Mark Wahl, CISA

System and method for ontology-based translation between directory schemas

STAR-106 - Intermediate
ESS-108 - Advanced
SPO-202 - Intermediate
www.peertopatent.org
GEO
ADR
IMG_nnnn.jpg
/john
/john
ldap_open()
ldap_search()
ldap_bind()
danbri's foaf stories
Alice and Bob are now married. Congratulations!
you do not have any friends!
label
comment
seeAlso
 <?xml version="1.0"?>
 <html xmlns="http://www.w3.org/1999/xhtml"
       xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
       xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#"
       xmlns:dc="http://purl.org/dc/elements/1.1/"
       xmlns:owl="http://www.w3.org/2002/07/owl#"
       xmlns:higgins="http://www.eclipse.org/higgins/ontologies/2006/higgins.owl#">
 <head about="">
  <title property="rdfs:label">Example schema containing two attribute types.</title>
  <meta property="rdfs:comment" xml:lang="en" content="This schema has two attribute type definitions: patronymic and age." />
  <meta property="owl:versionInfo" xml:lang="en" content="$1.1$" />
  <link rel="rdf:type" href="http://www.w3.org/2002/07/owl#Ontology" />
  <link rel="owl:imports" href="http://www.eclipse.org/higgins/ontologies/2006/higgins.owl" />
 </head>
 <body>
  <ul about="#patronymic">
   <li><span property="rdfs:label">Patryonymic</span></li>
   <li>This is an <a rel="rdf:type" href="http://www.w3.org/2002/07/owl#ObjectProperty">OWL ObjectProperty</a>.</li>
   <li>This is a sub-property of a
    <a rel="rdfs:subPropertyOf" href="http://www.eclipse.org/higgins/ontologies/2006/higgins.owl#attribute">Higgins attribute</a>.</li>
   </ul>

  <ul about="#age">
   <li><span property="rdfs:label">Age</span></li>
   <li><span property="rdfs:label" lang="de">Alter</span> (German)</li>
   <li><span property="rdfs:label" lang="fr">&#xC2;ge</span> (French)</li>
   <li>Comment: <span property="rdfs:comment">How old a person is (in years)</span></li>
   <li>This is an <a rel="rdf:type" href="http://www.w3.org/2002/07/owl#ObjectProperty">OWL ObjectProperty</a>.</li>
   <li>This is a sub-property of a
    <a rel="rdfs:subPropertyOf" href="http://www.eclipse.org/higgins/ontologies/2006/higgins.owl#attribute">Higgins attribute</a>.</li>
   </ul>
 </body>
 </html>

findDomainsByContact
friend
One day when I was walking through the forest, searching for mandrake and the rare mushroom of everlasting love, I happened upon a big book buried deep in the ground.
I had to leave the forest.
I realised the book was not merely recounting what I did, it was telling me what I should do. It was time I left my house and started exploring the world.
inetOrgPerson
photo
jpegPhoto
nihJpegPhotoDate
jpegPhoto
thumbnailPhoto
jpegPhoto
jpegPhoto
thumbnailPhoto
jpegPhoto
thumbnailPhoto
foaf:depiction
foaf:img
foaf:Person
foaf:thumbnail
    <div about="#me" class="foaf:Person">
       <img rel="foaf:img" src="my-picture.jpg" />
    </div>

default
[A-Za-z0-9]
    "Hello!\0NAIRealms=example.com;example.org"
draft-maques-ddp-00
stolenipods.com
 <http://www.ldap.com/1/commentary/wahl/> <http://www.w3.org/2000/01/rdf-schema#seeAlso> <urn:oid:1.3.6.1.4.1.1466> .

 <http://www.ldap.com/1/commentary/wahl/> <http://www.ldap.com/1/schema/rfc4524.owl#AttributeType_0.9.2342.19200300.100.1.5> "cider" .

 <http://www.ldap.com/1/commentary/wahl/> <http://www.w3.org/2002/07/owl#differentFrom> <http://www.markwahl.com/> .

www.whitehouse.gov/president/
 <http://www.ldap.com/1/commentary/wahl/> <...#shookHandsWith> <http://web.archive.org/web/19990429005552/www.whitehouse.gov/WH/EOP/OP/html/OP_Bio.html> .

 <http://www.ldap.com/1/commentary/wahl/> <...#helpedWithSetAndPropConstructionOn> <http://www.rudemechs.com/shows/history/requiem_03.htm> .

rdf:Bag
6079 SMITH W
(sn=FALL*)
A
rel=
rel=
<a rel="friend met" href="
">
</a>
span
about
a
rel
    <span about="
"><a rel="
" href="
">
</a></span>

xml:base
html
<span about="">
span
foaf:holdsAccount
foaf:weblog
=Alice
http://bob.example.com/
http://bob.example.com/blog/rss.xml
foaf:knows
foaf:weblog
foaf:openid
xfn;friend
 <html xmlns="http://www.w3.org/1999/xhtml" 
       xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#"
       xmlns:foaf="http://xmlns.com/foaf/0.1/"
       xmlns:xfn="
">

    <link rel="xfn:me rdfs:seeAlso" href="xri://=alice">

    <span about="xri://=alice">
       <a rel="foaf:knows xfn:friend" href="http://bob.example.com/">Bob</a>
    </span>
    <span about="http://bob.example.com/">
       <a rel="foaf:openid" href="http://bob.example.com/"></a>
       <a rel="foaf:weblog" href="http://bob.example.com/blog/rss.xml">blogs</a>
     </span>

