  20      email       [email protected]
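The following Go model is an added example, not CNRI's code: it holds the slide's handle 10.123/456 as a record of indexed, typed values, attaches the per-value read/write permissions the Features slide refers to (the four permission bits, admin/public read/write, are the protocol's; everything else is simplified), and uses the "adm." value to decide who may modify what. The permissions assigned to the sample values, the administrator's value index 300, and the contact address are assumptions constructed for the demo.

```go
package main

import "fmt"

// Perms is the per-value access control of the data model: who may read and
// who may write this one value. The four bits (admin/public read/write) are
// the protocol's; the rest of this model is simplified for the example.
type Perms struct{ AdminRead, AdminWrite, PublicRead, PublicWrite bool }

// AdminRef identifies an administrator: a handle plus the index of the value
// under it (normally a key) used to authenticate that administrator.
type AdminRef struct {
	Handle string
	Index  int
}

// Value is one entry of a handle record, as in the slide's table.
type Value struct {
	Index int
	Type  string // "URL", "md", "email", "adm."
	Data  string
	Admin *AdminRef // set only on "adm." values
	Perms Perms
}

// Record is a handle and its values.
type Record struct {
	Handle string
	Values []Value
}

// Resolve returns the values the requester may read, restricted to the given
// types when any are named. Anonymous clients see PublicRead values only;
// an authenticated administrator also sees AdminRead values.
func (r *Record) Resolve(types []string, asAdmin bool) []Value {
	want := map[string]bool{}
	for _, t := range types {
		want[t] = true
	}
	var out []Value
	for _, v := range r.Values {
		if len(want) > 0 && !want[v.Type] {
			continue
		}
		if v.Perms.PublicRead || (asAdmin && v.Perms.AdminRead) {
			out = append(out, v)
		}
	}
	return out
}

// IsAdmin reports whether who matches an administrator listed in an "adm." value.
func (r *Record) IsAdmin(who AdminRef) bool {
	for _, v := range r.Values {
		if v.Type == "adm." && v.Admin != nil && *v.Admin == who {
			return true
		}
	}
	return false
}

// CanWrite decides whether who (already authenticated by the server) may
// modify the value at index idx: PublicWrite values are open to anyone,
// AdminWrite values to listed administrators only, a value with neither bit
// cannot be changed through the protocol, and an absent index is refused.
func (r *Record) CanWrite(who AdminRef, idx int) bool {
	for _, v := range r.Values {
		if v.Index == idx {
			return v.Perms.PublicWrite || (v.Perms.AdminWrite && r.IsAdmin(who))
		}
	}
	return false
}

// SampleRecord is the slide's handle 10.123/456. Permissions are constructed
// for the example: URLs, metadata pointer and admin reference are public; the
// contact e-mail (a constructed address) is readable by the administrator only.
func SampleRecord() *Record {
	public := Perms{AdminRead: true, AdminWrite: true, PublicRead: true}
	private := Perms{AdminRead: true, AdminWrite: true}
	return &Record{Handle: "10.123/456", Values: []Value{
		{Index: 2, Type: "URL", Data: "http://srv1.pub.com/...", Perms: public},
		{Index: 3, Type: "URL", Data: "http://srv2.pub.com/...", Perms: public},
		{Index: 100, Type: "adm.", Data: "10.123/admin", Admin: &AdminRef{"10.123/admin", 300}, Perms: public}, // index 300 assumed
		{Index: 50, Type: "md", Data: "http://meta.pub.com/...", Perms: public},
		{Index: 20, Type: "email", Data: "contact@pub.com", Perms: private},
	}}
}

func main() {
	r := SampleRecord()
	fmt.Println("anonymous resolution of", r.Handle)
	for _, v := range r.Resolve(nil, false) {
		fmt.Printf("  %3d %-6s %s\n", v.Index, v.Type, v.Data)
	}
	admin, stranger := AdminRef{"10.123/admin", 300}, AdminRef{"10.999/x", 300}
	fmt.Println("admin sees e-mail:   ", len(r.Resolve([]string{"email"}, true)) == 1)
	fmt.Println("admin may edit URL 2:", r.CanWrite(admin, 2))
	fmt.Println("other may edit URL 2:", r.CanWrite(stranger, 2))
}
```

The point to notice is that the privacy decision is per value, not per handle: the same anonymous resolution that returns the URLs withholds the e-mail, and a writer has to be matched against the record's own administrator reference rather than against anything global.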
Handle System Service Architecture
The Handle System is a collection of handle services, each of which consists of one or more replicated sites, each of which may have one or more servers.
Figure: a client queries the Global Handle Service (GHS) and the Local Handle Services (LHS); an LHS is drawn as replicated sites (Site 1, Site 2, Site 3 ... Site n), each with servers #1, #2, #3, #4 ... #n. Resolving the handle 10.1000/123456 at one of those sites returns its handle values, here two URLs: value 1, http://www.doi.org/....., and value 2, http://meta.doi.org/......
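To show the resolution path behind the figure, here is an added Go simulation (not CNRI's software): a GHS maps each naming authority, keyed as "0.NA/<NA>" like the administrator record on the data-model slide, to its LHS; the LHS is a list of replicated sites, each with several servers; the client hashes the handle to pick a server inside a site and falls through to the next replica when that server is unreachable, while a "not found" from a live replica is treated as final. The MD5-modulo server choice is a simplification of the protocol's hash-based server selection, and all records and outages are constructed.

```go
package main

import (
	"crypto/md5"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Server is one handle server inside a site; Records is nil when the server
// is unreachable (a constructed failure mode for the demo).
type Server struct {
	Name    string
	Records map[string][]string // handle -> its URL values
}

// Site is one replica of a handle service; every site holds the same data.
type Site struct {
	Name    string
	Servers []*Server
}

// Service is a handle service (here an LHS) made of replicated sites.
type Service struct {
	Name  string
	Sites []*Site
}

// GHS stands in for the Global Handle Service: which LHS serves each NA.
type GHS struct {
	Roots map[string]*Service
}

var errDown = errors.New("server unreachable")

// pickServer chooses the server within a site for handle h by hashing the
// handle (MD5 reduced modulo the server count); simplified from the protocol.
func (s *Site) pickServer(h string) *Server {
	sum := md5.Sum([]byte(h))
	return s.Servers[binary.BigEndian.Uint32(sum[12:])%uint32(len(s.Servers))]
}

// query asks one site. An unreachable server is reported as errDown so the
// caller can fall through to a replica; "not found" from a live site is final.
func (s *Site) query(h string) ([]string, error) {
	srv := s.pickServer(h)
	if srv.Records == nil {
		return nil, fmt.Errorf("%s server %s: %w", s.Name, srv.Name, errDown)
	}
	vals, ok := srv.Records[h]
	if !ok {
		return nil, fmt.Errorf("%s: handle %q not found", s.Name, h)
	}
	return vals, nil
}

// Resolve follows the client's path: ask the GHS which LHS owns the naming
// authority, then query that service's sites in order until one is reachable.
// It returns the values and the name of the site that answered.
func (g *GHS) Resolve(h string) ([]string, string, error) {
	i := strings.IndexByte(h, '/')
	if i < 0 {
		return nil, "", fmt.Errorf("%q is not a handle", h)
	}
	lhs, ok := g.Roots["0.NA/"+h[:i]]
	if !ok {
		return nil, "", fmt.Errorf("GHS: no service registered for naming authority %q", h[:i])
	}
	var lastErr error
	for _, site := range lhs.Sites {
		vals, err := site.query(h)
		if errors.Is(err, errDown) {
			lastErr = err
			continue // same data is held by the next replica
		}
		return vals, site.Name, err
	}
	return nil, "", lastErr
}

// NewSite builds a site with n (>= 1) servers sharing one copy of records;
// up=false marks every server in it unreachable.
func NewSite(name string, n int, records map[string][]string, up bool) *Site {
	s := &Site{Name: name}
	for i := 1; i <= n; i++ {
		srv := &Server{Name: fmt.Sprintf("#%d", i)}
		if up {
			srv.Records = records
		}
		s.Servers = append(s.Servers, srv)
	}
	return s
}

// Demo mirrors the slide's figure with constructed data: the LHS for naming
// authority 10.1000 has two replicated sites; Site 1 is unreachable in this run.
func Demo() *GHS {
	recs := map[string][]string{
		"10.1000/123456": {"http://www.doi.org/.....", "http://meta.doi.org/....."},
	}
	lhs := &Service{Name: "LHS for 10.1000", Sites: []*Site{
		NewSite("Site 1", 2, recs, false),
		NewSite("Site 2", 3, recs, true),
	}}
	return &GHS{Roots: map[string]*Service{"0.NA/10.1000": lhs}}
}

func main() {
	g := Demo()
	for _, h := range []string{"10.1000/123456", "10.1000/999", "20.500/x"} {
		vals, site, err := g.Resolve(h)
		if err != nil {
			fmt.Printf("%-16s error: %v\n", h, err)
			continue
		}
		fmt.Printf("%-16s answered by %s: %v\n", h, site, vals)
	}
}
```

Keeping "unreachable" and "not found" as different errors is what makes replication useful without making it dangerous: a client that retried every negative answer at every site would turn a single authoritative "no such handle" into n round trips, and one that treated an outage as "not found" would report objects as missing whenever a replica was down.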
Handle System Protocol: Message Structure
Every protocol message has four parts, in order:
  Envelope | Header | ...<message body>... | Credential
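As an added example (not CNRI's implementation), the Go code below encodes and decodes the envelope and header and cross-checks the length fields before trusting them. The field order and widths (20-byte envelope, 24-byte header, MessageLength counting everything after the envelope) follow the Handle System Protocol Specification listed under Documentation as the editor recalls it; confirm them against the spec before relying on them. The body and the credential (a signature or MAC over the message in the real protocol) are carried as opaque bytes, and the op code and the size cap are constructed for the demo.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	envelopeLen = 20
	headerLen   = 24
	maxMessage  = 1 << 20 // constructed cap: refuse absurd lengths before allocating
)

// Envelope is the fixed 20-byte prefix of every message.
type Envelope struct {
	MajorVersion, MinorVersion uint8
	MessageFlag                uint16
	SessionID, RequestID       uint32
	SequenceNumber             uint32
	MessageLength              uint32 // bytes that follow the envelope
}

// Header is the 24-byte section after the envelope.
type Header struct {
	OpCode, ResponseCode, OpFlag uint32
	SiteInfoSerial               uint16
	RecursionCount, Reserved     uint8
	ExpirationTime               uint32
	BodyLength                   uint32
}

// Message is envelope + header + body + credential; the credential is opaque here.
type Message struct {
	Env  Envelope
	Hdr  Header
	Body []byte
	Cred []byte
}

// Encode serialises the message big-endian and fills in both length fields.
func (m *Message) Encode() []byte {
	m.Hdr.BodyLength = uint32(len(m.Body))
	m.Env.MessageLength = uint32(headerLen + len(m.Body) + len(m.Cred))
	buf := make([]byte, envelopeLen+int(m.Env.MessageLength))
	e, h := m.Env, m.Hdr
	buf[0], buf[1] = e.MajorVersion, e.MinorVersion
	binary.BigEndian.PutUint16(buf[2:], e.MessageFlag)
	binary.BigEndian.PutUint32(buf[4:], e.SessionID)
	binary.BigEndian.PutUint32(buf[8:], e.RequestID)
	binary.BigEndian.PutUint32(buf[12:], e.SequenceNumber)
	binary.BigEndian.PutUint32(buf[16:], e.MessageLength)
	p := buf[envelopeLen:]
	binary.BigEndian.PutUint32(p[0:], h.OpCode)
	binary.BigEndian.PutUint32(p[4:], h.ResponseCode)
	binary.BigEndian.PutUint32(p[8:], h.OpFlag)
	binary.BigEndian.PutUint16(p[12:], h.SiteInfoSerial)
	p[14], p[15] = h.RecursionCount, h.Reserved
	binary.BigEndian.PutUint32(p[16:], h.ExpirationTime)
	binary.BigEndian.PutUint32(p[20:], h.BodyLength)
	copy(p[headerLen:], m.Body)
	copy(p[headerLen+len(m.Body):], m.Cred)
	return buf
}

// Decode parses one message, checking every length before using it:
// MessageLength must be bounded, cover at least the header and match the bytes
// received; BodyLength must fit inside it. What follows the body is the credential.
func Decode(b []byte) (*Message, error) {
	if len(b) < envelopeLen {
		return nil, errors.New("short envelope")
	}
	var m Message
	m.Env = Envelope{
		MajorVersion: b[0], MinorVersion: b[1],
		MessageFlag:    binary.BigEndian.Uint16(b[2:]),
		SessionID:      binary.BigEndian.Uint32(b[4:]),
		RequestID:      binary.BigEndian.Uint32(b[8:]),
		SequenceNumber: binary.BigEndian.Uint32(b[12:]),
		MessageLength:  binary.BigEndian.Uint32(b[16:]),
	}
	ml := int(m.Env.MessageLength)
	if m.Env.MessageLength > maxMessage || ml < headerLen {
		return nil, fmt.Errorf("implausible MessageLength %d", ml)
	}
	if len(b) != envelopeLen+ml {
		return nil, fmt.Errorf("MessageLength %d but %d bytes follow the envelope", ml, len(b)-envelopeLen)
	}
	p := b[envelopeLen:]
	m.Hdr = Header{
		OpCode: binary.BigEndian.Uint32(p[0:]), ResponseCode: binary.BigEndian.Uint32(p[4:]),
		OpFlag: binary.BigEndian.Uint32(p[8:]), SiteInfoSerial: binary.BigEndian.Uint16(p[12:]),
		RecursionCount: p[14], Reserved: p[15],
		ExpirationTime: binary.BigEndian.Uint32(p[16:]), BodyLength: binary.BigEndian.Uint32(p[20:]),
	}
	bl := int(m.Hdr.BodyLength)
	if bl > ml-headerLen {
		return nil, fmt.Errorf("BodyLength %d exceeds the %d bytes after the header", bl, ml-headerLen)
	}
	m.Body, m.Cred = p[headerLen:headerLen+bl], p[headerLen+bl:ml]
	return &m, nil
}

func main() {
	req := &Message{Env: Envelope{MajorVersion: 2, MinorVersion: 1, RequestID: 1},
		Hdr: Header{OpCode: 1}, Body: []byte("10.123/456"), Cred: []byte("opaque credential")} // op code constructed
	wire := req.Encode()
	if got, err := Decode(wire); err == nil {
		fmt.Printf("%d bytes on the wire: body=%q credential=%d bytes\n", len(wire), got.Body, len(got.Cred))
	}
	wire[40] = 0xFF // corrupt the high byte of BodyLength
	_, err := Decode(wire)
	fmt.Println("corrupted BodyLength:", err)
}
```

Two lengths that describe the same bytes are two chances to disagree, and a decoder that believes either one without checking the other (or the byte count it actually received) is the classic source of over-reads and oversized allocations in binary protocol parsers.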
Handle System Documentations:
• Handle System Overview
http://www.handle.net/overview-current.html
• Handle System Namespace and Service
Definition
http://www.handle.net/namespace-current.html
• Handle System Protocol Specification
http://www.handle.net/protocol-spec-current.html
• The Digital Object Identifier
http://www.doi.org
Handle System Applications:
• International DOI Foundation
(http://www.doi.org)
• US Library of Congress and University
libraries
• US Learning Object Network
• Web-in-the-Box Project for US Navy
• Content ID Forum, Japan
• KPA/KDC, Korea
• Inventory management, ENPIA, Korea
Handle System Applications
(cont.)
• DARPA/NSF Secure Digital Information
System for secured information sharing
among different agencies
• AAMVA Driver Record Information
Verification System (DRIVerS)
• Financial Service Technical Consortium
(FSTC)
• MPEG-21 Standard Process
• IETF/IRTF Internet Digital Rights
Management
DOI and IDF (http://www.doi.org):
• International DOI Foundation: founded 1998
– following demonstration of prototype in 1997
• Not-for-profit; paid membership support
– similar principles to World Wide Web Consortium (W3C)
• Open to all interested parties
• Democratic: board elected from members
• Full time staff (Director)
• 40+ organisations and growing
DOI and IDF:
• Establish a way of identifying content in the
digital environment via actionable identifier (e.g.
handles in the Handle System).
• Use that as the basis for digital rights
management in the future.
• Aim to maximise value of digital objects (e.g.
reduce copy infringement, increase accessibility,
help in content management).
• Facilitate mass production and mass
customisation via terms and conditions associated
with digital objects.
DOI and IDF and the Handle System:
• DOI registration and resolution service fully
implemented over the Handle System.
• Applications are being built on top of DOI
(e.g. CrossRef and Metadata registration).
• Commercial deployment: DOI registration
agencies (e.g. CrossRef and others).
• E-Book endorsement and DOI-EB prototype
(see http://www.doi.org).
Identity and Identity Management:
• Identity: Identity Reference + Set of Attributes
Examples:
Driver’s License
Public Key Certificate
Handle + Handle Attribute
• The way an identity is referenced determines how
identities are used and managed.
• Identity management is essential for all kinds of
security services, especially in areas such as
authentication/authorization, data confidentiality, as
well as service non-repudiation.
Identity Management using Handle System
• Persistent identity reference, separating the identity
reference from any of its attributes.
• Separates transport security from credential
validation, which simplifies the authentication process.
• Automated credential validation against the subject's
handle record, so that no intermediate Certificate
Authority (CA) is necessary; trust then rests on secured
resolution of the signer's handle rather than on a
certificate chain, and the validation process is more
defensible under legal challenge.
Identity Management using Handle System
(cont)
• Real-time identity validation can be carried out
via authorization agencies, avoiding the
difficulties of the certificate revocation process
and making validation more trustworthy
• Ownership of identity attributes is delegated to
identity subjects and authorization agencies, so
that changes can be made in a timely fashion
without dependency on a third party
• Privacy and access control can be managed by the
individual identity subject, protecting against
impersonation and/or identity theft
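The validation described on these two slides, as an added Go example (not CNRI's code): the verifier looks the signer's public key up in the signer's own handle record by handle and value index, so it trusts the secured resolution of that handle rather than a CA chain, and revocation is simply the removal of the key value, visible on the next lookup. The caveat is the flip side of the same design: whoever can alter the signer's handle record, or spoof its resolution, can substitute a key, so the lookup has to be the secured resolution the Features slide describes. Ed25519, the in-memory resolver, the value index 300 and the message text are assumptions for this example; the protocol's actual credential encoding is not reproduced.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyValue is a public-key value under a signer's handle (the HS_PUBKEY value
// in the real data model): the handle record itself publishes the key.
type KeyValue struct {
	Index  int
	PubKey ed25519.PublicKey
}

// Resolver stands in for secured handle resolution: handle -> current key values.
// In the real system this is a resolution query; here it is an in-memory map.
type Resolver map[string][]KeyValue

// Credential names the signer by handle and value index and carries the
// signature over the message, mirroring the credential section of a message.
type Credential struct {
	SignerHandle string
	SignerIndex  int
	Signature    []byte
}

// Sign produces a credential for msg; the signer is known only by its handle.
func Sign(priv ed25519.PrivateKey, handle string, index int, msg []byte) Credential {
	return Credential{SignerHandle: handle, SignerIndex: index, Signature: ed25519.Sign(priv, msg)}
}

// Verify resolves the signer's handle and index to whatever key is published
// there right now. There is no certificate chain to walk and no revocation
// list to fetch: if the value is gone or replaced, verification fails.
func (r Resolver) Verify(c Credential, msg []byte) error {
	for _, kv := range r[c.SignerHandle] {
		if kv.Index != c.SignerIndex {
			continue
		}
		if ed25519.Verify(kv.PubKey, msg, c.Signature) {
			return nil
		}
		return errors.New("signature does not verify under the key published in the signer's handle")
	}
	return fmt.Errorf("no key value at %s index %d: signer unknown or revoked", c.SignerHandle, c.SignerIndex)
}

// Revoke removes the key value at index under handle, an administrative
// change the identity subject (or its authorizing agency) makes directly.
func (r Resolver) Revoke(handle string, index int) {
	var kept []KeyValue
	for _, kv := range r[handle] {
		if kv.Index != index {
			kept = append(kept, kv)
		}
	}
	r[handle] = kept
}

// Scenario runs the exchange end to end and returns the three outcomes:
// a genuine message, the same credential on a tampered message, and the
// genuine message after the signer's key value has been revoked.
func Scenario() (genuine, tampered, afterRevoke error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const signer, keyIndex = "10.123/admin", 300 // index 300 is an assumption
	res := Resolver{signer: {{Index: keyIndex, PubKey: pub}}}
	msg := []byte("modify 10.123/456 index 2 URL -> http://srv3.pub.com/...") // constructed request
	cred := Sign(priv, signer, keyIndex, msg)
	genuine = res.Verify(cred, msg)
	tampered = res.Verify(cred, []byte("modify 10.123/456 index 2 URL -> http://attacker.example/"))
	res.Revoke(signer, keyIndex)
	afterRevoke = res.Verify(cred, msg)
	return
}

func main() {
	g, t, r := Scenario()
	fmt.Println("genuine message:     ", g)
	fmt.Println("tampered message:    ", t)
	fmt.Println("after key revocation:", r)
}
```

Because the key is fetched at verification time, a replaced or deleted value takes effect on the very next request, which is the "real time" validation the slide contrasts with certificate revocation; the price is that the availability and integrity of the resolver are now on the critical path of every signature check.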
Handle System Goal…
• An infrastructure service that promotes interoperability among various information systems,
regardless of the computing platform.
• Enabling technology for better resource sharing,
with distributed administration/ownership defined
per named digital object, and secured data binding
over public network.