J. Merrells Internet Draft Sxip Identity Expires: July 2006 January 17, 2006 DIX: Digital Identity Exchange Protocol draft-merrells-dix-00.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html This Internet-Draft will expire on July 17, 2006. Abstract DIX is an Internet scale protocol for exchanging identity information between endpoints. The protocol architecture maintains a separation of control between all parties of the exchange and supports both compartmentalized and anonymous identities. Merrells Expires July 17, 2006 [Page 1] Internet-Draft Digital Identity Exchange Protocol January 2006 Conventions used in this document In examples, "C:" and "S:" indicate lines sent by the client and server respectively. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC-2119 [RFC2119]. Table of Contents 1. Introduction...................................................3 2. Definitions....................................................3 2.1. User......................................................3 2.2. Identity Data.............................................3 2.3. Persona...................................................3 2.4. Homesite..................................................3 2.5. Membersite................................................4 2.6. Dumb Client...............................................4 3. Overview.......................................................4 3.1. Transport Bindings........................................4 3.2. Names and Types...........................................4 3.2.1. URLs and URIs........................................5 3.2.2. Site Paths...........................................5 3.2.3. Site Endpoint URL....................................5 3.2.4. Persona URL..........................................6 3.2.5. Site Document........................................6 3.2.6. DIX URI Namespace....................................6 4. Information Model..............................................7 4.1. Definitions...............................................7 4.2. Properties................................................7 5. Capabilities...................................................8 5.1. Capability Definition.....................................8 5.2. Capability Families.......................................8 5.3. Capability URI............................................8 5.4. Service Capability........................................9 5.5. Property Capability.......................................9 5.6. Capability Discovery and Negotiation......................9 5.7. Capability Resolution.....................................9 5.8. Capability Revisions.....................................10 5.9. Defined Capability Families..............................10 5.9.1. DIX Capabilities....................................10 5.10. Protocol................................................10 5.10.1. Discovery Process..................................11 5.10.2. Exchange Process...................................14 5.10.3. Verification Process...............................24 Merrells Expires July 17, 2006 [Page 2] Internet-Draft Digital Identity Exchange Protocol January 2006 6. Security Considerations.......................................27 6.1.1. HTTP and HTTPS......................................27 6.1.2. Man in the Middle:..................................27 7. IANA Considerations...........................................28 8. Acknowledgments...............................................28 References.......................................................29 7.1. Normative References.....................................29 7.2. Informative References...................................29 Author's Addresses...............................................29 Intellectual Property Statement..................................29 Disclaimer of Validity...........................................30 Copyright Statement..............................................30 Acknowledgment...................................................30 1. Introduction This document specifies a protocol for the exchange of identity information. 2. Definitions 2.1. User A person with a digital identity who participates in DIX based identity information exchanges using their client software, typically a web browser. 2.2. Identity Data A property of a digital identity in which the Property Name and Property Value are represented as a name-value pair. 2.3. Persona A user can have multiple personas as part of their identity. For example, a user might have a work persona and a home persona. A persona is a subset of the user's identity data. 2.4. Homesite The User's agent (either a website or an application) responsible for authenticating and identifying the user, providing a repository for their identity data, and releasing that data (with user consent) to other sites via the user's client. Merrells Expires July 17, 2006 [Page 3] Internet-Draft Digital Identity Exchange Protocol January 2006 2.5. Membersite A site that requests identity data from a Homesite via the user's client. 