<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="hCalendar@@ hCard@@ erdf@@">
  <title>A look at emerging Web security architectures from a Semantic Web perspective</title>
  <link rel="schema.foaf" href="@@foaf" />
</head>
<body>
<div class="nav"><a href="../../">W3C</a></div>

<h1>A look at emerging Web security architectures from a Semantic Web perspective</h1>
<h2><em>Comparing OpenID, SXIP/DIX, InfoCard, SAML to RDF, GRDDL, FOAF, P3P, XFN and hCard</em></h2>

<address>DRAFT in progress<br />
by <a href="http://www.w3.org/People/Connolly/">Dan Connolly</a>, March 2006<br />
Comments can be sent to <a href="http://lists.w3.org/Archives/Public/www-tag/">www-tag</a> or added to a <a href="http://dig.csail.mit.edu/breadcrumbs/node/97">weblog entry</a><br />
<small>$Revision: 1.7 $ of $Date: 2006/03/17 23:16:07 $</small>
</address>

<p>At the <span class="vevent" id="auth-workshop"><a class="url"
rel="foaf-homepage"
href="http://www.w3.org/2005/Security/usability-ws/">W3C security
workshop</a> <abbr class="dtstart" title="2006-03-15">this</abbr>
<abbr class="dtend" title="2006-03-17">week</abbr></span>, I finally
got to study <a href="http://www.sxip.org/">SXIP</a> in some detail
after hearing about it and wondering how it compares to <a
href="http://www.openid.net/">OpenID</a>, Yadis, and the other "Identity 2.0"
techniques brewing. And just in time, with a <a id="dix-bof"
class="vevent url" rel="foaf-homepage" href=
"http://www3.ietf.org/proceedings/06mar/agenda/dix.html">DIX/SXIP
BOF</a> at the Dallas IETF next week.</p>

<p>There was so much to soak in at the workshop that I didn't
manage to talk much with <span class="vcard fn">John Merrells</span>
in the breaks, and the slides[@@linkme] flew by pretty quickly in
his short 20 minute timeslot, but I get the impression that SXIP
has the essential architectural features that got me excited about
OpenID:</p>
<ul>
  <li>single sign-on for people (personas)</li>
  <li>relying parties can delegate password management</li>
</ul>

<p>The three-party topology is similar to Kerberos (and parts
of HTTP digest authentication that have probably never been
deployed); the interesting thing about these technologies
is the way they integrate with the deployed and emerging Web.</p>

<p>Both OpenID and DIX/SXIP use typed links to connect persona pages
to authentication services. In OpenID, it looks like:</p>

<pre>
&lt;link rel="openid.server" href="http://bob.com/openid-server.app">
</pre>

<p>Typed links are great, but they're even better when they're
grounded in URI space. (see TAG issue <a
href="http://www.w3.org/2001/tag/issues.html?type=1#standardizedFieldValues-51">standardizedFieldValues-51</a>).
DIX gets points for using URIs:</p>

<pre>
   &lt;LINK REL="dix:/homesite" HREF="http://www.sxip.net/homesite"/>
</pre>

<p>... but loses points for <a
href="http://esw.w3.org/topic/UriSpaceSquatting">squatting in URI
space</a>. <tt>dix:</tt> is unregistered, and to register it would be
a poor use of scarce community resources (URI scheme names). Besides,
we want to be able to look up <tt>homesite</tt> in the Web.  <a
href="http://www.w3.org/TR/webarch/#pr-describe-resource">Available
representations</a> are good for the Web.</p>

<p>Also, values of the <tt>rel</tt> attribute aren't URIs; the way to
ground them in URI space is to use the <a
href="http://www.w3.org/TR/1999/REC-html401-19991224/struct/global.html#h-7.4.4.3">profile
attribute</a>. So my <a href="http://lists.w3.org/Archives/Public/public-ietf-w3c/2006Mar/0000.html">suggestion</a> is to use:</p>

<pre>
  &lt;head profile="http://dixs.org/terms#">
   &lt;link rel="homesite" href="http://www.sxip.net/homesite"/>
</pre>

<p>One of the benefits of using http URIs to ground the terms is that
we can then mix with all the existing HTTP-based goodies like GRDDL
(see TAG issue <a href="http://www.w3.org/2001/tag/issues.html?type=1#RDFinXHTML-35">RDFinXHTML-35</a>). With a suitable namespace document and XSLT
transformation, a persona page with the above markup looks like this
to Semantic Web agents:</p>

<pre>
@prefix dix: &lt;http://dixs.org/terms#>.
&lt;> dix:homesite &lt;http://www.sxip.net/homesite> .
</pre>

<p>This gets particularly interesting when you move
up the stack from DIX to the other parts of SXIP, i.e.
the data/claims exchange. SXIP defines a bunch of
properties for name, email address, etc. I hope to study
the overlap with P3P, FOAF, hCard/vCard, XFN, and the like.
Let's see... how many of these look familiar?</p>

<pre>
property./sxip.net/namePerson/prefix=Prefix
property./sxip.net/namePerson/first=First Name
property./sxip.net/namePerson/last=Last Name
property./sxip.net/namePerson/middle=Middle Name
property./sxip.net/namePerson/suffix=Suffix
property./sxip.net/namePerson/friendly=Alias
property./sxip.net/birthDate/birthYear=Year of Birth
property./sxip.net/birthDate/birthMonth=Month of Birth
property./sxip.net/birthDate/birthDay=Day of Birth
property./sxip.net/contact/phone/default=Main Phone
property./sxip.net/contact/phone/home=Home Phone
property./sxip.net/contact/phone/business=Business Phone
property./sxip.net/contact/phone/cell=Cell Phone
property./sxip.net/contact/phone/fax=Fax
property./sxip.net/contact/IM/default=Main IM
property./sxip.net/contact/IM/AIM=AIM
property./sxip.net/contact/IM/ICQ=ICQ
property./sxip.net/contact/IM/MSN=MSN
property./sxip.net/contact/IM/Yahoo!=Yahoo!
property./sxip.net/contact/IM/Jabber=Jabber
</pre>

<p>Microsoft <a
href="http://msdn.microsoft.com/windowsvista/building/infocard/">InfoCard</a>,
another technology presented at the workshop, has some of the same
architectural features. It uses Web Services Endpoint References where
DIX and OpenID use plain old URIs. <em>Boo!</em> (see TAG issue <a
href="http://www.w3.org/2001/tag/issues.html?type=1#endPointRefs-47">endPointRefs-47</a>). It
uses ws-trust at some level; I'm not sure whether ws-trust is used just
at the DIX/OpenID level or whether it also covers claims
exchange. I'm also not quite clear how the Liberty/SAML stack
relates. There was a little discussion of that at the workshop, but
not much.</p>


<p>A couple of examples show a big overlap in the relevant claims/properties:</p>

<pre>
      &lt;form name="ctl00" method="post"
          action="https://www.fabrikam.com/InfoCard-Browser/Main.aspx" id="ctl00">
        &lt;center>
          &lt;img src='infocard.bmp' onClick='ctl00.submit()'/>
          &lt;input type="submit" name="InfoCardSignin" value="Log in" id="InfoCardSignin" />
        &lt;/center>
        &lt;OBJECT type="application/x-informationCard" name="xmlToken">
          &lt;PARAM Name="tokenType" Value="urn:oasis:names:tc:SAML:1.0:assertion">
          &lt;PARAM Name="issuer"
              Value="urn:schemas-microsoft-com:ws:2005:05:identity:issuer:self">
          &lt;PARAM Name="requiredClaims"
  Value="http://schemas.microsoft.com/ws/2005/05/identity/claims/emailaddress;http://schemas.microsoft.com/ws/2005/05/identity/claims/givenname;http://schemas.microsoft.com/ws/2005/05/identity/claims/surname">
        &lt;/OBJECT>
      &lt;/form>
</pre>

<p>That's the OBJECT syntax, compatible with existing DTDs for
HTML. Then they have an XHTML syntax:</p>

<pre>
&lt;html XMLNS:IC="http://www.identityselectors.org/2006/10">
    &lt;head>
      &lt;style>
        IC\:informationCard {behavior:url(#default#informationCard);}
      &lt;/style>
      &lt;title>Welcome to Fabrikam&lt;/title>
    &lt;/head>
    &lt;body>
      &lt;img src='fabrikam.jpg'/>
      &lt;form name="ctl00" method="post"
            action="https://www.fabrikam.com/InfoCard-Browser/Main.aspx" id="ctl00">
        &lt;IC:informationCard
            issuer="urn:schemas-microsoft-com:ws:2005:05:identity:issuer:self"
            tokenType="urn:oasis:names:tc:SAML:1.0:assertion">
          &lt;IC:add claimType="http://schemas.microsoft.com/ws/2005/05/identity/claims/emailaddress"
              optional="false" />
          &lt;IC:add claimType="http://schemas.microsoft.com/ws/2005/05/identity/claims/givenname"
              optional="false" />
          &lt;IC:add claimType="http://schemas.microsoft.com/ws/2005/05/identity/claims/surname"
              optional="false" />
        &lt;/IC:informationCard>
        &lt;center>
          &lt;input type="submit" name="InfoCardSignin" value="Log in" id="InfoCardSignin" />
        &lt;/center>
      &lt;/form>
    &lt;/body>
  &lt;/html>  
</pre>

<p>Anybody up for compare and contrast using OWL?</p>

<pre>
@prefix ic: &lt;http://schemas.microsoft.com/ws/2005/05/identity/claims/>.
@prefix owl: &lt;http://www.w3.org/2002/07/owl#>.
@prefix foaf: &lt;http://xmlns.com/foaf/0.1/>.
ic:emailaddress owl:equivalentProperty foaf:mbox .
</pre>

<p>(OWL has no <tt>samePropertyAs</tt>; <tt>owl:equivalentProperty</tt> is
the term. And <tt>foaf:mbox</tt> values are <tt>mailto:</tt> URIs rather than
bare address strings, so the equivalence is approximate and a consumer has to
adjust the value as well as the property name.)</p>
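<p>Added example, not the author's and not from any of the specifications named: the alignment sketched above carried through in Python. A hypothetical set of <tt>owl:equivalentProperty</tt> pairs relates the InfoCard claim types from the Fabrikam form, the SXIP <tt>namePerson</tt> properties from the list above and FOAF terms; since <tt>owl:equivalentProperty</tt> is symmetric and transitive, union-find gives the closure without a reasoner. With that, a relying party can check an InfoCard <tt>requiredClaims</tt> list against claims a SXIP homesite presents and rewrite them into one vocabulary. Reading the SXIP property paths as http URIs, the particular FOAF terms, and the sample claim values are my assumptions.</p>

```python
IC = "http://schemas.microsoft.com/ws/2005/05/identity/claims/"
FOAF = "http://xmlns.com/foaf/0.1/"
SXIP = "http://sxip.net/"   # assumption: SXIP property paths read as http URIs


def sxip_property_uri(line):
    """'property./sxip.net/namePerson/first=First Name' -> (URI, label).

    Assumption: the path after 'property.' is an http URI with the scheme left off.
    """
    key, _, label = line.partition("=")
    path = key[len("property."):]
    return "http:/" + path, label


def parse_required_claims(value):
    """Split the InfoCard requiredClaims PARAM value (';'-separated claim URIs)."""
    return [c.strip() for c in value.split(";") if c.strip()]


class PropertyAlignment:
    """Equivalence classes of property URIs built from owl:equivalentProperty pairs."""

    def __init__(self, pairs):
        self.parent = {}
        for a, b in pairs:
            self.union(a, b)

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path compression
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb

    def same(self, a, b):
        return self.find(a) == self.find(b)

    def canonical(self, prop, prefer=FOAF):
        """Representative of prop's class, preferring a term from the `prefer` namespace."""
        root = self.find(prop)
        members = [q for q in list(self.parent) if self.find(q) == root]
        preferred = sorted(m for m in members if m.startswith(prefer))
        return preferred[0] if preferred else sorted(members)[0]


# Constructed alignment (hypothetical; the page only sketches the first pair).
ALIGNMENT = PropertyAlignment([
    (IC + "emailaddress", FOAF + "mbox"),
    (IC + "givenname", FOAF + "givenname"),
    (IC + "surname", FOAF + "family_name"),
    (sxip_property_uri("property./sxip.net/namePerson/first=First Name")[0], FOAF + "givenname"),
    (sxip_property_uri("property./sxip.net/namePerson/last=Last Name")[0], FOAF + "family_name"),
])


def missing_claims(required, presented, alignment):
    """Required claim types with no equivalent among the presented claim types."""
    return [r for r in required
            if not any(alignment.same(r, p) for p in presented)]


def normalize_claims(presented, alignment):
    """Rewrite presented claims into canonical (FOAF) terms.

    foaf:mbox is a mailto: URI, not a bare address, so the value is adjusted too;
    two source claims landing on one term with different values is an error.
    """
    out = {}
    for ptype, value in presented.items():
        canon = alignment.canonical(ptype)
        if canon == FOAF + "mbox" and not value.startswith("mailto:"):
            value = "mailto:" + value
        if canon in out and out[canon] != value:
            raise ValueError("conflicting values for " + canon)
        out[canon] = value
    return out


# The requiredClaims value from the InfoCard form in the text.
REQUIRED = parse_required_claims(
    IC + "emailaddress;" + IC + "givenname;" + IC + "surname")

# Constructed claims a SXIP homesite might present for the persona.
PRESENTED = {
    SXIP + "namePerson/first": "Bob",
    SXIP + "namePerson/last": "Example",
}

if __name__ == "__main__":
    print("missing:", missing_claims(REQUIRED, PRESENTED, ALIGNMENT))
    print(normalize_claims({**PRESENTED, IC + "emailaddress": "bob@example.org"}, ALIGNMENT))
```

<p>With only the two SXIP name properties presented, the relying party's email claim is reported missing; add an <tt>emailaddress</tt> claim and everything required is covered, with the email rewritten to a <tt>mailto:</tt> value under <tt>foaf:mbox</tt>.</p>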

<p>Phil Archer of ICRA presented the RDF-based work that's now a W3C
XG; his main use case is safe browsing for children, but he discussed
the applicability to "mobileOK" labels, and somebody asked a question
about using these labels to connect digital signature certificate
authorities. <em>Aha! Exactly!</em> I showed him TimBL's <a
href="http://www.w3.org/2000/10/swap/doc/Trust">Semantic Web Trust</a>
approach. I hope we get to follow up on that.</p>


<h2>Philosophy, Terminology, and WikiConsensus</h2>

<p>Some of the technical presentations evoked criticism about
confusing terminology. On the one hand, "what is identity?" looks like
a philosophical problem that no self-respecting engineer should touch
with a 10-foot pole, but on the other hand, wording and consistency
seem to have an important impact on usability.  I had a number of
criticisms about 'puns' in my <a
href="http://lists.w3.org/Archives/Public/www-archive/2005Jul/0002.html">Jun
2005 review of OpenID</a>. And there's the issue of specialist
terminology like <em>relying party</em> vs words that grandma
understands.</p>

<p>This looks like a pattern language, to me; i.e. just the sort of
thing that WikiWikiWeb is good for.</p>

<p>The <a href="http://identitygang.org/Lexicon">Identity Gang
Lexicon</a> seems to be a pattern language developed in a wiki, but it
doesn't seem to be open to all comers, so it only represents the
consensus of that group. I have noodled on using <a
href="http://www.wikipedia.org/">wikipedia</a> for TAG work on
terminology.</p>

<div>tags: <a rel="tag" href="http://del.icio.us/connolly/architecture">architecture</a>, <a rel="tag" href="http://del.icio.us/connolly/security">security</a></div>

</body>
</html>