OASIS, AMD Push Open Identity Management Standard
Trusted identity management just got a new complement: trusted asset management. While commonly viewed as two distinct but overlapping disciplines, new technology promises to usher in an alternative to proprietary identity and data management systems by lassoing both together into a single solution.
This breakthrough enables rich software and hardware scenarios, specifically in the realms of rights management and trusted computing. Because the standard is open, these solutions can be delivered to the masses while skirting corporate patent portfolios.
OASIS (Organization for the Advancement of Structured Information Standards), a not-for-profit consortium that seeks to drive and converge the adoption of e-business standards, has announced plans for a new open standard for the sharing, linking and synchronizing of digital assets over the Internet.
This interconnectivity is accomplished through coupling together XML documents with new distributed identity and data sharing schemes respectively named Extensible Resource Identifiers (XRIs) and XRI Data Interchange (XDI).
Some of the examples OASIS provided of potential applications include: exchange, linking, and lifetime synchronization of electronic business cards, public keys and other common identity attributes across dynamic address books; Internet calendar sharing; trusted searches that need to cross multiple private websites; auto-configuration and intelligent data synchronization across multiple user devices; automated Web site registration, form-fill, and e-commerce transactions; and cross-domain security and privacy management.
The XRI and XDI framework is designed such that companies and organizations no longer need to represent individuals through identity management solutions such as America Online's Screen Name or Microsoft's Passport. Instead, XRI permits recognition of identity in both a personal and generic context, without requiring a user to be federated with an organization.
An upcoming release of Passport focusing on satisfying many of these same issues is code-named TrustBridge.
Cordance's Drummond Reed, co-chair of the OASIS XRI and XDI Technical Committees, told BetaNews that the XRI and XDI standards were not trying to compete with or circumvent other open identity solutions such as Liberty Alliance, saying the two have different goals.
Reed believes Liberty is primarily focused on identity in an enterprise context and not designed to address identity in a personal or general context. In addition, the current Liberty specifications are not designed to be a generalized XML data sharing service that can be applied to any type of data in any type of context. Reed sees the XRI/XDI combination as "a much more generalized solution to a lower-level set of architectural problems around persistent identity and long-term trusted data sharing relationships."
Since the OASIS standard is open, Liberty, or anyone else who respects the group's terms and conditions, can use XRI and XDI as a central component of any online identity solution.
New Solutions to Old Problems
XDI builds upon existing and emerging XML standards to solve the problems long associated with data sharing. Many of these problems are, in fact, fundamental.
Jamie Lewis, CEO and Research Chair of the Burton Group, sat down with BetaNews to discuss and break down the challenges posed by distributing identity and controlling data exchange.
"Today, we use a wide variety of different mechanisms for identification, including e-mail addresses, IP addresses, phone numbers, and object identifiers. But most of these are specific to one specific means of interaction. None of them is persistent across the many different ways that people, applications, and devices can communicate, and so they don't function well as identifiers in the long run."
Lewis continued, "In the future, for example, a variety of factors may determine where you would like to receive in-bound communications; you may want to receive e-mail when using your laptop, a phone call when all you have is your mobile device, and a text message when in a meeting. But how do people (or applications or devices) know when and how to communicate with you if they identify you by one of the addressing schemes used by these different communication services? In such a case, it would be better to have a persistent, unique identifier, and then use a current email address, phone number, and IM screen name as attributes of that identifier. Thus, a simple change in a preference setting could effectively route incoming communications to the appropriate service, or tell people who want to communicate with you how best to do so at a given time. Also, if your e-mail address or phone number changes, the persistence of the underlying identifier makes maintaining consistency through such changes much easier."
"Likewise, the trusted computing initiative requires nodes on a network to be uniquely identified. While the goals are somewhat different than the communications example above, the issues are nearly identical. IP addresses can change, so they aren't a fully persistent means of identifying a node. Having that persistent, unique identifier is an important predicate for any trusted relationship between nodes. Without it, the trust is much more difficult, if not impossible, to achieve. The XRI/XDI specification is an attempt to solve this problem by creating a standard for unique identifiers," said Lewis.
Managing Digital Assets
According to OASIS, "XDI will address interoperable, automated data interchange across distributed applications and trust domains."
Data sharing is managed by XDI. Simple XML documents that use the XDI schema -- called "link contracts" -- determine whether or not a file, application, or service is controlled or needs rights management applied. From a technical standpoint, these link contracts are how the XDI data owner can control the authority, security, privacy, and rights of shared data.
