Commentary by Mark Wahl, CISA
Organizing principles for identity systems:
the two camps of attribute types (20070627)
Some of the issues regarding schema definition when developing a new protocol or data format for exchanging identity information are:
- is there a single canonical schema tied to the protocol/format?
- how can existing schemas for other protocols be leveraged in this new protocol?
- can two parties bilaterally choose to use other schema definitions besides "the standard" in this protocol?
- under what process can additional schemas, or changes to schemas, be developed?
One design decision is how an attribute type (or a claim) is specified. There seem to be two camps:
- those protocols and formats that have a model in which there is a small set of well-known types defined alongside the protocol/format itself, and
- those which leave it open by making it relatively easy for any organization to define their own types, by allowing an identifier for that organization (a domain name or Object Identifier) to be embedded in the attribute type identifier.
Those protocols and formats which don't have an organization indicator in their attribute types include:

| Protocol/Format | Attribute types are | Example | Extensibility model |
|---|---|---|---|
| DNS | small numbers 1-65535 | 16 for TXT | IETF process |
| LDAP | short letter/number string, or more rarely an OBJECT IDENTIFIER | cn | IETF process, or bilateral (as typically LDAP does not cross organizational boundaries) |
| vCard | short letter/number string, defined in RFC 2426 | FN | IETF process |
| DSML | short letter/number string, same as LDAP | cn | same as LDAP |
| SPML 2.0 | XML element or attribute name (XSD profile); short letter/number string, same as LDAP (DSML profile) | fullName (XSD) or cn (DSML) | bilateral agreement between sender and receiver |
| hCard | short letter/number string | fn | microformats process |
| jCard | short letter/number string, a JSON object member name | given (within a name object) | potentially same as hCard? |
Those protocols and formats using organization identifiers in their attribute types include:

| Protocol/Format | Attribute types are | Example |
|---|---|---|
| X.500 | OBJECT IDENTIFIER delegated by ITU/ISO | 2.5.4.3 |
| FOAF | RDF predicate URI | http://xmlns.com/foaf/0.1/name |
| SAML 2.0 | URN (NameFormat) and string (Name); OBJECT IDENTIFIER in the case of the LDAP/X.500 profile | NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:2.5.4.42" |
| WS-Trust for CardSpace | URI for claim types | http://schemas.microsoft.com/ws/2005/05/identity/claims/givenname |
| OpenID 2.0 AX | URI (http/https, resolvable to a schema definition of that attribute) | http://schema.openid.net/types/email |
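The two camps can be told apart mechanically, which is what a receiving party needs when deciding which organization defined a type before acting on it. The Python below is an added example, not code from this commentary or from any of the protocols in the tables: it classifies an identifier as an OID, URN, http(s) URI, DNS type number or bare short name, extracts the organization indicator where one exists, and compares two identifiers as whole names. The function names, the canonicalization rules and the sample list (drawn from the examples in the two tables) are this example's own assumptions.

```python
"""Classify identity attribute-type identifiers by naming model.

Added example, not code from the original commentary. It sorts identifiers of
the kinds listed in the tables into the two camps: names that embed an
organization indicator (an OID arc or a domain name) and bare names from a
single flat namespace. Function names and the sample list are assumptions.
"""
import re
from urllib.parse import urlparse, urlunparse

# Dotted OID, optionally in the urn:oid: form used by SAML's X.500/LDAP profile.
OID_RE = re.compile(r"^(?:urn:oid:)?(\d+(?:\.\d+)+)$", re.IGNORECASE)
# Any other URN: urn:<nid>:<nss>; the NID names the assigning organization.
URN_RE = re.compile(r"^urn:([a-z0-9][a-z0-9-]{0,31}):(.+)$", re.IGNORECASE)
# Short letter/number names of the LDAP, DSML, vCard and hCard kind.
SHORT_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def classify(identifier):
    """Return (model, organization) for one attribute type identifier.

    model is one of 'oid', 'uri', 'urn', 'dns-number', 'short-name'.
    organization is the OID arc the type was registered under, the host of a
    URI, or the URN namespace; it is None for the flat-namespace camp.
    """
    ident = identifier.strip()

    m = OID_RE.match(ident)
    if m:
        arcs = m.group(1).split(".")
        first, second = int(arcs[0]), int(arcs[1])
        if first > 2 or (first < 2 and second > 39):
            raise ValueError(f"not a valid OID: {identifier!r}")
        # Everything but the last arc is the branch delegated to the registrant;
        # for X.500 attribute types that branch is 2.5.4.
        return "oid", ".".join(arcs[:-1])

    if ident.isdigit():
        if 1 <= int(ident) <= 65535:
            return "dns-number", None  # DNS RR type number, IETF-assigned
        raise ValueError(f"DNS type number out of range: {identifier!r}")

    m = URN_RE.match(ident)
    if m:
        return "urn", m.group(1).lower()

    if "://" in ident:
        p = urlparse(ident)
        if p.scheme.lower() in ("http", "https") and p.netloc:
            return "uri", p.netloc.lower()
        raise ValueError(f"unsupported URI scheme: {identifier!r}")

    if SHORT_NAME_RE.match(ident):
        return "short-name", None

    raise ValueError(f"unrecognized attribute type identifier: {identifier!r}")


def canonical(identifier):
    """Comparison form: one spelling per type, so equivalent spellings compare
    equal and names from different organizations never do."""
    model, _ = classify(identifier)
    ident = identifier.strip()
    if model == "oid":
        return "oid:" + OID_RE.match(ident).group(1)
    if model == "dns-number":
        return "dns:" + str(int(ident))
    if model == "urn":
        nid, nss = URN_RE.match(ident).groups()
        return "urn:" + nid.lower() + ":" + nss
    if model == "uri":
        p = urlparse(ident)
        # Scheme and host are case-insensitive; path, query and fragment are not.
        return "uri:" + urlunparse(
            p._replace(scheme=p.scheme.lower(), netloc=p.netloc.lower()))
    # LDAP and vCard property names are matched case-insensitively.
    return "name:" + ident.lower()


def same_type(a, b):
    """True when a and b denote the same attribute type."""
    return canonical(a) == canonical(b)


# Identifiers drawn from the two tables (a constructed sample, not a registry).
SAMPLE_IDENTIFIERS = [
    "16", "cn", "FN", "fullName", "given",
    "2.5.4.3", "urn:oid:2.5.4.42",
    "http://xmlns.com/foaf/0.1/name",
    "http://schemas.microsoft.com/ws/2005/05/identity/claims/givenname",
    "http://schema.openid.net/types/email",
    "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
]


def organizations(identifiers):
    """Map each identifier to its organization indicator (None for the flat camp)."""
    return {i: classify(i)[1] for i in identifiers}


if __name__ == "__main__":
    for ident, org in organizations(SAMPLE_IDENTIFIERS).items():
        print(f"{ident:70} -> {org}")
```

Because `same_type` compares the whole canonical identifier, a claim URI under a different host is a different type even when its last path segment reads "givenname", which is exactly the property the organization-scoped camp buys you. For the flat-namespace camp `classify` returns no organization at all: a receiver of `cn` or `fullName` has nothing to check beyond the bilateral agreement named in the extensibility column.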