<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="hCalendar@@ hCard@@ erdf@@">
<title>A look at emerging Web security architectures from a Semantic Web perspective</title>
<link rel="schema.foaf" href="@@foaf" />
</head>
<body>
<h1>A look at emerging Web security architectures from a Semantic Web perspective</h1>
<h2><em>Comparing OpenID, SXIP/DIX, InfoCard, SAML to RDF, GRDDL, FOAF, P3P, XFN and hCard</em></h2>
<address>DRAFT in progress<br />
by <a href="http://www.w3.org/People/Connolly/">Dan Connolly</a>, March 2006<br />
Comments can be sent to <a href="http://lists.w3.org/Archives/Public/www-tag/">www-tag</a> or added to a <a href="http://dig.csail.mit.edu/breadcrumbs/node/97">weblog entry</a><br />
<small>$Revision: 1.7 $ of $Date: 2006/03/17 23:16:07 $</small>
</address>
<p>At the <span class="vevent" id="auth-workshop"><a class="url"
rel="foaf-homepage"
href="http://www.w3.org/2005/Security/usability-ws/">W3C security
workshop</a> <abbr class="dtstart" title="2006-03-15">this</abbr>
<abbr class="dtend" title="2006-03-17">week</abbr></span>, I finally
got to study <a href="http://www.sxip.org/">SXIP</a> in some detail
after hearing about it and wondering how it compares to <a
href="http://www.openid.net/">OpenID</a>, Yadis, and the other "Identity 2.0"
techniques brewing. And just in time, with a <a id="dix-bof"
class="vevent url" rel="foaf-homepage" href=
"http://www3.ietf.org/proceedings/06mar/agenda/dix.html">DIX/SXIP
BOF</a> at the Dallas IETF next week.</p>
<p>There was so much to soak in at the workshop that I didn't
manage to talk much with <span class="vcard fn">John Merrells</span>
in the breaks, and the slides[@@linkme] flew by pretty quickly in
his short 20-minute timeslot, but I get the impression that SXIP
has the essential architectural features that got me excited about
OpenID:</p>
<ul>
<li>single sign-on for people (personas)</li>
<li>relying parties can delegate password management</li>
</ul>
<p>The three-party topology is similar to Kerberos (and parts
of HTTP digest authentication that have probably never been
deployed); the interesting thing about these technologies
is the way they integrate with the deployed and emerging Web.</p>
<p>Both OpenID and DIX/SXIP use typed links to connect persona pages
to authentication services. In OpenID, it looks like:</p>
<pre>
&lt;link rel="openid.server" href="http://bob.com/openid-server.app"&gt;
</pre>
<p>Typed links are great, but they're even better when they're
grounded in URI space. (see TAG issue <a
href="http://www.w3.org/2001/tag/issues.html?type=1#standardizedFieldValues-51">standardizedFieldValues-51</a>).
DIX gets points for using URIs:</p>
<pre>
&lt;LINK REL="dix:/homesite" HREF="http://www.sxip.net/homesite"/&gt;
</pre>
<p>... but loses points for <a
href="http://esw.w3.org/topic/UriSpaceSquatting">squatting in URI
space</a>. <tt>dix:</tt> is unregistered, and to register it would be
a poor use of scarce community resources (URI scheme names). Besides,
we want to be able to look up <tt>homesite</tt> in the Web. <a
href="http://www.w3.org/TR/webarch/#pr-describe-resource">Available
representations</a> are good for the Web.</p>
<p>Also, values of the <tt>rel</tt> attribute aren't URIs; the way to
ground them in URI space is to use the <a
href="http://www.w3.org/TR/1999/REC-html401-19991224/struct/global.html#h-7.4.4.3">profile
attribute</a>. So my <a href="http://lists.w3.org/Archives/Public/public-ietf-w3c/2006Mar/0000.html">suggestion</a> is to use:</p>
<pre>
&lt;head profile="http://dixs.org/terms#"&gt;
&lt;link rel="homesite" href="http://www.sxip.net/homesite"/&gt;
</pre>
<p>One of the benefits of using http URIs to ground the terms is that
we can then mix with all the existing HTTP-based goodies like GRDDL
(see TAG issue <a href="http://www.w3.org/2001/tag/issues.html?type=1#RDFinXHTML-35">RDFinXHTML-35</a>). With a suitable namespace document and XSLT
transformation, a persona page with the above markup looks like this
to Semantic Web agents:</p>
<pre>
@prefix dix: &lt;http://dixs.org/terms#&gt;.
&lt;&gt; dix:homesite &lt;http://www.sxip.net/homesite&gt;.
</pre>
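<p>An added example, not code from the article or from SXIP/OpenID: this Python script does the grounding the article proposes. It reads a persona page, turns a bare <tt>rel</tt> token into <tt>profile</tt> + token, emits the resulting triples, and reports <tt>dix:</tt>-style or profile-less links (OpenID's <tt>openid.server</tt>) as ungrounded. The two persona pages are constructed, modelled on the markup above.</p>

```python
# Added example, not from the article: ground typed <link> rel values in URI
# space via the HTML 4 profile attribute (the article's suggestion) and emit
# the RDF triples a GRDDL-aware agent would see. Markup is constructed;
# http://dixs.org/terms# is the article's own hypothetical namespace.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class TypedLinkExtractor(HTMLParser):
    """Collects the head's profile URI and every <link rel= href=>."""
    def __init__(self, base):
        super().__init__()
        self.base, self.profile, self.links = base, None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "head" and a.get("profile"):
            self.profile = a["profile"].split()[0]  # profile may list several URIs
        elif tag == "link" and a.get("rel") and a.get("href"):
            self.links.append((a["rel"].strip(), urljoin(self.base, a["href"])))

def typed_links_to_triples(page_uri, html):
    """Return (grounded triples, ungrounded links) for one persona page.
    A bare rel token is grounded as profile + token (homesite ->
    http://dixs.org/terms#homesite) so it can be looked up on the Web; an
    http(s) rel is used as is; a rel in an unregistered scheme (dix:/homesite)
    or a bare token with no profile (openid.server) is reported ungrounded."""
    p = TypedLinkExtractor(page_uri)
    p.feed(html)
    triples, ungrounded = [], []
    for rel, href in p.links:
        scheme = urlparse(rel).scheme
        if scheme in ("http", "https"):
            triples.append((page_uri, rel, href))
        elif scheme or not p.profile:
            ungrounded.append((rel, href))
        else:
            triples.append((page_uri, p.profile + rel, href))
    return triples, ungrounded

def as_turtle(triples):
    """Serialize the triples as one Turtle statement per line (all IRIs)."""
    return "\n".join(f"<{s}> <{p}> <{o}> ." for s, p, o in triples)

# Constructed persona pages modelled on the article's markup samples.
DIX_PAGE = """<html><head profile="http://dixs.org/terms#">
<link rel="homesite" href="http://www.sxip.net/homesite"/>
<link rel="dix:/homesite" href="http://www.sxip.net/homesite"/></head></html>"""
OPENID_PAGE = """<html><head>
<link rel="openid.server" href="http://bob.com/openid-server.app"></head></html>"""
```

<p>Pass the persona page's own URI as <tt>page_uri</tt>; it becomes the subject of every triple, as <tt>&lt;&gt;</tt> does in the Turtle above.</p>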
<p>This gets particularly interesting when you move
up the stack from DIX to the other parts of SXIP, i.e.
the data/claims exchange. SXIP defines a bunch of
properties for name, email address, etc. I hope to study
the overlap with P3P, FOAF, hCard/vCard, XFN, and the like.
Let's see... how many of these look familiar?</p>
<pre>
property./sxip.net/namePerson/prefix=Prefix
property./sxip.net/namePerson/first=First Name
property./sxip.net/namePerson/last=Last Name
property./sxip.net/namePerson/middle=Middle Name
property./sxip.net/namePerson/suffix=Suffix
property./sxip.net/namePerson/friendly=Alias
property./sxip.net/birthDate/birthYear=Year of Birth
property./sxip.net/birthDate/birthMonth=Month of Birth
property./sxip.net/birthDate/birthDay=Day of Birth
property./sxip.net/contact/phone/default=Main Phone
property./sxip.net/contact/phone/home=Home Phone
property./sxip.net/contact/phone/business=Business Phone
property./sxip.net/contact/phone/cell=Cell Phone
property./sxip.net/contact/phone/fax=Fax
property./sxip.net/contact/IM/default=Main IM
property./sxip.net/contact/IM/AIM=AIM
property./sxip.net/contact/IM/ICQ=ICQ
property./sxip.net/contact/IM/MSN=MSN
property./sxip.net/contact/IM/Yahoo!=Yahoo!
property./sxip.net/contact/IM/Jabber=Jabber
</pre>
<p>Microsoft <a
href="http://msdn.microsoft.com/windowsvista/building/infocard/">InfoCard</a>,
another technology presented at the workshop, has some of the same
architectural features. It uses Web Services Endpoint References where
DIX and OpenID use plain old URIs. <em>Boo!</em> (see TAG issue <a
href="http://www.w3.org/2001/tag/issues.html?type=1#endPointRefs-47">endPointRefs-47</a>). It
uses ws-trust at some level; I'm not sure whether ws-trust is used just
at the DIX/OpenID level or whether it also includes claims
exchange. I'm also not quite clear how the Liberty/SAML stack
relates. There was a little discussion of that at the workshop, but
not much.</p>
<p>A couple of examples show a big overlap in the relevant claims/properties:</p>
<pre>
&lt;form name="ctl00" method="post"
action="https://www.fabrikam.com/InfoCard-Browser/Main.aspx" id="ctl00"&gt;
&lt;center&gt;
&lt;img src='infocard.bmp' onClick='ctl00.submit()'/&gt;
&lt;input type="submit" name="InfoCardSignin" value="Log in" id="InfoCardSignin" /&gt;
&lt;/center&gt;
&lt;OBJECT type="application/x-informationCard" name="xmlToken"&gt;
&lt;PARAM Name="tokenType" Value="urn:oasis:names:tc:SAML:1.0:assertion"&gt;
&lt;PARAM Name="issuer"
Value="urn:schemas-microsoft-com:ws:2005:05:identity:issuer:self"&gt;
&lt;PARAM Name="requiredClaims"
Value="http://schemas.microsoft.com/ws/2005/05/identity/claims/emailaddress;http://schemas.microsoft.com/ws/2005/05/identity/claims/givenname;http://schemas.microsoft.com/ws/2005/05/identity/claims/surname"&gt;
&lt;/OBJECT&gt;
&lt;/form&gt;
</pre>
<p>That's the OBJECT syntax, compatible with existing DTDs for
HTML. Then they have an XHTML syntax:</p>
<pre>
&lt;html XMLNS:IC="http://www.identityselectors.org/2006/10"&gt;
&lt;head&gt;
&lt;style&gt;
IC\:informationCard {behavior:url(#default#informationCard);}
&lt;/style&gt;
&lt;title&gt;Welcome to Fabrikam&lt;/title&gt;
&lt;/head&gt;
&lt;body&gt;
&lt;img src='fabrikam.jpg'/&gt;
&lt;form name="ctl00" method="post"
action="https://www.fabrikam.com/InfoCard-Browser/Main.aspx" id="ctl00"&gt;
&lt;IC:informationCard
issuer="urn:schemas-microsoft-com:ws:2005:05:identity:issuer:self"
tokenType="urn:oasis:names:tc:SAML:1.0:assertion"&gt;
&lt;IC:add claimType="http://schemas.microsoft.com/ws/2005/05/identity/claims/emailaddress"
optional="false" /&gt;
&lt;IC:add claimType="http://schemas.microsoft.com/ws/2005/05/identity/claims/givenname"
optional="false" /&gt;
&lt;IC:add claimType="http://schemas.microsoft.com/ws/2005/05/identity/claims/surname"
optional="false" /&gt;
&lt;/IC:informationCard&gt;
&lt;center&gt;
&lt;input type="submit" name="InfoCardSignin" value="Log in" id="InfoCardSignin" /&gt;
&lt;/center&gt;
&lt;/form&gt;
&lt;/body&gt;
&lt;/html&gt;
</pre>
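<p>As an added example (not the article's or Microsoft's code), the following Python script extracts the required claim types from both syntaxes shown above and checks that the OBJECT form and the XHTML form request the same claims. The forms are constructed after the Fabrikam samples; the <tt>dateofbirth</tt> claim with <tt>optional="true"</tt> is an assumption added only to exercise the optional flag.</p>

```python
# Added example, not from the article or from Microsoft: pull the claim types
# a relying party requests out of both InfoCard markup styles the article
# quotes (HTML OBJECT/PARAM and XHTML ic:informationCard) and check that the
# two forms ask for the same claims. Markup is constructed after the Fabrikam
# samples; dateofbirth is an assumed claim name used only to exercise optional=.
from html.parser import HTMLParser

class InfoCardClaimParser(HTMLParser):
    """Collects the claim URIs a form marks as required, in either syntax."""
    def __init__(self):
        super().__init__()
        self.required = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "param" and a.get("name", "").lower() == "requiredclaims":
            # OBJECT syntax: one PARAM whose value lists claim URIs separated by ';'
            self.required.update(c.strip() for c in a.get("value", "").split(";") if c.strip())
        elif tag == "ic:add" and a.get("claimtype"):
            # XHTML syntax: one IC:add per claim; optional="true" means not required
            if a.get("optional", "false").lower() != "true":
                self.required.add(a["claimtype"].strip())

def required_claims(markup):
    """Return the set of claim-type URIs the markup requires."""
    p = InfoCardClaimParser()
    p.feed(markup)
    return frozenset(p.required)

def same_claims(markup_a, markup_b):
    """True when two forms (e.g. OBJECT vs XHTML syntax) require the same claims."""
    return required_claims(markup_a) == required_claims(markup_b)

CLAIMS = "http://schemas.microsoft.com/ws/2005/05/identity/claims/"
OBJECT_FORM = f"""<form method="post" action="https://www.fabrikam.com/InfoCard-Browser/Main.aspx">
<OBJECT type="application/x-informationCard" name="xmlToken">
<PARAM Name="tokenType" Value="urn:oasis:names:tc:SAML:1.0:assertion">
<PARAM Name="requiredClaims" Value="{CLAIMS}emailaddress;{CLAIMS}givenname;{CLAIMS}surname">
</OBJECT></form>"""
XHTML_FORM = f"""<form method="post" action="https://www.fabrikam.com/InfoCard-Browser/Main.aspx">
<IC:informationCard tokenType="urn:oasis:names:tc:SAML:1.0:assertion">
<IC:add claimType="{CLAIMS}emailaddress" optional="false" />
<IC:add claimType="{CLAIMS}givenname" optional="false" />
<IC:add claimType="{CLAIMS}surname" optional="false" />
<IC:add claimType="{CLAIMS}dateofbirth" optional="true" />
</IC:informationCard></form>"""
```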
<p>Anybody up for compare and contrast using OWL?</p>
<pre>
@prefix owl: &lt;http://www.w3.org/2002/07/owl#&gt;.
@prefix foaf: &lt;http://xmlns.com/foaf/0.1/&gt;.
@prefix iclaims: &lt;http://schemas.microsoft.com/ws/2005/05/identity/claims/&gt;.
iclaims:emailaddress owl:equivalentProperty foaf:mbox.
</pre>
<p>Phil Archer of ICRA presented the RDF-based work that's now a W3C
XG; his main use case is safe browsing for children, but he discussed
the applicability to "mobileOK" labels, and somebody asked a question
about using these labels to connect digital signature certificate
authorities. <em>Aha! Exactly!</em> I showed him TimBL's <a
href="http://www.w3.org/2000/10/swap/doc/Trust">Semantic Web Trust</a>
approach. I hope we get to follow up on that.</p>
<h2>Philosophy, Terminology, and WikiConsensus</h2>
<p>Some of the technical presentations evoked criticism about
confusing terminology. On the one hand, "what is identity?" looks like
a philosophical problem that no self-respecting engineer should touch
with a 10-foot pole, but on the other hand, wording and consistency
seem to have an important impact on usability. I had a number of
criticisms about 'puns' in my <a
href="http://lists.w3.org/Archives/Public/www-archive/2005Jul/0002.html">Jun
2005 review of OpenID</a>. And there's the issue of specialist
terminology like <em>relying party</em> vs words that grandma
understands.</p>
<p>This looks like a pattern language, to me; i.e. just the sort of
thing that WikiWikiWeb is good for.</p>
<p>The <a href="http://identitygang.org/Lexicon">Identity Gang
Lexicon</a> seems to be a pattern language developed in a wiki, but it
doesn't seem to be open to all comers, so it only represents the
consensus of that group. I have noodled on using <a
href="http://www.wikipedia.org/">wikipedia</a> for TAG work on
terminology.</p>
<div>tags: <a rel="tag" href="http://del.icio.us/connolly/architecture">architecture</a>, <a rel="tag" href="http://del.icio.us/connolly/security">security</a></div>
</body>
</html>