2.6. Dumb Client A regular web browser without any knowledge of the DIX protocol. 3. Overview The core of the DIX protocol is a set of procedures for discovery of a Homesite, exchange of identity information, and verification of that exchange. Without drilling into too many details, this is a general description of the DIX protocol. The User browses to a Membersite. The Membersite discovers the User's Homesite and its capabilities. The Membersite then sends a request for identity information to the Homesite through the User's client. The Homesite processes the request, prompting the User for consent and returns a response, again through the User's client. The Membersite then checks integrity of the response and verifies it with the Homesite. 3.1. Transport Bindings The protocol messages could be moved over many alternative transport mechanisms. For example, HTTP, SMTP, or XMPP. Even within a single transport layer messages could be moved in alternative ways. This document only details a binding for HTTP. The messages are moved via HTTP POST. [RFC2616] For the simple usage profile discussed here we're interested in moving messages over HTTP(S). In this document, wherever HTTP is mentioned HTTPS can be used as an alternative to provide greater confidentiality and integrity. 3.2. Names and Types Some aspects of the protocol, the names and types of things, are important enough that they need to be discussed ahead of the protocol. Merrells Expires July 17, 2006 [Page 4] Internet-Draft Digital Identity Exchange Protocol January 2006 3.2.1. URLs and URIs Throughout this protocol specification there are many things of type URI. These must all be normalized to ensure they can be easily compared. RFC 2396bis describes URI normalization. [RFC2396BIS] 3.2.2. Site Paths A Membersite or Homesite is referred to via its Path, which is a domain name and path. Since the Path is anchored within the domain name system we are assured that the name has the property of being unique. 3.2.2.1. Membersite Path This is the unique identifier for the Membersite, and must contain a domain name. The Homesite uses this to provide a more seamless experience to the user on subsequent visits to the Membersite, and is the ID used in Membersite identity verification. For example: membersite.com/, or membersite.com/shopping/. 3.2.2.2. Homesite Path A unique name for a Homesite that a user can remember so they can type it in. The Homesite Path is used to discover the Endpoint URL and Capabilities of a Homesite. For convenience, when a user presents their Homesite Path, the software should make every effort to transform the Homesite Path into a canonical URL. Termed the Homesite URL. For example, the user should be able to type in google.com, amazon.com, yahoo.com, sxip.com, ford.com, or whatever and have the system discover the rest. For example: homesite.com/, or homesite.com/~dick/. 3.2.3. Site Endpoint URL Membersites and Homesites provide endpoints for protocol messages to be sent to. These are specified as URLs, and over HTTP the messages are received via HTTP POST 3.2.3.1. Membersite Endpoint URL A Membersite may have multiple Endpoint URLs, as such the Membersite Endpoint URL must not be used as a unique identifier for a Merrells Expires July 17, 2006 [Page 5] Internet-Draft Digital Identity Exchange Protocol January 2006 Membersite. The Membersite Endpoint URL must contain the Membersite Path. 3.2.3.2. Homesite Endpoint URL As well as specifying an endpoint, this is used as a unique identifier for the Homesite. 3.2.4. Persona URL A Persona URL is the identifier for a persona. In the simple profile the Persona URL is a URL that can be resolved to a web page owned by the User. We term this the Persona URL. 3.2.5. Site Document The Homesite URL and the Persona URL reference Documents that contain marked up data for inspection by Membersites. 3.2.5.1. Persona Document The Persona Document delegates authority for the Persona URL to a Homesite. [See Delegation Tag] 3.2.5.2. Homesite Document The Homesite Document advertises the Endpoint URL and Capabilities of the Homesite. [See Homesite Tag] 3.2.6. DIX URI Namespace To ensure protocol extensibility we reuse the same naming scheme throughout the protocol for multiple purposes. All names are URIs. The generic URI syntax is as follows. uri = scheme ":" hier-part [ "?" query ] [ "#" fragment ] hier-part = "//" authority path-abempty / path-absolute / path-rootless / path-empty Merrells Expires July 17, 2006 [Page 6] Internet-Draft Digital Identity Exchange Protocol January 2006 For a DIX URI, the protocol scheme used is 'dix'. (Note that this has not been registered with IANA, but we will resolve this during the IETF standardization process.) dix-uri = "dix" ":" hier-part [ "?" query ] [ "#" fragment ] Extensibility stems from the authority. Anyone with a registered domain name can create DIX URI Names using their own domain name as the authority in the URI. The DIX protocol uses DIX URI Names for: o Capability Names o Property References o Message Parameters o Constant Values 4. Information Model 4.1. Definitions A homesite has a set of user accounts. An account has a set of personas. A persona has a set of properties. A property has a property name and property value. A property name is a path. A property value is a UTF-8 string. A path is of the form 1*( "/" 1*ALPHA ). For example: '/sxip.net/contact/name/first'. 