Identity Naming

From Bandit-project.org


The Problems

A Digital Identity must be uniquely identifiable

"Digital identity fundamentally requires digital identifiers: strings or tokens that are unique within a given scope (globally or locally within a specific domain, community, directory, application, etc.). Identifiers are the key used by the parties to an identification relationship to agree on the entity being represented. Identifiers may be classified as omnidirectional and unidirectional (see the Laws of Identity). Omnidirectional identifiers are intended to be public and easily discoverable, while unidirectional identifiers are intended to be private and used only in the context of a specific identity relationship." Quoted from Wikipedia [1].

"Identifiers may also be classified as resolvable or non-resolvable. Resolvable identifiers, such as a domain name or e-mail address, may be dereferenced into the entity they represent. Non-resolvable identifiers, such as a person's real-world name, or a subject or topic name, can be compared for equivalence but are not otherwise machine-understandable." Quoted from Wikipedia [1].

From an application perspective, the application does not care what complex system makes up the identity. It needs to establish who the caller is (authentication), enforce policies on that identity (authorization and compliance), and query a few identity properties (for example a display name). The application usually wants a single token, typically represented internally as a string, that encapsulates everything needed to reach the correct Identity Provider. That token is then dereferenced to obtain the significant pieces of information associated with the name: the authority that issued the name, how and whom to contact for additional attributes, short or alternate names, and so on.


Existing Solutions

Formats

There is currently a plethora of formats and schemes for representing digital identities. Directories use X.500 names; Light-Weight Identity (LID), YADIS and others use Uniform Resource Identifiers or Uniform Resource Locators; and some identity systems are exploring eXtensible Resource Identifiers (XRI) or XRI Data Interchange (XDI).

Mapping

Virtual directories and meta directories tend to map all disparate namespaces into a single namespace and expose only that namespace. This yields omnidirectional, resolvable identifiers.

Possible Solutions

  • Require all names being integrated to belong to a common namespace. While this might be the simplest solution, it would severely limit the usefulness of the framework and does not meet real-world requirements.
  • Like a metadirectory or virtual directory, map all names in and out of the context provider into a single namespace. Every entity or identity reference returned, not just the primary identifier, would require mapping.
  • Allow names to pass through the context provider untouched. This allows direct access to all resolvable names that do not conflict among the identity sources consumed within a context provider; applications might receive a mixture of name styles.

Problem Map

Join Policy

Control Criteria

1. Action

  • Search, Add, Modify, Delete
  • Action Realm Order: <List of Realms by ID, First to Last to Contact>
  • Action Realm Filter: <See Realm Filters>
  • Data: <Attributes and Values in Associated Action>

2. Name

  • <String or Name Object Representation of Identity>
  • Name Form Type: X.500, RFC 822, etc.
  • Resolve Realm Order: <List of Realms by ID, First to Last to Contact>
  • Parameters: Name, Name Type, Action
  • Resolve Realm Filter: <See Realm Filters>
  • Data: <Attributes and Values in Associated Action>

3. Dependent Realms

  • List of Realms by ID
  • Dependent Data <Must Be Processed Before Independent Realms are Queried>

Realm Filters

1. Realm Filters

  • All, All Applicable, First, First non-error, Continue Until Error, Set Based, etc.
  • Parameters: Action, Name, Name Type, Data
  • Types: Action, Resolve
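The following Python is an added example, not code from the Bandit project: it puts the third possible solution above (pass names through the context provider untouched) together with the Name Form Type, Resolve Realm Order and Realm Filters sketched in the control criteria. The page only names these pieces, so the name-form detection, the filter semantics, the Realm, resolve and passthrough_identity names and the sample directories are all assumptions made here for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

X500, RFC822, URI = "X.500", "RFC 822", "URI"   # name forms named on the page

# Strict checks: an unrecognised identifier is rejected rather than guessed, because
# the name form decides which realm is asked and so which authority vouches for it.
_DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+(?:,\s*[A-Za-z][A-Za-z0-9-]*=[^,=]+)*$")
_URI_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:\S+$")
_MAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def name_form(name: str) -> str:
    """Classify as X.500 DN, URI or RFC 822 mailbox. Order matters: a DN value may
    contain ':' (a URL in an attribute), and 'mailto:a@b' or 'http://u@h/' contain '@'."""
    if _DN_RE.match(name):
        return X500
    if _URI_RE.match(name):
        return URI
    if _MAIL_RE.match(name):
        return RFC822
    raise ValueError(f"unrecognised name form: {name!r}")

class RealmError(Exception):
    """A realm could not be contacted or refused the query."""

class AmbiguousNameError(Exception):
    """One pass-through name denotes different entities in different realms."""

@dataclass(frozen=True)
class Realm:
    realm_id: str
    name_forms: frozenset                               # forms this realm resolves
    lookup: Callable[[str], Optional[Dict[str, str]]]   # attributes, or None if unknown

REALM_FILTERS = ("first", "first-non-error", "all-applicable", "continue-until-error")

def resolve(name: str, realms: Dict[str, Realm], realm_order: List[str], realm_filter: str
            ) -> Tuple[List[Tuple[str, Dict[str, str]]], List[Tuple[str, str]]]:
    """Contact realms in Resolve Realm Order under a realm filter, read here (assumed) as:
    first = only the first applicable realm, its error propagates;
    first-non-error = stop at the first realm that returns an entity;
    all-applicable = every realm that speaks this name's form;
    continue-until-error = in order, stop at the first error.
    Returns (hits, errors): lists of (realm_id, attributes) and (realm_id, message)."""
    if realm_filter not in REALM_FILTERS:
        raise ValueError(f"unknown realm filter {realm_filter!r}")
    form = name_form(name)
    hits, errors = [], []
    for realm_id in realm_order:
        realm = realms[realm_id]
        if form not in realm.name_forms:        # Name Type parameter: realm not applicable
            continue
        try:
            attrs = realm.lookup(name)
        except RealmError as exc:
            if realm_filter == "first":
                raise
            errors.append((realm_id, str(exc)))
            if realm_filter == "continue-until-error":
                break
            continue
        if attrs is not None:
            hits.append((realm_id, attrs))
            if realm_filter == "first-non-error":
                break
        if realm_filter == "first":
            break
    return hits, errors

def passthrough_identity(name: str, realms: Dict[str, Realm],
                         realm_order: List[str]) -> Optional[Dict[str, str]]:
    """Pass the name through untouched (third possible solution). Sound only while a
    resolvable name denotes one entity across every realm consumed, so ask all
    applicable realms and fail closed: refuse a name two realms claim for different
    entities, and refuse one whose check was incomplete because a realm was down."""
    hits, errors = resolve(name, realms, realm_order, "all-applicable")
    if errors:
        raise RealmError(f"conflict check for {name!r} incomplete: {errors}")
    entities = {attrs["entity"] for _, attrs in hits}
    if len(entities) > 1:
        raise AmbiguousNameError(f"{name!r} resolves to {sorted(entities)}")
    if not hits:
        return None
    realm_id, attrs = hits[0]
    # The single token the application wants: the name, its form and its authority.
    return {"name": name, "form": name_form(name), "authority": realm_id, **attrs}

# Constructed sample identity sources, not real directories.
_HR = {"cn=alice,ou=people,o=example": {"entity": "emp-1001", "displayName": "Alice Example"},
       "alice@example.com": {"entity": "emp-1001", "displayName": "Alice Example"}}
_CRM = {"alice@example.com": {"entity": "contact-77", "displayName": "A. Example (partner)"},
        "https://bob.example.net/": {"entity": "contact-78", "displayName": "Bob Partner"}}

def _unreachable(name: str) -> Optional[Dict[str, str]]:
    raise RealmError("ldap: connection refused")

REALMS = {"legacy": Realm("legacy", frozenset({X500}), _unreachable),
          "hr": Realm("hr", frozenset({X500, RFC822}), _HR.get),
          "crm": Realm("crm", frozenset({RFC822, URI}), _CRM.get)}
ORDER = ["legacy", "hr", "crm"]     # legacy is contacted first and is down
```

With the sample data, resolving Alice's DN under first-non-error records the legacy realm's error and answers from hr, while passthrough_identity("alice@example.com", REALMS, ORDER) is refused: hr and crm both resolve that mailbox name, to different entities, which is exactly the cross-source conflict that makes untouched pass-through unsafe. The fail-closed choice on realm errors is deliberate; a down realm may be the one that would have revealed the conflict, and an authorization decision built on an identifier that might denote two principals is worse than a temporary failure.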

Name Resolution

Name Mapping

Input Massaging

Output Massaging

Cited references

  1. Wikipedia, "Digital identity"