Identity Centric Computing for the Enterprise


Extensible Resource Identifiers (XRIs)
XDI Face to Face
28 April 2004
Copyright © 2004, Epok, Inc.
What are XRIs?
• Extensible Resource Identifiers (XRIs) are abstract identifiers: broadly useful, but with features especially well suited to identity and web services
• Based on URIs as defined by RFC 2396, and can be downcast into conventional URIs
• Resolvable to concrete endpoints via the standard resolution protocol defined by the XRI Specification
XRIs: True Unified Identifiers
• XRIs can provide a uniform layer of abstract identifiers for any resource on any network
[Diagram: XRIs layered above DNS names, phone numbers, IP addresses, email addresses and future address types, all spanning the Web]
XRI Goals
• A unified syntax for abstract identifiers providing
  – Abstraction and independence
  – Persistence and reassignability
  – Human-friendliness and machine-friendliness
  – Internationalization
  – Cross-context identification
• A standard Internet-based resolution protocol, including support for trusted resolution
Absolute and relative persistent identifiers
• URNs require absolute persistent identifiers
  – The entire identifier is persistent
  – It will never be reassigned, for all time
• This can be difficult to meet operationally
  – Requires a persistent ID for all higher-level domains
• Many uses require only relative persistence
  – Only part of the identifier is persistent
  – That portion is persistent for a relative period (i.e., the lifetime of its potentially reassignable ID space)
Examples of relative and absolute persistence
• Absolute persistent URNs
  urn:isbn:0-395-36341-1
  urn:ietf:rfc:2141
  urn:us:gov:usdoj:ins:somedata
• Note that the last of these is now "broken": INS has moved from the DOJ to the Department of Homeland Security and now has a new title, BCIS. To be semantically accurate it would therefore have to change to urn:us:gov:bcis:someschema, which an absolute persistent identifier must never do. This is an example of the problem of "semantic reflection" in persistent identifiers: an identifier that reflects an organization's name breaks when the organization is renamed.
• Absolute persistent XRIs
  xri://:isbn:0-395-36341-1
  xri://:ietf:rfc:2141
  xri://:us:gov:bcis/:somedata
  xri://:34F2:A98E:B8FC/:somedata
• Relative persistent XRIs
  xri://www.bookstore.com/:isbn:0-395-36341-1
  xri://ietf.org/rfc/:2141
  xri://www.bcis.gov/:somedata
Human-friendly identifiers
• A longtime goal of computing in general
  – Character-based interfaces → GUIs
  – 8-character DOS filenames → Macintosh file names
• Providing HFIs for machine-friendly IP addresses was a key motivation for DNS
[Diagram: a human-friendly identifier (e.g., epok.com), the DNS name, maps to a machine-friendly identifier (e.g., 192.168.10.134), the IP address]
XRI Naming
• XRIs support a layer of reassignable names that resolve (potentially) to persistent identifiers
• Global Context Symbols
  – "=" indicates a natural person
  – "@" indicates any legal entity other than a natural person
  – "+" indicates a generic noun, concept or name
[Diagram: naming layers, top to bottom: E Names, E Numbers, DNS Names, IP Addresses, Physical Network]
XRI Naming Examples
• Individual Human Friendly Identifiers (any natural person)
xri:=JohnDoe
xri:=MaryVincentSmith
• Organizational Human Friendly Identifiers (any legal mark)
xri:@BarnesAndNoble
xri:@bcis
xri:@gsa
• General Human Friendly Identifiers (any generic term)
xri:+us
xri:+books
xri:+music/rock
xri:+geology/rock
xri:+someschema
xri:+someschema/FirstName
Cross-context identifiers
• A cross-context identifier identifies the same logical resource in different physical contexts
• English-language example:
  – John's car
  – Mary's car
• HTTP URI example:
  – http://www.wines.com/index.html
  – http://www.books.com/index.html
Cross-context Example
• The same publication
xri://www.bcis.gov/(xri://gsa.gov/:somepublication)
xri://www.dod.gov/(xri://gsa.gov/:somepublication)
xri://www.gsa.gov/(xri://gsa.gov/:somepublication)
xri:@gsa/(xri://gsa.gov/:somepublication)
• The same type of web page
xri://www.bcis.gov/(+faq)
xri://www.gsa.com/(+faq)
• The same type of directory attribute
xri:=JohnSmith/(+email)
xri:@gsa/(=JohnSmith)/(+email)
Attribute and version identifiers
• Standardizing cross-context data exchange requires more than just object-level identifiers
• Attributes must be addressable relative to a containing object
  – Must support nested attributes
• Versions must be addressable relative to an object or attribute
  – Must support nested versions
Attribute and version Examples
• Attributes
xri:=JohnSmith/(+email)/work
xri:@gsa/(=JohnSmith)/(+email)/work
xri:@gsa/:someschema/FirstName
• Versions
xri:=JohnSmith/(+email)/work/($v/3)
xri:=JohnSmith/(+email)/work/($d/2001-06-21T07:33:48Z)
xri:@gsa/:someschema/($v/1)/FirstName
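The naming, cross-context and attribute/version examples above all rely on the same syntax rules: a GCS character or "//" at the start, "." and ":" delimiting reassignable and persistent subsegments, "/" introducing the local path, and "(...)" wrapping a cross-reference that is treated as one unit however many "/" or ":" it contains. The parser below is an added example written for this page; it is not Epok's code and not the grammar from the XRI specification. It assumes the syntax exactly as the slides show it, including "$" as a GCS character because of ($v/3) and ($d/...), and it treats whitespace as terminating the XRI, which is how the misconceptions slide later reads "xri:=john smith".

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Global Context Symbols seen on the slides; "$" is included because of ($v/3) and ($d/...).
GCS_CHARS = "=@+$"


def split_top_level(text: str, separators: str, keep_sep: bool = False) -> List[str]:
    """Split on separator characters that are not nested inside a (...) cross-reference."""
    parts, depth, current = [], 0, ""
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' in " + text)
        if depth == 0 and ch in separators:
            parts.append(current)
            current = ch if keep_sep else ""
            continue
        current += ch
    if depth:
        raise ValueError("unbalanced '(' in " + text)
    parts.append(current)
    return parts


@dataclass
class XRI:
    kind: str                  # "gcs" (=, @, +, $ rooted) or "net" (// rooted)
    gcs: Optional[str]         # the GCS character, None for kind == "net"
    authority: List[str]       # subsegments for "gcs"; the single URI authority for "net"
    path: List[str] = field(default_factory=list)   # local path segments after the first "/"
    trailing: str = ""         # whatever followed the first whitespace, which ends the XRI

    def persistent_authority(self) -> bool:
        """True when every authority subsegment is persistent, i.e. ":"-prefixed."""
        return self.kind == "gcs" and all(s.startswith(":") for s in self.authority)

    def cross_reference(self, segment: str) -> Optional["XRI"]:
        """Parse a segment written as a (...) cross-reference into the XRI it wraps."""
        if segment.startswith("(") and segment.endswith(")"):
            return parse_xri(segment[1:-1])
        return None


def parse_xri(text: str) -> XRI:
    """Parse the slide syntax; the "xri:" scheme prefix is optional."""
    body = text[4:] if text.startswith("xri:") else text
    trailing = ""
    blank = re.search(r"\s", body)
    if blank:                          # "xri:=john smith" parses as =john, per the misconceptions slide
        body, trailing = body[:blank.start()], body[blank.start():]
    if body.startswith("//"):
        head, *path = split_top_level(body[2:], "/")
        return XRI("net", None, [head], path, trailing)
    if not body or body[0] not in GCS_CHARS:
        raise ValueError("XRI must begin with a GCS character or //: " + text)
    head, *path = split_top_level(body, "/")
    # Keep the "." or ":" delimiter on each subsegment so persistence stays visible.
    subsegments = [s for s in split_top_level(head[1:], ".:", keep_sep=True) if s]
    return XRI("gcs", body[0], subsegments, path, trailing)
```

Because cross-references are parsed recursively, xri:@gsa/(xri://gsa.gov/:somepublication) yields a path segment whose cross_reference() is itself a "//"-rooted XRI, and ($v/3) yields a "$"-rooted one with authority ["v"] and path ["3"]; the "/" inside the parentheses never splits the outer path.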
Forms of an XRI
• Well-defined transforms between various "normal forms"
  – XRI normal form: the native XRI
  – IRI normal form: the identifier in the form expected by the IRI draft; primarily involves escaping cross-references so they are opaque to generic IRI parsers
  – anyURI normal form: appropriate for anyURI as defined by XML Schema; transforms the URI-authority component into a legal DNS name
  – URI normal form: a pure RFC 2396-style URI; mainly normalizes international characters
XRI Resolution
• The spec defines resolution for GCS-based XRI Authorities
  – Local Path resolution is not defined
• Resolution is based on HTTP GETs
  – A series of HTTP GETs to successive XRI Authorities
  – The last subsegment points to a LocalAccess or an AlternativeXRI
• Returns XML as an XRIDescriptor element
• XRIDescriptor has well-defined elements for XRIAuthority, LocalAccess, Mapping and AlternativeXRI
• Benefit: extensible via XML, but the server doesn't have to parse XML during resolution
• Each XRI Authority is considered to be unaware of what other subsegments are pointing to it
  – Extremely flexible
  – Makes sanity checking difficult
XRI Resolution (cont.)
• An XRIDescriptor describes the result of resolving one XRI subsegment
• The XRIAuthority element gives the URI for resolving an additional subsegment
• The LocalAccess element gives the URIs to use for various MIME types
• The Resolved element indicates which subsegment was resolved
• Nothing in it indicates which authority resolved it
  – The client is responsible for keeping XRI Descriptors in context
• Sample descriptor
<XRIDescriptor>
  <Resolved>:3</Resolved>
  <XRIAuthority>
    <URI>http://x.customer.com/xri/resolve?ns=hostid</URI>
  </XRIAuthority>
  <LocalAccess>
    <Type>application/vnd.epok.xns</Type>
    <URI>http://x.customer.com/eis/XNSRequest</URI>
    <URI>https://x.customer.com/eis/XNSRequest</URI>
  </LocalAccess>
</XRIDescriptor>
Example of Resolution
• Client wants to resolve "xri:@:1010:3/:6"
• Client disregards everything after the first "/": this part (the Local Path) is not globally resolvable
• Client knows the URI for "@" beforehand
  – http://gcs.xriroot.com/xri/resolve?ns=at
• Client asks "@" about ":1010"
  – http://gcs.xriroot.com/xri/resolve/:1010?ns=at
  – Client parses the XRIDescriptor for its XRIAuthority
    • http://xns.epok.com/xri/resolve?ns=hostid
• Client asks "@:1010" about ":3"
  – http://xns.epok.com/xri/resolve/:3?ns=hostid
  – Client parses the XRIDescriptor for the appropriate local access
• Client can now interact with resource :6 in the context of @:1010:3 via the local access protocol identified in the XRID
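The walk-through above as a client, written as an added example for this page (it is not Epok's code): it follows XRIDescriptor hops from a root authority URI it already knows, keeps the (authority, subsegment) chain itself because a descriptor never says who produced it, and refuses a descriptor whose Resolved element does not name the subsegment it asked about, which is one of the sanity checks the previous slide notes are hard to do. The HTTP GETs are replaced by a dictionary of constructed descriptors keyed by the slide's URLs, so nothing is fetched; the root URI for "@", the hostnames and the descriptor contents are taken from the slides, and the hop limit is an added safeguard of my own.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Root authority URIs the client is assumed to know beforehand (the slide's "@" root).
ROOT_AUTHORITIES = {"@": "http://gcs.xriroot.com/xri/resolve?ns=at"}

# Constructed XRIDescriptor responses standing in for the HTTP GETs of the slide's
# walk-through. The hostnames are the slide's examples; nothing on the network is contacted.
FAKE_RESPONSES = {
    "http://gcs.xriroot.com/xri/resolve/:1010?ns=at": """
        <XRIDescriptor>
          <Resolved>:1010</Resolved>
          <XRIAuthority><URI>http://xns.epok.com/xri/resolve?ns=hostid</URI></XRIAuthority>
        </XRIDescriptor>""",
    "http://xns.epok.com/xri/resolve/:3?ns=hostid": """
        <XRIDescriptor>
          <Resolved>:3</Resolved>
          <XRIAuthority><URI>http://x.customer.com/xri/resolve?ns=hostid</URI></XRIAuthority>
          <LocalAccess>
            <Type>application/vnd.epok.xns</Type>
            <URI>http://x.customer.com/eis/XNSRequest</URI>
            <URI>https://x.customer.com/eis/XNSRequest</URI>
          </LocalAccess>
        </XRIDescriptor>""",
}


def fake_get(url: str) -> str:
    """Stand-in for an HTTP GET of a resolution URI; unknown URLs fail like a 404 would."""
    if url not in FAKE_RESPONSES:
        raise LookupError("no descriptor served at " + url)
    return FAKE_RESPONSES[url]


def subsegment_url(authority_uri: str, subsegment: str) -> str:
    """Append the subsegment to the authority URI's path and keep its query string,
    matching the slide: .../xri/resolve?ns=at + :1010 -> .../xri/resolve/:1010?ns=at"""
    parts = urlsplit(authority_uri)
    return urlunsplit(parts._replace(path=parts.path.rstrip("/") + "/" + subsegment))


def split_xri(xri: str):
    """'xri:@:1010:3/:6' -> ('@', [':1010', ':3'], ':6'). The local path is never resolved."""
    body = xri[4:] if xri.startswith("xri:") else xri
    authority, _, local_path = body.partition("/")
    if not authority or authority[0] not in ROOT_AUTHORITIES:
        raise ValueError("no known root authority for " + xri)
    return authority[0], re.findall(r"[:.]?[^:.]+", authority[1:]), local_path


def resolve(xri: str, get=fake_get, max_hops: int = 8) -> dict:
    gcs, subsegments, local_path = split_xri(xri)
    if not subsegments or len(subsegments) > max_hops:
        raise ValueError("refusing to resolve %d subsegments" % len(subsegments))
    authority_uri = ROOT_AUTHORITIES[gcs]
    chain = []   # (authority URI, subsegment) pairs: the descriptor itself never says who resolved it
    descriptor = None
    for index, seg in enumerate(subsegments):
        # Real responses arrive from the network: parse those with defusedxml rather than
        # plain ElementTree. The constructed input here is safe.
        descriptor = ET.fromstring(get(subsegment_url(authority_uri, seg)).strip())
        if descriptor.tag != "XRIDescriptor" or descriptor.findtext("Resolved") != seg:
            raise ValueError(f"{authority_uri} did not answer for {seg!r}")
        chain.append((authority_uri, seg))
        next_uri = descriptor.findtext("XRIAuthority/URI")
        if index + 1 < len(subsegments):
            if next_uri is None:
                raise ValueError(f"no XRIAuthority to resolve the subsegment after {seg!r}")
            authority_uri = next_uri
    local_access = {la.findtext("Type"): [u.text for u in la.findall("URI")]
                    for la in descriptor.iter("LocalAccess")}
    return {"chain": chain, "local_path": local_path, "local_access": local_access}


def pick_endpoint(result: dict, mime_type: str):
    """Choose the local-access URI for a type, preferring https when the authority lists both."""
    uris = result["local_access"].get(mime_type, [])
    return next((u for u in uris if u.startswith("https://")), uris[0] if uris else None)
```

resolve("xri:@:1010:3/:6") returns the two-hop chain, the unresolved local path ":6" and the LocalAccess table from the last descriptor; pick_endpoint then selects the https URI for application/vnd.epok.xns. The Resolved check is deliberately applied before the next XRIAuthority URI is trusted, since a descriptor can point the client at any host.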
Trusted Resolution
• The XRID is signed by the providing XRI Authority
• Moves metadata like TTL out of the HTTP headers so it can be included in the signed data
• Backward compatible with standard resolution
• Contains a SAML assertion with a new kind of attribute statement that points back to the enclosing XRID (like an enveloped signature)
<XRIDescriptor>
  <Resolved>:3</Resolved>
  <XRIAuthority>
    <URI>http://x.customer.com/xri/resolve?ns=hostid</URI>
  </XRIAuthority>
  <LocalAccess>
    <Type>application/vnd.epok.xns</Type>
    <URI>http://x.customer.com/eis/XNSRequest</URI>
    <URI>https://x.customer.com/eis/XNSRequest</URI>
  </LocalAccess>
  <ds:Signature>
    ...
  </ds:Signature>
  <saml:Assertion>
    ...
  </saml:Assertion>
</XRIDescriptor>
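An added example (not Epok's code) of what the client side of trusted resolution has to check: the signature must cover every field the client is going to act on, including the TTL metadata the slide says moves into the signed XRID, and an unsigned or tampered descriptor is rejected before any field is read. The slide's mechanism is XML-DSig plus a SAML assertion; a full XML-DSig verifier (C14N, reference processing, key resolution) is out of scope here, so the code keeps the shape of an enveloped signature (canonicalize the descriptor with the ds:Signature element removed) but substitutes an HMAC-SHA256 under a shared key for the public-key signature, uses an assumed <Expires> element name for the TTL, and omits the SAML assertion. Only the descriptor content is the slide's; the key, the Expires value and the tampering cases are constructed.

```python
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS_NS)

# Constructed descriptor: the slide's sample plus an assumed <Expires> element carrying
# the TTL inside the signed data instead of in an HTTP header.
DESCRIPTOR = """<XRIDescriptor>
  <Resolved>:3</Resolved>
  <Expires>2004-04-29T00:00:00+00:00</Expires>
  <XRIAuthority>
    <URI>http://x.customer.com/xri/resolve?ns=hostid</URI>
  </XRIAuthority>
  <LocalAccess>
    <Type>application/vnd.epok.xns</Type>
    <URI>http://x.customer.com/eis/XNSRequest</URI>
    <URI>https://x.customer.com/eis/XNSRequest</URI>
  </LocalAccess>
</XRIDescriptor>"""


def signed_portion(root: ET.Element) -> bytes:
    """Enveloped-signature scope: everything except the ds:Signature element, canonicalized
    so that whitespace changes in transit do not break verification."""
    clone = copy.deepcopy(root)
    for sig in clone.findall(f"{{{DS_NS}}}Signature"):
        clone.remove(sig)
    return ET.canonicalize(ET.tostring(clone, encoding="unicode"), strip_text=True).encode()


def sign_descriptor(xml_text: str, key: bytes) -> str:
    """Authority side: append a ds:Signature over the descriptor content (HMAC stand-in)."""
    root = ET.fromstring(xml_text)
    mac = hmac.new(key, signed_portion(root), hashlib.sha256).digest()
    sig = ET.SubElement(root, f"{{{DS_NS}}}Signature")
    ET.SubElement(sig, f"{{{DS_NS}}}SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(root, encoding="unicode")


def verify_descriptor(xml_text: str, key: bytes, now: str):
    """Client side of trusted resolution. Returns (ok, reason).

    The signature is checked before any field is trusted, Expires included: the point of
    moving the TTL into the XRID is that it is covered by the signature.
    """
    root = ET.fromstring(xml_text)
    value = root.findtext(f"{{{DS_NS}}}Signature/{{{DS_NS}}}SignatureValue")
    if value is None:
        return False, "unsigned descriptor rejected in trusted mode"
    expected = hmac.new(key, signed_portion(root), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(value)):
        return False, "signature does not match descriptor content"
    expires = root.findtext("Expires")
    if expires is None or datetime.fromisoformat(now) >= datetime.fromisoformat(expires):
        return False, "descriptor expired or carries no signed Expires"
    return True, "signed by the expected key and unexpired"
```

Swapping in a real XML-DSig verifier changes only signed_portion and the comparison: the policy (verify first, then read Expires from the signed body, and reject an unsigned XRID outright rather than falling back to standard resolution) stays the same.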
Misconceptions about XRIs
Each of the following is false:
• Spaces are legal in XRIs
  – xri:=john smith – the XRI is =john
  – xri:=john%20smith – legal
  – xri:=(john.smith) – legal (though not equivalent to the previous)
• The spec allows multiple @ and = authorities
• xri:@example/=dave is equivalent to @example/(=dave)
• Resolution requires HTTP / HTTPS
• eNames resolve to eNumbers
• / has implied semantics
  – Do . and : imply delegated authority, while / implies organization within the same authority? No
  – =john/addresses/work/city
  – =john/addresses.work/city
• XRIs must be rooted on @, =, + or //
• XRIs have a canonical form
• There is an authority for +