4.2. Properties The property name is used for both referring to a property in a query expression [See Fetch Request Message], and for referring to the associated type information. [See Fetch Request][See Capabilities] Merrells Expires July 17, 2006 [Page 7] Internet-Draft Digital Identity Exchange Protocol January 2006 5. Capabilities 5.1. Capability Definition A capability is a service or a property: a service offered by a site to other sites, or a property supported by a site. Sites advertise their capabilities to enable capability discovery and negotiation with other sites. 5.2. Capability Families A capability family is a set of capabilities. The capability family mechanism is provided to reduce the number of capabilities that a site needs to advertise. Otherwise, over time, as the number of capabilities supported increases, the number of capabilities advertised could become unmanageable; the solution offered here is to roll a set of them into a family. 5.3. Capability URI A capability is represented as a Capability URI, which is a DIX URI Name, with some restrictions. capability_uri = "dix:/" [ "/" authority "/" ] capability "#" revision capability = 1*ALPHA revision = 1*DIGIT The Capability URI is restricted in that after the optional authority, the path contains a single step, which is the capability name, and always includes a fragment, which is the capability revision number. The optional authority denotes whether the capability is a DIX, or Non-DIX capability. DIX capabilities have no domain name. For example, 'dix:/core#1'. Non-DIX capabilities do have a domain name. For example, 'dix://sxip.net/simple#1'. The revision number encoded as the URI fragment allows a recipient to determine if a particular revision of a capability is supported. [See Capability Revisions.] Merrells Expires July 17, 2006 [Page 8] Internet-Draft Digital Identity Exchange Protocol January 2006 5.4. Service Capability Service capabilities represent a service provided by the site. Example: dix://crypto-doodes.com/dongle#5'. (This was invented for this example, but hopefully you get the idea.) 5.5. Property Capability Property capabilities represent a property supported by a site. Example: dix://sxip.net/namePerson/first 5.6. Capability Discovery and Negotiation Homesites advertise their capabilities in the Homesite Tag of their Homesite Document. [See Homesite Document][See Homesite Tag]. Membersites read this document to discover the capabilities of the Homesite. A Membersite treats the Homesite capabilities as a hint of the services offered and the properties supported. Membersite may provide its capabilities to a Homesite within a request message. The Homesite treats the Membersite capabilities as a hint. 5.7. Capability Resolution A Capability URI can be converted into a resolvable URL. The document fragment referenced describes the capability. There are two anticipated use cases for resolving capabilities. Firstly, it is expected that programming tools will resolve capabilities to aid programmers in development of sites. Secondly, Homesites could use this mechanism for automatic update of capability revisions. The Capability URI is converted to a URL by replacing the 'dix' protocol scheme with the 'http' protocol scheme. The document fragment retrieved contains a list of capabilities. For example, the capability URI 'dix://sxip.net/simple#1' can be converted to the URL 'http://sxip.net/simple#1' and resolved. In the case of a DIX capability, where there is no domain name provided, the domain name used is a well-known, standards body name. Currently it is 'dixs.org'. So, for example, the DIX capability 'dix:/core#1', would become the resolvable URL, 'http://dixs.org/core#1'. Note that 'dixs.org' is currently operated by Sxip Identity. Once DIX has progressed further within the IETF it is anticipated that this Merrells Expires July 17, 2006 [Page 9] Internet-Draft Digital Identity Exchange Protocol January 2006 resolution service will most likely be changed to some well-known community owned naming registry. The URL references a document fragment. That schema of that fragment is not currently defined. 