    <span about="http://bob.example.com/">Bob has pictures on 
       <a rel="foaf:holdsAccount" href="http://www.flickr.com/bob">Flickr</a>.
    </span>

    <span about="http://bob.example.com/">Bob's 
       <a rel="xfpn:blogpost" href="http://bob.example.com/blog/post?id=3">third post</a>.
    </span>

    RupertPupkin FriendOf JerryLangford    
    JerryLangford ShouldBeFriendOf RupertPupkin    
myspace.com
/rupertpupkin
/masha
myspace.com
/masha
/rupertpupkin
myspace.com
/jerrylangford
/lizaminelli 
http://www.myspace.com/jerrylangford
myspace.com
/jerrylangford
myspace.com
/jerrylangford
/rupertpupkin
myspace.com
/jerrylangford
/masha
myspace.com
/jerrylangford
myclaimspace.com
/#rupertpupkin
foaf:friend
/#masha
myclaimspace.com
/#rupertpupkin
foaf:friend
myspace.com/jerrylangford
myclaimspace.com
myclaimspace.com
nbc.com legalese:issuesContractTo /#rupertpupkin
nbc.com?
issuesContractTo
rupertpupkin
myclaimspace.com
myclaimspace.com/#rupertpupkin
    button .b -text "Hello world"
    pack .b

    <embed src="helloworld.tcl" />

 % wish helloworld.tcl

    interp create -safe untrusted

file extension
file open
    proc Interp_File {operation args} {
        switch -- $operation {
              extension -
              dirname -
              rootname -
              tail {
                  return [file $operation [lindex $args 0]]
              }
              default {
                  error "Unsupported file operation: $operation"
              }
        }
    }

    interp alias untrusted file {} Interp_File

http
https
http
https
example.com
:8080
/x.cgi
?foo=bar
#section2
http://joebloggs.example.com
http://openid.example.com/joebloggs
a-z0-9-
/
/./
/../
openid_identifier

Issues with internationalizing domain names (20070729)
mark.wahl@informed-control.com — Sun, 29 Jul 2007 17:05:00 GMT
Commentary by Mark Wahl, CISA
  Organizing principles for identity systems:
 Issues with internationalizing domain names (20070729) 
   In the OpenID authentication 1.1 protocol, an end user provides their identifier URL (in either the http or https scheme) to a relying party web site they are visiting, by typing their identifier into a field the relying party site's web form.   The OpenID authentication 2.0 protocol is similar, but currently also allows the end user's identifier to be an XRI.  
  A HTTP or HTTPS URL is typically expressed with the components 
   the scheme name http or https
 a host id example.com
 an optional port number :8080
 an optional path /x.cgi
 an optional query ?foo=bar
 an optional fragment #section2

    Currently the two most common representation choices of OpenID URLs, for a user with a userid at a identity provider organization, are 
   the host id is a domain name that holds a domain component for the userid followed by the domain name for an identity provider organization; the path, query and fragment components are absent;
  http://joebloggs.example.com 

 the host id contains the domain name for an identity provider organization; the path contains a userid at that identity provider; the query and fragment components are absent; 
  http://openid.example.com/joebloggs 

   There are some significant differences between representing a userid as a domain name component and in a path, including 
   domain name component HTTP URI path

 case-insensitive case-sensitive
 length limited to 255 characters (by RFC 1123) length not limited by HTTP 
   either an ASCII alphanumeric string [a-z0-9-]  (RFC 1034 section 3.5), or 
 an  international domain name component that is  UTF-8 encoded and with its octets percent-encoded.   must begin with a /; the strings  /./ and /../ have special significance;  some characters must be percent-encoded.  
   The proposed standard definition of international domain names in IDNA  (RFC 3490) defines an internationalized domain name, and the components can be  internationalized labels, which contain encoded Unicode characters from outside of the ASCII range.  Out of the Unicode 3.2 charset only a few characters cannot be used, e.g. Unicode "dots" U+3002 (ideographic full stop), U+FF0E (fullwidth full stop), U+FF61 (halfwidth ideographic full stop), space characters, control characters, private use characters, non-character code points, surrogate characters, characters inappropriate for plain text or canonical represntation, display property characters and language tag characters.  IDNA performs a conversion on non-ASCII characters using the "nameprep" (RFC 3491) profile of "stringprep" (RFC 3454), to map upper case characters to lower case.  
  The internet draft "Proposed Issues and Changes for IDNA - An overview" by John Klensin of July 2007 discusses some of the issues that have been found with the model.
  One observation in that draft is that  
 "Historically, many, perhaps most, of the 'names' in the DNS have just    been mnemonics to identify some particular concept, object, or    organization.  They are typically derived from, or rooted in, some    language because most people think in language-based ways.  But,    because they are mnemonics, they need not obey the orthographic    conventions of any language: it is not a requirement that it be    possible for them to be 'words'." 
   Another consideration is display order of the components of a domain name (left-to-right vs right-to-left), which may be different from the order in which the components are transmitted. 
      "Questions remain about protocol constraints implying that the overall    direction of these strings will always be left-to-right (or right-to-    left) for an IRI or email address, or if they even should conform to    such rules.  These questions also have several possible answers.    Should a domain name abc.def, in which both labels are represented in    scripts that are written right-to-left, be displayed as fed.cba or    cba.fed?  An IRI for clear text web access would, in network order,    begin with 'http://' and the characters will appear as    'http://abc.def' -- but what does this suggest about the display    order?  When entering a URI to many browsers, it may be possible to    provide only the domain name and leave the 'http://' to be filled in    by default, assuming no tail (an approach that does not work for    other protocols).  The natural display order for the typed domain    name on a right-to-left system is fed.cba.  Does this change if a    protocol identifier, tail, and the corresponding delimiters are    specified?" 
  An important issue with OpenID in web browser interactions as it relates to international domain names is that the user does not type in their OpenID identifier URL in the 'address bar' of the web browser, where URLs are typically typed in, but instead they enter their URL in a form field of a web page. 
   Any assistance the user's web browser may provide for typing in an international domain name in the address bar doesn't apply to form fields. 
 There is no HTML 4 form INPUT attribute to indicate to the web browser that the value of an attribute should be a URI or URL. Thus, the web browser cannot provide any assistance in entering an international domain name properly.  The OpenID 2.0 authentication document states that The form field's "name" attribute SHOULD have the value "openid_identifier", but this is not generalizable: other services which use URIs in form fields cannot re-use openid_identifier without confusing OpenID-aware applications.
  Some elements of international domain name processing are subject to 'local policy'. In this context, however, the 'local' is the software running the relying party, not the end user's web browser.  As the user has not yet logged in to the relying party, the relying party doesn't know the locale of the user to be able to perform locale-specific aspects of domain name processing on the user's supplied OpenID in accordance with the user's locale. 