"The goal of XDI is to do for controlled data sharing what the Web did for open content sharing," said Cordance's Reed. "XDI does not displace any specialized XML vocabulary designed to support specific applications or Web services. Rather, it augments them by providing a standard, generalized way to identify, describe, exchange, link, and synchronize other XML documents encoded in any XML language or schema - tying them all into one global 'Dataweb.'"
Early Industry Support for XDI
The OASIS charter for the new XDI Technical Committee indicated that there was early interest in forming liaisons with other industry standards groups, including: the Trusted Computing Group (TCG), the TeleManagement Forum (TM Forum) and the International Security Trust and Privacy Alliance (ISTPA). However, co-conveners Drummond Reed and Geoffrey Strongin pointed out that none of these liaisons could be formalized until after the start of the Technical Committee's work.
The Trusted Computing Group's (TCG) membership includes industry heavyweights such as Microsoft, AMD, HP, Intel, Sony, Sun, and IBM.
There is not yet any "official" relationship between XDI and TCG; however, TCG member Advanced Micro Devices (AMD) is eyeing XDI as the protocol it will support in future trusted computing devices such as motherboards. AMD sponsored some of the early XDI groundwork, and holds a seat on the TCG steering committee.
Geoffrey Strongin, AMD's point man for XDI, elaborated on the chipmaker's position relative to XDI saying, "AMD has been developing technology that supports Trustworthy Computing since 1999. This work led us to look at the infrastructure requirements associated with hooking up the isolated nodes that have attestable trustworthy capabilities into open networks. It turns out this is a very complex problem with many constraints. Both security and privacy must be addressed along with scalability and ease of use."
"It is our view that building an open infrastructure that allows for the seamless easy use of a computing platform's trustworthy capabilities will be far easier to do on top of XDI," explained Strongin. "So one motivation for supporting XRI and XDI is the realization that if the Internet can become more capable it will make it easier to build the kind of easy to use, open, scalable, and privacy protecting trust infrastructure that AMD would like to see come into existence."
At this stage, it is not known whether additional TCG members are backing the XDI standard.
Like its TCG brethren, Microsoft is busy readying its own framework to harden PC architecture. Redmond's Next-Generation Secure Computing Base (NGSCB) -- formerly code-named Palladium -- is a unique blend of redesigned hardware and software architecture intended to produce new types of security and privacy protections for computers. It remains to be seen whether or not Microsoft embraces XDI as part of its vision for trustworthy computing.
Microsoft did not respond to requests for comment by press time.
To extend beyond the desktop and leverage portability, the OASIS XDI Technical Committee may also work with the TeleManagement Forum to consider fusing XDI into next generation mobile operating system designs and backend telecommunications infrastructure. The Forum currently touts 340 members, and was chartered over 15 years ago.
Due to the privacy implications posed by an Internet data sharing standard, the OASIS XDI Technical Committee also intends to work closely with the International Security Trust and Privacy Alliance to ensure that XDI enables full implementation of the privacy controls and services defined in the ISTPA Privacy Framework.
Burton Group's Lewis summed up OASIS's efforts to court vendors, saying, "In the telecommunications space, for example, major mobile carriers could, in theory, adopt XDI/XRI as a means of managing presence and communication preference information per my earlier example. Likewise, the Trusted Computing Group could, in theory, use XRI/XDI as a basis for their specifications. AMD is involved in the creation of the spec, which is somewhat encouraging. But neither Microsoft nor IBM, two major players in the trusted computing arena, have even hinted that they will adopt the specification in their trusted computing work."
"Like many standards, XRI/XDI will prove to be either an interesting but ultimately academic exercise or a transformative milestone in the development of distributed systems," said Lewis.
The XRI and XDI standards grew out of XNS, originally the brain-child of OneName Corporation. In 2000 OneName helped establish a non-profit corporation, dubbed XNSORG, to govern the XNS specifications. XNSORG subsequently contributed the XNS 1.0 specifications to OASIS, which then split the work between two separate Technical Committees: XRI and XDI.
The OASIS XDI Technical Committee includes industry representatives from AMD, AmSoft Systems, Booz Allen Hamilton, Cordance, Epok, Neustar, and NRI. Participation is open to all groups and individuals, and a dedicated mailing list will be hosted to solicit feedback from the public.