5.8. Capability Revisions A capability revision is a positive integer value that always increases when there is a revision of a capability; as such capabilities are always backwardly compatible. This allows capability definitions to be accretive so functionality can be extended without breaking existing functionality. For example, the capability URL 'http://sxip.net/simple#34' would reference where revision '34' of the 'simple' capability is defined. From that point in the document onwards is what is included in 'dix://sxip.net/simple#34'. Capability revisions are always added to the top of the capability definition file, so that everything from that fragment onwards is what defines that revision of the capability. The revision fragment allows families of capabilities to be rapidly extended without breaking existing applications. 5.9. Defined Capability Families The following DIX capability families are currently defined. A DIX capability family is represented by a DIX URI. Third-party authorities are able to define their own capability families if they wish. 5.9.1. DIX Capabilities 5.9.1.1. dix:/core#1 Core DIX protocol capabilities. The simple usage profile. Our assumptions are: low security, low risk identity transaction, data is moving over HTTP(S), low risk from replay attack. Supports: Homesite, Membersite, and Persona URL. 5.10. Protocol In the simple usage profile the participants in the protocol are: the User's Client, a Homesite, a Membersite, and the site that hosts the Persona URL. Merrells Expires July 17, 2006 [Page 10] Internet-Draft Digital Identity Exchange Protocol January 2006 The protocol proceeds in three stages: Discovery, Exchange, and Verification. We walk through each in turn. 5.10.1. Discovery Process The goal of the discovery process is to determine the capabilities of the user's Homesite. A dumb client can use a cookie. 5.10.1.1. Membersite Cookie (Dumb Client) Once a user has visited a Membersite and identified the name of their Homesite that Membersite can cookie the user with their choice of Homesite, so that it can be filled in automatically for them in the future. Also, the name of the text control used by the Membersite to collect the user's Homesite Path should be the consistent and well-known name 'dix:/homesite'. The name of the text control is defined to ensure the benefit to the user of a browser's automated form filling functionality. 5.10.1.2. User Prompt The Membersite first attempts to determine the Homesite Path from a Membersite cookie. It then returns a web page to the user's client. The web page contains a form that includes a text control named 'dix:/homesite' for the Homesite Path and an adjacent 'login' button. If known the Homsite Path is provided as the value of the text control. The form also includes the parameters for a fetch-request message. The parameters include the request message parameters and queries for any identity data the Membersite requires. [See Request Message for details.] The attributes of the FORM tag are: o CLASS attribute must contain 'DIX', which denotes to a smart client that the form was generated by a DIX aware Membersite. o ACTION attribute is the Membersite Endpoint URL. o METHOD attribute is 'POST'. The value of the FORM tag includes at least two INPUT tags, one a text control, the other a button control. Merrells Expires July 17, 2006 [Page 11] Internet-Draft Digital Identity Exchange Protocol January 2006 The attributes of the text control INPUT tag are: o TYPE attribute is 'TEXT'. o NAME attribute is 'dix:/homesite'. o VALUE attribute is the user's Homesite Path, if known by the Membersite. The attribute of the button control INPUT tag are: o TYPE attribute is 'SUBMIT'. o VALUE attribute is 'login'. The attributes of the hidden INPUT tags for the message parameters are: o TYPE attribute is 'HIDDEN'. o NAME attribute is the message parameter name. o VALUE attribute is the message parameter value. Here's an example:
Processing of the form by the client differs between smart and dumb clients. Merrells Expires July 17, 2006 [Page 12] Internet-Draft Digital Identity Exchange Protocol January 2006 5.10.1.3. Dumb Client Form Processing When a dumb client receives a page containing this form the user is presented with a text control with an adjacent 'sxip in' button. If the user has previously visited the Membersite, and the Membersite has stored the user's Homesite Path in a cookie, then the Membersite can suggest a value for the text control. Otherwise, the user will have to type in their Homesite Path, and potentially their browser will auto-complete it after a few key strokes. When the user clicks on the 'sxip in' button the form is posted to the Membersite Endpoint URL. The Membersite should accept a shortened form of URL from the user and make every effort to transform it into a canonical URL. The Membersite then performs the Homesite Inspection process. 