  Addressing these limitations would require changes such as  

     <form>
       <label for="openid_identifier">OpenID</label>
       <input type="uri" name="openid_identifier" title="OpenID">
       <label for="openid_locale">Your language</label>
       <select name="openid_locale" title="Your Language" size="1">
          <option value="en" label="English" />
          <option value="fr" label="French" />
           ...

       </select>
    </form>

java.home/lib/security/cacerts
draft-wallace-ta-mgmt-problem-statement-01
http://www.ldap.com/1/commentary/wahl/
bold
italics
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
       xmlns:sioc="http://rdfs.org/sioc/ns#"
       xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
       xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#"
       xmlns:this="http://www.ldap.com/1/commentary/wahl/"
       xmlns:dc="http://purl.org/dc/elements/1.1/"
       xmlns:dcterms="http://purl.org/dc/terms/">

ul
http://www.ldap.com/1/commentary/wahl
Container
date
2007-07-25
 <ul class="sioc:Container" about="http://www.ldap.com/1/commentary/wahl/">
  <li>Last updated <span property="dc:date" content="2007-07-25">2007 July 25</span>

http://www.ldap.com/1/commentary/wahl/20070724_01.shtml
Post
title
created
 <p class="sioc:Post" id="post_20070724_01" about="http://www.ldap.com/1/commentary/wahl/20070724_01.shtml">
  <a href="http://www.ldap.com/1/commentary/wahl/20070724_01.shtml">
   <span property="dc:title">OpenID and 20 years of distributed systems</span>, 
   <span property="dcterms:created" content="2007-07-24T00:00:01Z">2007/7/24</span>
  </a>
  <a href="http://www.ldap.com/1/commentary/wahl/" rel="sioc:has_container"></a>
 </p>

A distributed system is one in which the failure of a computer you didn't even know existed can render your own computer unusable.
The current electrical problem in the machine room 
 is not the culprit--it just highlights a situation that has been getting progressively worse.  It seems that each new version of the nub makes my FF more dependent upon programs that run elsewhere.
xanga.com
Xanga.com
uid
Read
ou=People

(&(objectClass=person)
)
fooPerson
extensibleObject

passwordExpiry
inetOrgPerson
wOrlds
firstName
John
prenom
firstName
prenom
foaf:firstname = frenchfoaf:prenom .
<http://eg.com/joe#p> a foaf:Agent .
       <http://bblfish.net/people/henry/card#me> foaf:knows <http://eg.com/joe#p> .
http://openid.sun.com/bblfish
 <link rel="openid.server" href="https://openid.sun.com/openid/service" />

 <link rel="openid.server" href="https://openid.sun.com/openid/service" />
 <link rel="meta" type="application/rdf+xml" title="FOAF" href="http://bblfish.net/people/henry/card"/>

