A look at emerging Web security architectures from a Semantic Web perspective

Comparing OpenID, SXIP/DIX, InfoCard, SAML to RDF, GRDDL, FOAF, P3P, XFN and hCard

DRAFT in progress
by Dan Connolly, March 2006
Comments can be sent to www-tag or added to a weblog entry
$Revision: 1.7 $ of $Date: 2006/03/17 23:16:07 $

At the W3C security workshop this week, I finally got to study SXIP in some detail after hearing about it and wondering how it compares to OpenID, Yadis, and the other "Identity 2.0" techniques brewing. And just in time, with a DIX/SXIP BOF at the Dallas IETF next week.

There was so much to soak in at the workshop that I didn't manage to talk much with John Merrells in the breaks, and the slides[@@linkme] flew by pretty quickly in his short 20-minute timeslot, but I get the impression that SXIP has the essential architectural features that got me excited about OpenID:

The three-party topology is similar to Kerberos (and parts of HTTP digest authentication that have probably never been deployed); the interesting thing about these technologies is the way they integrate with the deployed and emerging Web.

Both OpenID and DIX/SXIP use typed links to connect persona pages to authentication services. In OpenID, it looks like:

   <link rel="openid.server" href="http://bob.com/openid-server.app">

Typed links are great, but they're even better when they're grounded in URI space (see TAG issue standardizedFieldValues-51). DIX gets points for using URIs:

   <LINK REL="dix:/homesite" HREF="http://www.sxip.net/homesite"/>

... but loses points for squatting in URI space. dix: is unregistered, and to register it would be a poor use of scarce community resources (URI scheme names). Besides, we want to be able to look up homesite in the Web. Available representations are good for the Web.

Also, values of the rel attribute aren't URIs; the way to ground them in URI space is to use the profile attribute. So my suggestion is to use:

  <head profile="http://dixs.org/terms#">
   <link rel="homesite" href="http://www.sxip.net/homesite"/>

One of the benefits of using http URIs to ground the terms is that we can then mix with all the existing HTTP-based goodies like GRDDL (see TAG issue RDFinXHTML-35). With a suitable namespace document and XSLT transformation, a persona page with the above markup looks like this to Semantic Web agents:

@prefix dix: <http://dixs.org/terms#>.
<> dix:homesite <http://www.sxip.net/homesite> .
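To make the grounding rule concrete, here is an added example (not code from this article, OpenID or SXIP) that applies it the way a GRDDL-style transform would: with <head profile="P">, a rel value "r" denotes the URI P + r, an OpenID-style bare rel with no profile stays ungrounded, and a rel that squats on an unregistered scheme such as dix: is flagged. The two persona pages and the ftp: href are constructed for the example; it also refuses to treat anything but an http(s) href as a homesite a relying party should fetch.

```python
"""Ground typed links (<link rel=... href=...>) from a persona page in
URI space, following the profile-attribute rule proposed in the text.
Added example; not code from the article, OpenID or SXIP. The pages
and hrefs below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

OPENID_PAGE = """<html><head>
<link rel="openid.server" href="http://bob.com/openid-server.app">
</head><body>bob</body></html>"""

DIX_PAGE = """<html><head profile="http://dixs.org/terms#">
<LINK REL="dix:/homesite" HREF="http://www.sxip.net/homesite"/>
<link rel="homesite" href="http://www.sxip.net/homesite"/>
<link rel="homesite" href="ftp://bob.example/homesite">
</head><body>bob</body></html>"""

class LinkCollector(HTMLParser):
    """Collect the head profile and every <link rel href>, in order."""
    def __init__(self):
        super().__init__()
        self.profile = None
        self.links = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "head" and a.get("profile"):
            self.profile = a["profile"]
        elif tag == "link" and a.get("rel") and a.get("href"):
            self.links.append((a["rel"], a["href"]))

def ground_links(html):
    """Return one (status, term, href) tuple per link.
    status: grounded | ungrounded | scheme-squat | bad-href"""
    p = LinkCollector()
    p.feed(html)
    out = []
    for rel, href in p.links:
        if urlsplit(href).scheme not in ("http", "https"):
            out.append(("bad-href", None, href))      # not a Web-dereferenceable homesite
        elif ":" in rel:
            out.append(("scheme-squat", None, href))  # e.g. the unregistered dix: scheme
        elif p.profile:
            out.append(("grounded", p.profile + rel, href))
        else:
            out.append(("ungrounded", None, href))    # bare token, OpenID style
    return out

def to_turtle(html, subject="<>"):
    """Emit Turtle triples for the grounded links only, like a GRDDL result."""
    return "\n".join(f"{subject} <{t}> <{h}> ."
                     for s, t, h in ground_links(html) if s == "grounded")
```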

This gets particularly interesting when you move up the stack from DIX to the other parts of SXIP, i.e. the data/claims exchange. SXIP defines a bunch of properties for name, email address, etc. I hope to study the overlap with P3P, FOAF, hCard/vCard, XFN, and the like. Let's see... how many of these look familiar?

property./sxip.net/namePerson/prefix=Prefix
property./sxip.net/namePerson/first=First Name
property./sxip.net/namePerson/last=Last Name
property./sxip.net/namePerson/middle=Middle Name
property./sxip.net/namePerson/suffix=Suffix
property./sxip.net/namePerson/friendly=Alias
property./sxip.net/birthDate/birthYear=Year of Birth
property./sxip.net/birthDate/birthMonth=Month of Birth
property./sxip.net/birthDate/birthDay=Day of Birth
property./sxip.net/contact/phone/default=Main Phone
property./sxip.net/contact/phone/home=Home Phone
property./sxip.net/contact/phone/business=Business Phone
property./sxip.net/contact/phone/cell=Cell Phone
property./sxip.net/contact/phone/fax=Fax
property./sxip.net/contact/IM/default=Main IM
property./sxip.net/contact/IM/AIM=AIM
property./sxip.net/contact/IM/ICQ=ICQ
property./sxip.net/contact/IM/MSN=MSN
property./sxip.net/contact/IM/Yahoo!=Yahoo!
property./sxip.net/contact/IM/Jabber=Jabber

Microsoft InfoCard, another technology presented at the workshop, has some of the same architectural features. It uses Web Services Endpoint References where DIX and OpenID use plain old URIs. Boo! (see TAG issue endPointRefs-47). It uses ws-trust at some level; I'm not sure whether ws-trust is used just at the DIX/OpenID level or whether it also covers claims exchange. I'm also not quite clear how the Liberty/SAML stack relates. There was a little discussion of that at the workshop, but not much.

A couple of examples show a big overlap in the relevant claims/properties:

      <form name="ctl00" method="post"
          action="https://www.fabrikam.com/InfoCard-Browser/Main.aspx" id="ctl00">
        <center>
          <img src='infocard.bmp' onClick='ctl00.submit()'/>
          <input type="submit" name="InfoCardSignin" value="Log in" id="InfoCardSignin" />
        </center>
        <OBJECT type="application/x-informationCard" name="xmlToken">
          <PARAM Name="tokenType" Value="urn:oasis:names:tc:SAML:1.0:assertion">
          <PARAM Name="issuer"
              Value="urn:schemas-microsoft-com:ws:2005:05:identity:issuer:self">
          <PARAM Name="requiredClaims"
              Value="http://schemas.microsoft.com/ws/2005/05/identity/claims/emailaddress;http://schemas.microsoft.com/ws/2005/05/identity/claims/givenname;http://schemas.microsoft.com/ws/2005/05/identity/claims/surname">
        </OBJECT>
      </form>

That's the OBJECT syntax, compatible with existing DTDs for HTML. Then they have an XHTML syntax:

<html XMLNS:IC="http://www.identityselectors.org/2006/10">
    <head>
      <style>
        IC\:informationCard {behavior:url(#default#informationCard);}
      </style>
      <title>Welcome to Fabrikam</title>
    </head>
    <body>
      <img src='fabrikam.jpg'/>
      <form name="ctl00" method="post"
            action="https://www.fabrikam.com/InfoCard-Browser/Main.aspx" id="ctl00">
        <IC:informationCard
            issuer="urn:schemas-microsoft-com:ws:2005:05:identity:issuer:self"
            tokenType="urn:oasis:names:tc:SAML:1.0:assertion">
          <IC:add claimType="http://schemas.microsoft.com/ws/2005/05/identity/claims/emailaddress"
              optional="false" />
          <IC:add claimType="http://schemas.microsoft.com/ws/2005/05/identity/claims/givenname"
              optional="false" />
          <IC:add claimType="http://schemas.microsoft.com/ws/2005/05/identity/claims/surname"
              optional="false" />
        </IC:informationCard>
        <center>
          <input type="submit" name="InfoCardSignin" value="Log in" id="InfoCardSignin" />
        </center>
      </form>
    </body>
</html>

Anybody up for compare and contrast using OWL?

@prefix iclaims: <http://schemas.microsoft.com/ws/2005/05/identity/claims/>.
@prefix owl: <http://www.w3.org/2002/07/owl#>.
@prefix foaf: <http://xmlns.com/foaf/0.1/>.
# owl:samePropertyAs was the pre-Recommendation name; OWL 1 calls it owl:equivalentProperty
iclaims:emailaddress owl:equivalentProperty foaf:mbox .

Phil Archer of ICRA presented the RDF-based work that's now a W3C XG; his main use case is safe browsing for children, but he discussed the applicability to "mobileOK" labels, and somebody asked a question about using these labels to connect digital signature certificate authorities. Aha! Exactly! I showed him TimBL's Semantic Web Trust approach. I hope we get to follow up on that.

Philosophy, Terminology, and WikiConsensus

Some of the technical presentations evoked criticism about confusing terminology. On the one hand, "what is identity?" looks like a philosophical problem that no self-respecting engineer should touch with a 10-foot pole, but on the other hand, wording and consistency seem to have an important impact on usability. I had a number of criticisms about 'puns' in my Jun 2005 review of OpenID. And there's the issue of specialist terminology like relying party vs. words that grandma understands.

This looks like a pattern language, to me; i.e. just the sort of thing that WikiWikiWeb is good for.

The Identity Gang Lexicon seems to be a pattern language developed in a wiki, but it doesn't seem to be open to all comers, so it only represents the consensus of that group. I have noodled on using wikipedia for TAG work on terminology.
