Notice: This Wiki is now read only and edits are no longer possible. Please see: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/wikis/Wiki-shutdown-plan for the plan.
Difference between revisions of "R-Card"
(→R-Card Functionality) |
|||
| Line 5: | Line 5: | ||
== Introduction == | == Introduction == | ||
| − | + | All [[I-Card]]s are are representations of digital identities. They are XML files whose format is defined by the [http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=imi OASIS IMI] specifications. For more information about [[I-Card]]s refer to this OASIS IMI TC or to the [http://informationcard.net Information Card Foundation]. This page assumes that the reader is familiar with personal and managed [[I-Card]]s. | |
| + | |||
| + | To review, an [[I-Card]] can be thought of at a high level as either "holding" a [[digital identity]], as in the case of personal [[I-Card]]s or holding a "pointer" to a [[digital identity]]. When imported into a [[Card Selector]] the user can "send" these (personal or managed) cards to a [[relying party]] (RP). This has the effect of sending a security token containing claims about the [[digital identity]] to the RP. In this user-managed manner, the RP requests a set of claims and the user releases a matching set and conveys them to the RP. | ||
| + | |||
| + | The same process of releasing claims about a [[digital identity]] can be performed using an [[R-Card]]. However, if the RP requests the special "r-card" claim, called "resource-udr", and if the user consents to release, the RP will gain the value of the resource-udr claim. What's special about the resource-udr claim is that in a sense it isn't a regular claim at all. It is a kind of "meta" claim. It operates at a different level. | ||
| + | |||
| + | The value of this meta claim is a "pointer" (so to speak) to an [[Entity]] that is associated with the [[digital identity]] of the card. An [[Entity]] is a data object described by the Higgins [[Context Data Model]]. The values of the attributes of this Entity are the same, at least initially, as the values of the claims being made about the [[digital identity]]. This meta claim references an [[Entity]] object, analogously to how a URL references an HTML document in the Web. | ||
| + | |||
| + | '''Dynamic values.''' By providing a reference to this Entity to the RP, the card issuer is creating a durable connection from the RP to the [[Entity]] such that the RP can request at any time the latest values of these attributes. Although it is true that this connection can be severed either by the user or the card issuer at any time, while it has not been severed, the RP can request the most up-to-date values of the claim. | ||
| + | |||
| + | '''Read/write access.''' A second characteristic provided by [[R-Card]]s is that the RP can not only read the latest values, but it may be able to write some or all of these attribute values. Compare this to regular (non "R") cards wherein all claim values are strictly read-only. | ||
| + | |||
| + | ===The resource-udr "meta" claim=== | ||
| + | |||
| + | From a file format point of view, any [[I-Card]] that supports the http://schemas.informationcard.net/@ics/resource-udr/2009-03 claim is an [[R-Card]]. See [https://wiki.informationcard.net/index.php/Claim_Catalog#2009 ICF Claim Catalog] for more information about this claim type. | ||
The value of the resource-udr claim is either: | The value of the resource-udr claim is either: | ||
| − | * an [[Entity UDI]] | + | * an [[Entity UDI]] |
* an "inline" XRDS document | * an "inline" XRDS document | ||
| − | + | If the resource-udr claim value is an [[Entity UDI]] then the UDI resolution is performed as defined []here and as implemented in [[IdAS UDI Resolution]] | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | in a data context (called a [[Context]]). This Entity object has a set of attributes. The ability to read (and potentially write) these attributes is subject to the access control policy of the data service holding and managing the [[Entity]]. | |
== Claim and Attribute Schema == | == Claim and Attribute Schema == | ||
Revision as of 22:15, 6 July 2009
{{#eclipseproject:technology.higgins|eclipse_custom_style.css}}
Contents
Version
This page provides the Higgins definition of an R-Card ("relationship card") as used in Higgins 1.1.
Introduction
All I-Cards are are representations of digital identities. They are XML files whose format is defined by the OASIS IMI specifications. For more information about I-Cards refer to this OASIS IMI TC or to the Information Card Foundation. This page assumes that the reader is familiar with personal and managed I-Cards.
To review, an I-Card can be thought of at a high level as either "holding" a digital identity, as in the case of personal I-Cards or holding a "pointer" to a digital identity. When imported into a Card Selector the user can "send" these (personal or managed) cards to a relying party (RP). This has the effect of sending a security token containing claims about the digital identity to the RP. In this user-managed manner, the RP requests a set of claims and the user releases a matching set and conveys them to the RP.
The same process of releasing claims about a digital identity can be performed using an R-Card. However, if the RP requests the special "r-card" claim, called "resource-udr", and if the user consents to release, the RP will gain the value of the resource-udr claim. What's special about the resource-udr claim is that in a sense it isn't a regular claim at all. It is a kind of "meta" claim. It operates at a different level.
The value of this meta claim is a "pointer" (so to speak) to an Entity that is associated with the digital identity of the card. An Entity is a data object described by the Higgins Context Data Model. The values of the attributes of this Entity are the same, at least initially, as the values of the claims being made about the digital identity. This meta claim references an Entity object, analogously to how a URL references an HTML document in the Web.