 PREFIX foaf: <http://xmlns.com/foaf/0.1/>
 SELECT ?mbox ?logo ?nick
 WHERE {
         ?p foaf:openid <http://openid.sun.com/bblfish>.
      OPTIONAL { ?p foaf:mbox ?mbox } .
      OPTIONAL { ?p foaf:logo ?logo } .
      OPTIONAL { ?p foaf:nick ?nick } .
 }

phpbb.cc
            country-name                           
            administration-domain-name  
            network-address                        
            terminal-identifier         
            private-domain-name         
            organization-name           
            numeric-user-identifier     
            personal-name               
            organizational-unit-names   

organizationalPerson
account
wpSchema
inetOrgPerson
User
http://www.crookedtimber.org/archives/001435.html
favoriteDrink
x500standard.com
 dn: uid=jbloggs, dc=example, dc=com
 objectClass: top
 objectClass: person
 objectClass: inetOrgPerson
 uid: jbloggs
 telephoneNumber: 1 213 555 1212
 telephoneNumber: 1 408 555 1212
 postalAddress: 1 Foo Street $ San Jose, CA $ 94087 $ USA
 postalAddress: 1 Bar Street $ Los Angeles, CA $ 90210 $ USA

 dn: uid=jbloggs, dc=example, dc=com
 objectClass: top
 objectClass: person
 objectClass: inetOrgPerson
 objectClass: mobileDeviceUser
 uid: jbloggs
 telephoneNumber: 1 213 555 1212
 telephoneNumber: 1 408 555 1212
 mobileTelephoneNumber: 1 213 555 9999
 mobileTelephoneNumber: 1 408 555 9999
 postalAddress: 1 Foo Street $ San Jose, CA $ 94087 $ USA
 postalAddress: 1 Bar Street $ Los Angeles, CA $ 90210 $ USA
 mobileDeviceCapabilities: <cameraphone/>
 mobileDeviceCapabilities: <java/>

mobileTelephoneNumber
cameraphone
java
child
parent
child
person
location
personalComputingDevice
 dn: uid=jbloggs, dc=example, dc=com
 objectClass: top
 objectClass: person
 objectClass: inetOrgPerson
 objectClass: mobileDeviceUser
 objectClass: parent     #

 uid: jbloggs

 dn: cn=office-Northern, uid=jbloggs, dc=example, dc=com
 objectClass: top
 objectClass: location
 objectClass: child      #

 cn: office-Northern
 telephoneNumber: 1 408 555 1212
 postalAddress: 1 Foo Street $ San Jose, CA $ 94087 $ USA

 dn: cn=office-Southern, uid=jbloggs, dc=example, dc=com
 objectClass: top
 objectClass: location
 objectClass: child      #

 cn: office-Southern
 telephoneNumber: 1 213 555 1212
 postalAddress: 1 Bar Street $ Los Angeles, CA $ 90210 $ USA

 dn: cn=mobilePhone-ATTWS, uid=jbloggs, dc=example, dc=com
 objectClass: top
 objectClass: personalComputingDevice
 objectClass: child      #

 cn: mobilePhone-ATTWS
 mobileTelephoneNumber: 1 213 555 9999
 mobileDeviceCapabilities: <cameraphone/>

 dn: cn=mobilePhone-Cingular, uid=jbloggs, dc=example, dc=com
 objectClass: top
 objectClass: personalComputingDevice
 objectClass: child      #

 cn: mobilePhone-Cingular
 mobileTelephoneNumber: 1 408 555 9999
 mobileDeviceCapabilities: <java/>

uid=jbloggs,dc=example,dc=com
cn=office-Northern,uid=jbloggs,dc=example,dc=com
uid=jbloggs,dc=example,dc=com
cn=office-Southern,uid=jbloggs,dc=example,dc=com
uid=jbloggs,dc=example,dc=com
cn=mobilePhone-ATTWS,uid=jbloggs,dc=example,dc=com
uid=jbloggs,dc=example,dc=com
cn=mobilePhone-Cingular,uid=jbloggs,dc=example,dc=com
FamilyGrouping
FamilyGrouping
entryOnly
notAllowedOnNonLeaf
compoundEntry
FamilyGrouping
entryOnly
compoundEntry
strands
multiStrand
strands
multiStrand
familyReturn
contributingEntriesOnly
participatingEntriesOnly
compoundEntry
(&(uid=jbloggs)(telephoneNumber=1 213*))
entryOnly
FamilyGrouping
contributingEntriesOnly
familyReturn
(&(uid=jbloggs)(telephoneNumber=1 213*))
strands
FamilyGrouping
participatingEntriesOnly
familyReturn
uid=jbloggs,dc=example,dc=com
cn=office-Southern,uid=jbloggs,dc=example,dc=com
uid=jbloggs,dc=example,dc=com
cn=mobilePhone-ATTWS,uid=jbloggs,dc=example,dc=com
uid=jbloggs,dc=example,dc=com
cn=office-Southern,uid=jbloggs,dc=example,dc=com
cn=mobilePhone-ATTWS,uid=jbloggs,dc=example,dc=com
 TITLE: Destitute pea pickers in California. Mother of seven children. Age thirty-two. Nipomo, California.
 AUTHOR: Lange, Dorothea, photographer.
 OTHER TITLES: Migrant mother.
 CREATED/PUBLISHED: 1936 Feb.
 SUMMARY: Portrait shows Florence Thompson with several of her children in a photograph known as "Migrant Mother."
 SUBJECT: Migrant agricultural laborers.
 SUBJECT: Mothers & children.
 SUBJECT: Poor persons.
 SUBJECT: Migrants--California
 SUBJECT: Nitrate negatives.
 SUBJECT: Portrait photographs.
 SUBJECT: Group portraits.
 SUBJECT: United States--California--San Luis Obispo County--Nipomo.
 MEDIUM: 1 negative : nitrate ; 4 x 5 in.
 PART OF: Farm Security Administration - Office of War Information Photograph Collection
 REPOSITORY: Library of Congress Prints and Photographs Division Washington, DC 20540
 DIGITAL ID: (b&w digital file from nitrate neg.) fsa 8b29516
 DIGITAL ID: (digital file from print) ppmsca 12883 http://hdl.loc.gov/loc.pnp/ppmsca.12883 