5.10.1.4. Homesite Inspection The Membersite must now determine the Endpoint URL and the Capabilities of the User's Homesite. The Membersite uses the Homesite Tag Inspection Algorithm to discover the Homesite Tag. The Membersite uses the Homesite URL to fetch the Homesite Document to inspect it for the Homesite Tag to discover the Endpoint URL and Capabilities of the Homesite. The Membersite constructs a URL, based on the Homesite URL, to the well-known file 'dix.html' in the site's root directory. If the file is not found then the Membersite resolves the URL of the site's root document, '/'. Note that the Membersite must follow any redirects. If found the document retrieved is examined for the Homesite Tag. The Homesite Tag is used to specify the Endpoint URL and Capabilities of a Homesite. The HTML LINK tag is used for this. The LINK tag is appropriate because it is a document reference that is not to be traversed by an end user. The requirements are: o Use the LINK tag, which MUST occur in the HEAD section of the returned document. o The LINK REL attribute MUST have value 'dix:/homesite'. o The LINK HREF attribute MUST have value of the Homesite's Endpoint URL. Merrells Expires July 17, 2006 [Page 13] Internet-Draft Digital Identity Exchange Protocol January 2006 o The LINK CLASS attribute contains the capabilities of the Homesite, space separated. Here's an example The reason there are options for where the Homesite Tag is located is that the User may or may not have access rights to one of these files. 5.10.1.5. Membersite's Discovery Algorithm To discover the Homesite Endpoint URL and Capabilities the Membersite follows the following procedure. 1. Prompt user to enter the Homesite Path. 2. Look in Homesite root for dix.html and extract Endpoint URL and capabilities. 3. If not found, then look in Homesite root page and extract Endpoint URL and capabilities. Upon failure the Membersite should inform the user and jump to step 1 to prompt the user. If successful the Membersite has now determined the Endpoint URL and capabilities of the user's Homesite. The Membersite uses the Homesite capabilities to determine if the Homesite supports the requisite capabilities for the identity data exchange. For example, a financial Membersite might require that the Homesite use a specific two-factor device to authenticate the User. In this case the Membersite would check that the Homesite capabilities discovered included the capability named 'dix://crypto- doodes.com/dongle#5'. (Invented for this example.) 5.10.2. Exchange Process The exchange process occurs once the MS has discovered the Endpoint URL and the capabilities of the Homesite. Messages are exchanged between the Membersite and the Homesite via the User's client. This section describes the protocol flow that occurs and the messages that are transferred between the participants. Merrells Expires July 17, 2006 [Page 14] Internet-Draft Digital Identity Exchange Protocol January 2006 5.10.2.1. Protocol Flow To set the context for the following description, the user's client sends a HTTP GET to a Membersite, and the Membersite performs the Homesite discovery procedure. The Membersite sends a fetch-request message to the Homesite through the User's client via a redirected HTTP POST to their Homesite Endpoint URL using JavaScript to autosubmit the form. The Homesite checks the integrity of the fetch-request message by checking that the Membersite Endpoint URL contains the Membersite Path. The Homesite creates a fetch-response message. A Signature is included that is generated from a Digest of the message. Membersite receives the fetch-response message and verifies the message. 5.10.2.2. Digest Generation The digest function is used to generate a digest for a message. It takes as input a canonicalized representation of the message. Digest = D ( C ( M ) ) Where, M is the fetch-response message excluding th'dix:/signature' message parameter, C is the canonicalization function (defined below), and D is the digest function. Since the Homesite and Membersite must be able to generate interchangeable digests they both must implement the same digest function. We specify that both must implement the SHA-1 algorithm. [SHA] 5.10.2.3. Signature Generation The signature function is used to generate a signature for a message. Since the signature generation function need only be known by the Homesite, and not the Membersite, the nature of this function is implementation defined. It should however have the properties of protecting the message from alteration. A suggested implementation of a signature function would be to use the SHA1 algorithm, which takes as input a digest of the message and a secret known only to the Homesite. Merrells Expires July 17, 2006 [Page 15] Internet-Draft Digital Identity Exchange Protocol January 2006 Signature = T ( S + Digest ) Where, Digest is message digest (defined above), S is the Homesite Secret, T is the signature generation function, and '+' means string concatentation. A suggested secret would be a random sequence of bytes. For the SHA1 algorithm an appropriate length would be 80 to 160 bits. 5.10.2.4. FORM Auto Submission Form submission could be automated in the following way: Merrells Expires July 17, 2006 [Page 16] Internet-Draft Digital Identity Exchange Protocol January 2006 5.10.2.5. Messages A message is a list of name-value pairs, which are represented here as '