Dynamic values. By providing a reference to this Entity to the RP, the card issuer is creating a durable connection from the RP to the Entity such that the RP can request at any time the latest values of these attributes. Although it is true that this connection can be severed either by the user or the card issuer at any time, while it has not been severed, the RP can request the most up-to-date values of the claim.
Read/write access. A second characteristic provided by R-Cards is that the RP can not only read the latest values, but it may be able to write some or all of these attribute values. Compare this to regular (non "R") cards wherein all claim values are strictly read-only.
The resource-udr "meta" claim
From a file format point of view, any I-Card that supports the http://schemas.informationcard.net/@ics/resource-udr/2009-03 claim is an R-Card. See ICF Claim Catalog for more information about this claim type.
The value of the resource-udr claim is either:
- an Entity UDI
- an "inline" XRDS document
If the resource-udr claim value is an Entity UDI then the UDI resolution is performed as defined []here and as implemented in IdAS UDI Resolution
in a data context (called a Context). This Entity object has a set of attributes. The ability to read (and potentially write) these attributes is subject to the access control policy of the data service holding and managing the Entity.
Claim and Attribute Schema
Definitions
- An R-Card inherits from its managed card basis a linear set, S1, of claim type URIs supported by the STS. The semantics of these claims are unchanged from normal managed cards: the issuer defines the maximal set of supported claims; the actual set of claims encoded in a security token is some or all of this maximal set of claims.
- The target Entity to which the R-Card's resource-udi claim points has a schema consisting of a linear set, S2, of attribute type URIs. To reduce confusion we call S2 attributes as opposed to the S1 claims
- The S2 schema may be retrieved by dereferencing the Entity UDI (e.g. using IdAS) and querying the schema of the Context containing the Entity.
Axioms
- Every member (claim/attribute type URI) of S1 is also member of S2. [The converse isn't necessarily true. That is, S2 may be a superset of S1].
- For any member of S2 that is also a member of S1, the data type of the value(s) of the attribute must be restricted to the set of allowed claim value types defined by the managed card specifications.
- The data type of attributes in S2 that are not also a member of the S2 set of claims, are not limited to those defined by the managed card specifications. [For example, these S2-only attributes may have complex, structured values.]
Claim vs. Attribute values
The value(s) of a claim in S1 (as returned in a security token) is not guaranteed to be the same as the value(s) of the corresponding attribute in S2. This is due to the fact that S2 attributes are dynamic and thus may vary over time. Best practice is that at any given point in time the values SHOULD be the same.
Authentication
Because an R-Card sets up a data sharing relationship that extends outside the boundaries of the exchange of a security token associated with the card (i.e., the current M-Card functionality), this raises the question of how the RP receiving the R-Card will authenticate to the data service hosting the target entity. The issues include:
- How does the RP discover the available authentication schemes?
- What authentication schemes should be supported? How can they be extended?
- How should the authentication credentials be serialized in the data sharing protocol?
Authentication Scheme Discovery
The options under discussion include:
- Specifying the scheme(s) with an additional element directly in the R-Card XML.
- Specifying the schemes(s) using an XRD (which itself is an XML document) that is included within the R-Card itself. The options for including it are:
- Include it within the R-Card XML the same way as the r-card target.
- As a claim within the R-Card claim payload. A possible downside is that if there is no STS involved, there is no source for this claim. On the 2009-02-26 Higgins telecon, it was discussed that perhaps R-Cards should require an STS, which would eliminate this concern.
- Discovering the methods via UDI resolution to an XRDS document. This requires that the target Higgins Context has an XRD that describes it.
Authentication Scheme Types
Just as an R-Card is a superset of an M-Card, the proposal is that:
- R-Card authentication schemes be identified with URIs just like M-Card authentication schemes.
- R-Card authentication schemes be a superset of M-Card authentication schemes.
- One new option in this superset is to use an M-Card, especially because the R-Card functions as an M-Card.
- Other options proposed include:
- "anonymous user"
- "least priviledged user"
- username and password
- SAML2 assertion
- p-card token
- X509 certificate
- SSO (for when the RP knows the user is already authenticated to the RP, so the R-Card client can reuse the same authentication token)
Authentication Credential Serialization
This issue lives at two levels:
IdAS Layer
How will authentication credentials be serialized at the IdAS layer?
2009-02-26 – TODO - Markus to post a proposal.
Data Sharing Protocol Layer
How will authentication credentials be serialized in the data sharing protocol used to access the Entity UDI?
2009-02-26 – proposal from Drummond:
This should be covered by the data sharing protocol specifications and if necessary the schema/dictionary specifications used by that protocol for the specific authentication schemes.
To use XDI as an example, the overall serialization formats for XDI are being defined in the XDI Serialization specification. Then the encoding of the specific XDI data types involved with a particular authentication scheme is specified in the XDI dictionary defining those data types. (XDI dictionaries semantics is being defined in the XDI Dictionary specification.)
Open Issues
- Need to explore the advantages of SAML 2.0's ability to individually sign attributes --e.g. allow the STS to indicate on a per-attribute level what it is authoritative for.