  <credential:X.509Certificate rdf:ID="X.509">
   <credential:issuer rdf:resource="Verisign" />
 </credential:X.509Certificate>

 <securityMain:SAML rdf:ID="Capability1">
   <securitymain:reqCredentials rdf:resource="&credential;X.509" />
 </securityMain:SAML>

 <agent:Agent rdf:about="#BookRequest">
   <securityCapability rdf:resource="#Capability1"/>

 </agent:Agent>

  <securityMain:SAML rdf:ID="Requirement">
   <securityMain:reqCredentials rdf:resource="&credential;X.509" />
 </securityMain:SAML>

  <profile:Profile rdf:about="#BookSeller">

   <securityRequirement rdf:resource="#Requirement1"/>
 </profile:Profile>

build.xml
schemat-src-20070716.zip
http://www.ldap.com/1/commentary/wahl/
a href
The Location Object MUST support use       of Unlinked Pseudonyms in the corresponding identification fields       of Rule Maker, Target, Device, and Location Recipient.  Since       Unlinked Pseudonyms are simply bit strings that are not linked       initially to a well-known identity, this requirement boils down to       saying that the name space for Identifiers used in the LO has to       be large enough to contain many unused strings.
The protocol SHOULD allow a bypass if authentication       fails in an emergency call.
    <conditions>
       <identity>
           <one id="sip:alice@example.com"/>
           <one id="tel:+1-212-555-1234" />
           <one id="mailto:bob@example.net" />
       </identity>
    </conditions>

   <conditions>
         <sphere value="work"/>
         <identity>
             <many>
                 <except domain="example.com"/>
                 <except domain="example.org"/>
                 <except id="sip:alice@bad.example.net"/>
                 <except id="sip:bob@good.example.net"/>
                 <except id="tel:+1-212-555-1234" />
                 <except id="sip:alice@example.com"/>
             </many>
         </identity>
         <validity>
             <from>2003-12-24T17:00:00+01:00</from>
             <until>2003-12-24T19:00:00+01:00</until>
         </validity>
     </conditions>

                               full
       {<country>, <A1>, <A2>, <A3>, <A4>, <A5>, <A6>, <PRD>, <POD>,
        <STS>, <HNO>, <HNS>, <LMK>, <LOC>, <PC>, <NAM>, <FLR>,
        <BLD>,<UNIT>,<ROOM>,<PLC>, <PCN>, <POBOX>, <ADDCODE>, <SEAT>
        <RD>, <RDSEC>, <RDBR>, <RDSUBBR> <PRM>, <POM>}
                                |
                                |
                             building
          {<country>, <A1>, <A2>, <A3>, <A4>, <A5>, <A6>, <PRD>
          <POD>, <STS>, <HNO>, <HNS>, <LMK>, <PC>,
          <RD>, <RDSEC>, <RDBR>, <RDSUBBR> <PRM>, <POM>}
                                |
                                |
                              city
                      {<country>, <A1>, <A2>, <A3>}
                                |
                                |
                              region
                         {<country>, <A1>}
                                |
                                |
                             country
                           {<country>}
                                |
                                |
                               none

houseIdentifier
street
feature.xsd
    <gml:location>
      <gml:Point gml:id="point1" srsName="epsg:4326">
        <gml:coordinates>37:46:30N 122:25:10W</gml:coordinates>
      </gml:Point>
    </gml:location>

country
A1
A2
A3
A4
A5
A6
PRM
PRD
RD
STS
POD
POM
RDSEC
RDBR
RDSUBBR
HNO
HNS
LMK
LOC
FLR
NAM
PC
BLD
UNIT
ROOM
SEAT
PLC
PCN
POBOX
ADDCODE
   <civicAddress xml:lang="en-AU"
     xmlns="urn:ietf:params:xml:ns:pidf:geopriv10:civicAddr">
     <country>AU</country>
     <A1>NSW</A1><A3>Wollongong</A3><A4>North Wollongong</A4>
     <RD>Flinders</RD><STS>Street</STS>
     <RDBR>Campbell Street</RDBR>
     <LMK>Gilligan's Island</LMK> <LOC>Corner</LOC>
     <NAM>Video Rental Store</NAM>
     <PC>2500</PC>
     <ROOM>Westerns and Classics</ROOM>
     <PLC>store</PLC>
     <POBOX>Private Box 15</POBOX>
   </civicAddress>

    <gp:location-info>
      <gml:Point srsName="urn:ogc:def:crs:EPSG::4326"
         <gml:pos>-43.5723 153.21760</gml:pos>
      </gml:Point>
      <cl:civicAddress>
        <cl:FLR>2</cl:FLR>
      </cl:civicAddress>
    </gp:location-info>

pres:
username@domain
pres:someone@example.com
09012345678
    <?xml version="1.0" encoding="UTF-8"?>
    <impp:presence xmlns:impp="urn:ietf:params:xml:ns:pidf"
        entity="pres:someone@example.com">
      <impp:tuple id="sg89ae">
        <impp:status>
          <impp:basic>open</impp:basic>
        </impp:status>
        <impp:contact priority="0.8">tel:+09012345678</impp:contact>
      </impp:tuple>
    </impp:presence>

    <?xml version="1.0" encoding="UTF-8"?>
    <presence xmlns="urn:ietf:params:xml:ns:pidf"
       xmlns:gp="urn:ietf:params:xml:ns:pidf:geopriv10"
       xmlns:cl="urn:ietf:params:xml:ns:pidf:geopriv10:civicAddr"
       xmlns:gml="http://www.opengis.net/gml"
       entity="pres:mike@seattle.example.com">
      <tuple id="sg89ab">
        <status>
          <gp:geopriv>
            <gp:location-info>
              <gml:Point srsName="urn:ogc:def:crs:EPSG::4326"
                 <gml:pos>-43.5723 153.21760</gml:pos>
              </gml:Point>
              <cl:civicAddress>
                <cl:FLR>2</cl:FLR>
              </cl:civicAddress>
            </gp:location-info>
            <gp:usage-rules>
              <gp:retransmission-allowed>yes</gp:retransmission-allowed>
              <gp:retention-expiry>2003-06-23T04:57:29Z</gp:retention-expiry>
            </gp:usage-rules>
          </gp:geopriv>
        </status>
        <timestamp>2003-06-22T20:57:29Z</timestamp>
      </tuple>
    </presence>

retransmission-allowed
retention-expired
ruleset-reference
xml:lang
xml:lang
DisplayTokenText
MimeType
DisplayClaim
DisplayClaim
Uri
DisplayTag
Description
DisplayValue
Description
 java -jar schemat_selector.jar --initialize-home keystore password: secret 
 java -jar schemat_selector.jar --import-persona \  --import-file file:///tmp/me.rdf#me /tmp/me.rdf \  --persona personal 
labeledURI
inetOrgPerson
top
person
 java -jar schemat_selector.jar --import-persona \  --import-file file:///tmp/me.ldif#uid=me /tmp/me.ldif \  --persona work 
 java -jar schemat_selector.jar --login --persona work \  --uri https://rp.example.com/relyingparty/ 
http://schemas.xmlsoap.org/ws/2005/05/identity/claims
owl:equivalentProperty
schemas.xmlsoap.org
selfissued.rdf
givenname
surname
emailaddress
streetaddress
locality
stateorprovince
postalcode
country
primaryphone
webpage
homephone
mobilephone
 <rdf:Description   rdf:about="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
   <rdfs:isDefinedBy 
    rdf:resource="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/" />
   <owl:equivalentProperty rdf:resource="http://xmlns.com/foaf/0.1/surname" />
   <owl:equivalentProperty rdf:resource="http://www.ldap.com/1/schema/rfc4519.owl#2.5.4.4" />
 </rdf:Description>  
surname
surname
sn
schemat_selector-jar-20070706.zip
schemat-src-20070706.zip

Inventors:	Gadbois; David Gregory (Austin, TX), Wahl; Mark (Austin, TX)
Assignee:	Sun Microsystems, Inc. (Santa Clara, CA)
Filed:	June 28, 2002

static claims	for traditional attribute types
relationship claims	indicating connections between entities
derived claims	less "leaky" than static claims
capability claims	claims for authorization
meta-claims	claims about the subject

the book is published and becomes a bestseller;	it's turned into a performance,

but the media frenzy (captured in the text itself)	causes the story to unravel.

1.	Babs Jensen from the U-M Directory
	Babs is a big sailing fan, and travels extensively in search of perfect sailing conditions.
2.	Tyrone Slothrop from Gravity's Rainbow
	Tyrone Slothrop is an anagram for "Sloth or Entropy".
3.	`6079 SMITH W` from 1984
	...I have guided Eurasian rocket bombs to targets on Airstrip One by means of coded radio signals.
4.	The Prisoner from The Prisoner
	For instance, do you remember that time you arrived back from Singapore? Change of climate, feeling a bit shaky. You were sickening for a... cold. Sneezed yourself out of our camera. Deciding to take a vacation. Now, where can you go? Ireland? Bit too cold that time of the year. Paris! Maybe not. "What was that? Sounded like a click! Something in the mirror? Or was it over there? Yes - over there, too!" You see, there's not much we don't know about you, but one likes to know everything.
5.	Agatha from Minority Report
	In 2054, the six-year Precrime experiment was abandoned. All prisoners were unconditionally pardoned and released, though police departments kept watch on many of them for years to come. Agatha and the twins were transferred to an undisclosed location, a place where they could find relief from their gifts. A place where they could live out their lives in peace.
6.	James Cole from Twelve Monkeys
	They wanted identification. I don't have any identification.
7.	The land surveyor K from The Castle
	K. listened intently. So the Castle had appointed him land surveyor. On one hand, this was unfavorable, for it showed that the Castle had all necessary information about him, had assessed the opposing forces, and was taking up the struggle with a smile. On the other hand, it was favorable, for it proved to his mind that they underestimated him and that he would enjoy greater freedom than he could have hoped for at the beginning.
8.	Individuals matching the pattern `(sn=FALL)` from The Falls*
	It was said that if the VUE had not happened, then Leasting Fallvo could have invented it.

Site	Page	Relation	To
`myspace.com`	`/rupertpupkin`	friend	`/masha`
`myspace.com`	`/masha`	friend	`/rupertpupkin`

Site	Page	Relation	To
`myspace.com`	`/jerrylangford`	friend	...
`myspace.com`	`/jerrylangford`	friend	`/rupertpupkin`
`myspace.com`	`/jerrylangford`	friend	`/masha`
`myspace.com`	`/jerrylangford`	friend	...

Site	Subject	Predicate	Object
`myclaimspace.com`	`/#rupertpupkin`	`foaf:friend`	`/#masha`
`myclaimspace.com`	`/#rupertpupkin`	`foaf:friend`	`myspace.com/jerrylangford`

the scheme name	`http` or `https`
a host id	`example.com`
an optional port number	`:8080`
an optional path	`/x.cgi`
an optional query	`?foo=bar`
an optional fragment	`#section2`

domain name component	HTTP URI path
case-insensitive	case-sensitive
length limited to 255 characters (by RFC 1123)	length not limited by HTTP
either an ASCII alphanumeric string [`a-z0-9-`] (RFC 1034 section 3.5), or an international domain name component that is UTF-8 encoded and with its octets percent-encoded.	must begin with a `/`; the strings `/./` and `/../` have special significance; some characters must be percent-encoded.

Not duck typed		Duck typed
The `Read` operation		Subtree searching
`ou=People` branch		Searching from the base of the naming context
families of entries

Not duck typed		Duck typed
Searching for `(&(objectClass=person)`...`)`		Only having auxiliary classes (if at all) in search filters
Application-specific object classes (e.g., `fooPerson`)		`extensibleObject`

Not duck typed		Duck typed
OIDs in search filters or in requested attribute lists		Using string names for attribute types
Application specific attribute types

Schema Assumption	Invalidated by
individuals only have 3-4 naming attributes	"A fully evolved nomenclature consists of (in this order) laqab, kunya, ism, patronymic (with or without further nasab), nisba(s)..." from Arabic Nomenclature: a summary guide for beginners
everyone has a given name and surname	for cultures which do not make use of a surname or family name, e.g., Icelandic or Malay
everyone has a single full name or nickname that is what everyone else refers to them as	Even in the US, Dr. Robert Smith would expect to be called "Dr. Smith" by a patient and "Bob" by a family member.
everyone in a culture has the same 'display order' for their name	"I've found that name order in Chinese persons is a marginally reliable indicator of attitudes towards the West.", quoted from `http://www.crookedtimber.org/archives/001435.html`

the RP?	But could this lead to phishing attacks?
an identity selector plugin developer?	Personalization and themability are popular in both open source UI platforms and hosted web applications
a metasystem "master of ceremonies"?	Are there categories of interactions for which there is an existing well-defined ceremony that should be used instead?
the user's local administrator?	What aspects of the interaction should be affected by Group Policy or similar mechanisms?
a claim schema creator?	If I define a favoriteDrink claim type, can I include icons for displaying values of "beer"/"wine"/"soda"?
a claim schema commentator?	If I declare favoriteBeverage and favoriteDrink to be effectively the same claim type, can I cause the favoriteBeverage UI aspects to affect the favoriteDrink claim presentation?
the RP's CA?	Can an CA limit what claims are appropriate for sending to RPs it certifies?
advertisers?	Inline advertisements are a hallmark of many free hosted services and are a possibility on the desktop as well

`Uri`	the unique identifier URI of the claim type (this is required)
`DisplayTag`	a "friendly" name of the claim
`Description`	a "description of the semantics" for the claim
`DisplayValue`	the displayable value of the claim to be sent to the RP, currently a short string

Mark Wahl, CISA

RSA Conference 2010 (20100227)

RSA Conference 2010 (20100227)

Recent publication on ontology-based translation between directory schemas (20090706)

Recent publication on ontology-based translation between directory schemas (20090706)

Recent publications on anomalous directory client activity detection (20090417)

Recent publications on anomalous directory client activity detection (20090417)

Security, identity and access sessions at the 2009 RSA Conference (20090417)

Security, identity and access sessions at the 2009 RSA Conference (20090417)

2009 TEC (20090326)

2009 TEC (20090326)

2009 TEC starts in a week (20090313)

2009 TEC starts in a week (20090313)

NIST draft SP 800-122 comment period ending (20090307)

NIST draft SP 800-122 comment period ending (20090307)

2009 TEC Directory and Identity keynote (20090306)

2009 TEC Directory and Identity keynote (20090306)

Some Microsoft-led sessions on the metasystem scheduled for the 2009 RSA Conference (20090223)

Some Microsoft-led sessions on the metasystem scheduled for the 2009 RSA Conference (20090223)

New NIST list of security controls (20090211)

New NIST list of security controls (20090211)

Recent publications on network authentication, or how can you be in two places at once? (20081003)

Recent publications on network authentication, or how can you be in two places at once? (20081003)

Recent publication on validation of middleware failover behavior (20080903)

Recent publication on validation of middleware failover behavior (20080903)

Wikidentity provider? (20080903)

Wikidentity provider? (20080903)

Microsoft Identity Lifecycle Manager “2” beta news links (20080614)

Microsoft Identity Lifecycle Manager “2” beta news links (20080614)

Trust vs the Distancing Effect (20080418)

Trust vs the Distancing Effect (20080418)

RSA Conference 2008 US (20080414)

RSA Conference 2008 US (20080414)

Peer-To-Patent public community patent application prior-art review and Ontology-based translation between directory schemas (20080324)

Peer-To-Patent public community patent application prior-art review and Ontology-based translation between directory schemas (20080324)

Documenting microformats processes (20080203)

Documenting microformats processes (20080203)

Metadata in Personal Content Experience (20080128)

Metadata in Personal Content Experience (20080128)

Information Assurance for CS undergrads at UT Austin (20080104)

Information Assurance for CS undergrads at UT Austin (20080104)

digital identity book recommendation for 2007 (20080102)

digital identity book recommendation for 2007 (20080102)

(fwd) i-card hero ROCKS!!!! (20071230)

(fwd) i-card hero ROCKS!!!! (20071230)

Assimilation (20071128)

Assimilation (20071128)

7,302,439 (20071127)

7,302,439 (20071127)

Bob Blakley on outsourcing to the identity oracle (20071122)

Bob Blakley on outsourcing to the identity oracle (20071122)

Closing ICANN Comment Period on WHOIS (20071027)

Closing ICANN Comment Period on WHOIS (20071027)

52 What-ifs of Identity Science Fiction (20071004)

52 What-ifs of Identity Science Fiction (20071004)

OT Frivolous Blog and Clothing Store (20071003)

OT Frivolous Blog and Clothing Store (20071003)

Gartner Magic Quadrants for User Provisioning (20071002)

Organizing principles for identity systems: Gartner Magic Quadrants for User Provisioning (20071002)

Digital ID World presentation on CardSpace in credit card txns (20070925)

Organizing principles for identity systems: Digital ID World presentation on CardSpace in credit card txns (20070925)

Digital ID World presentation on LDAP in media asset metadata management (20070925)

Organizing principles for identity systems: Digital ID World presentation on LDAP in media asset metadata management (20070925)

Digital ID World keynote by Jamie Lewis (20070925)

Organizing principles for identity systems: Digital ID World keynote by Jamie Lewis (20070925)

Digital ID World Liberty Alliance IDDY Awards (20070925)

Organizing principles for identity systems: Digital ID World Liberty Alliance IDDY Awards (20070925)

Digital ID World and OpenID URLs (20070925)

Organizing principles for identity systems: Digital ID World and OpenID URLs (20070925)

Digital ID World and an EAP-SIM PoC (20070925)

Organizing principles for identity systems: Digital ID World and an EAP-SIM PoC (20070925)

Digital ID World panel on interoperability partners, and developer difficulties (20070924)

Organizing principles for identity systems: Digital ID World panel on interoperability partners, and developer difficulties (20070924)

Digital ID World: Convergence of Internet-scale Identity Systems (20070924)

Organizing principles for identity systems: Digital ID World: Convergence of Internet-scale Identity Systems (20070924)

Digital ID World keynote: Kim Cameron on claims (20070924)

Organizing principles for identity systems: Digital ID World keynote: Kim Cameron on claims (20070924)

Digital ID World keynote: Managing the Decentralization of Identity (20070924)

Organizing principles for identity systems: Digital ID World keynote: Managing the Decentralization of Identity (20070924)

Digital ID World opening keynote (20070924)

Organizing principles for identity systems:
Gartner Magic Quadrants for User Provisioning (20071002)

Organizing principles for identity systems:
Digital ID World presentation on CardSpace in credit card txns (20070925)

Organizing principles for identity systems:
Digital ID World presentation on LDAP in media asset metadata management (20070925)

Organizing principles for identity systems:
Digital ID World keynote by Jamie Lewis (20070925)

Organizing principles for identity systems:
Digital ID World Liberty Alliance IDDY Awards (20070925)

Organizing principles for identity systems:
Digital ID World and OpenID URLs (20070925)

Organizing principles for identity systems:
Digital ID World and an EAP-SIM PoC (20070925)

Organizing principles for identity systems:
Digital ID World panel on interoperability partners, and developer difficulties (20070924)

Organizing principles for identity systems:
Digital ID World: Convergence of Internet-scale Identity Systems (20070924)

Organizing principles for identity systems:
Digital ID World keynote: Kim Cameron on claims (20070924)

Organizing principles for identity systems:
Digital ID World keynote: Managing the Decentralization of Identity (20070924)

Organizing principles for identity systems:
Digital ID World opening keynote (20070924)

Organizing principles for identity systems:
Anti-utopian social networking #3 - the real world and its online representation (20070917)

Organizing principles for identity systems:
Data Sharing and fault tolerance (20070909)

Organizing principles for identity systems:
Identity Schema Value Syntax Restrictions at Data Sharing Summit Day 2 (20070908)

Organizing principles for identity systems:
Identity Schema Metadata at Data Sharing Summit Day 1 (20070908)

Organizing principles for identity systems:
Identity schema element metadata in RDFa (20070906)

Organizing principles for identity systems:
Timeline of WHOIS, the original Internet social network service (20070824)

Organizing principles for identity systems:
Identity research presentations at Hotsec: Horton, user-based attestation and opportunistic personas (20070823)

Organizing principles for identity systems:
Anti-utopian social networking #2 (20070811)

Organizing principles for identity systems:
Report on the state of the art in software security assurance (20070810)