draft-iab-identities-00.txt   draft-iab-identities-01.txt

Internet Architecture Board                              P. Faltstrom
Internet-Draft                                       G. Huston, Eds.
Expires: October 27, 2004                                         IAB
                                                       April 28, 2004
(draft-00 was dated March 16, 2004 and expired September 14, 2004)

                    A Survey of Internet Identities
                      draft-iab-identities-01.txt
Status of this Memo

By submitting this Internet-Draft, I certify that any applicable
patent or other IPR claims of which I am aware have been disclosed,
and any of which I become aware will be disclosed, in accordance with
RFC 3667.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other

skipping to change at page 1, line 33

and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on October 27, 2004.

Copyright Notice

Copyright (C) The Internet Society (2004). All Rights Reserved.

Abstract

This memo provides an overview of the various realms of
identification used within the Internet protocol suite, with specific
observations on the role and purpose of the Domain Name System within
this environment.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1 Desirable properties of Internet Identities . . . . . . . . 3
2. A Hierarchy of Identities . . . . . . . . . . . . . . . . . 5
2.1 Media Access Addresses . . . . . . . . . . . . . . . . . . . 5
2.2 IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7
2.3 Service and Session Identities . . . . . . . . . . . . . . . 8
2.4 Routing and Forwarding Identities . . . . . . . . . . . . . 9
2.5 Mobile Identities . . . . . . . . . . . . . . . . . . . . . 10
2.6 Opportunistic Identities . . . . . . . . . . . . . . . . . . 11
2.7 Domain Names . . . . . . . . . . . . . . . . . . . . . . . . 12
2.8 Uniform Resource Identifiers . . . . . . . . . . . . . . . . 13
2.9 Uniform Resource Names . . . . . . . . . . . . . . . . . . . 15
2.10 Human Friendly Strings . . . . . . . . . . . . . . . . . . . 16
3. Issues with Identities . . . . . . . . . . . . . . . . . . . 16
3.1 Overloading the IP Address . . . . . . . . . . . . . . . . . 16
3.2 Dynamic DNS Updates and Nomadism . . . . . . . . . . . . . . 18
3.3 URLs and Persistent Identifiers . . . . . . . . . . . . . . 19
4. The DNS in Identity Spaces . . . . . . . . . . . . . . . . . 22
4.1 The role of the DNS . . . . . . . . . . . . . . . . . . . . 23
4.2 Changing the DNS . . . . . . . . . . . . . . . . . . . . . . 24
4.3 The DNS is a strict lookup service . . . . . . . . . . . . . 24
4.4 Coherency of the DNS . . . . . . . . . . . . . . . . . . . . 25
4.5 The DNS as an Identity Glue . . . . . . . . . . . . . . . . 26
5. Security Considerations . . . . . . . . . . . . . . . . . . 27
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 27
Informative References . . . . . . . . . . . . . . . . . . . 28
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 29
A. IAB Members . . . . . . . . . . . . . . . . . . . . . . . . 30
Intellectual Property and Copyright Statements . . . . . . . 31
1. Introduction

In any communications domain where two parties wish to conduct a
conversation across a network, each party must specify to the network
sufficient information for the network to identify the other party.
When the conversation refers to a resource or service that is
accessible through the network, the only effective way to refer to
such a resource or service is to use an identifier that can
subsequently be passed to the network to perform the access.

Some networks use a single identifier domain to identify all parties
and services, such as the numbering scheme used in the Public
Switched Telephone Network (PSTN). Other networks use a collection of
discrete identifier domains, where each identifier domain has a
specific realm of discourse or application. The Internet is an
example of a multiple-identifier domain network, where there are a
number of identity domains, each referring to a particular function
or area of application. In terms of routing and forwarding IP packets
the identity domain used is that of IP addresses, while in terms of
identifying particular services or resources the URI form of identity
is commonly used. In terms of human use of identities, the most
common form of identity in the Internet is based upon the domain
name.

This document examines the role of identities and identifiers,
together with an overview of the various realms of identity that are
used in the Internet. The document then looks in more detail at the
Domain Name System (DNS) and examines its role in relation to these
identity realms.
skipping to change at page 3, line 48

identity system. The following list of characteristics, together
with some related questions about the properties of an identifier,
is proposed as a useful, although not comprehensive, collection of
identity attributes:

Uniqueness:
In what realm is the identifier unique?
Can the same identifier be associated with two or more distinct
objects within the domain of a single realm?
Can multiple identifiers in a single realm be associated with the
same object?
An identifier can only be used reliably and deterministically
when there is a unique association with an object. An identity
realm is generally useful when the association between
identities and objects is a relationship where each unique
identifier references a single unique object. Note that there
is no requirement in the reverse direction, in that it
typically makes little difference to the utility of an identity
realm if a unique object is associated with multiple
identities. In other words, it can lead to ambiguities in
identity resolution if an identity is associated with two or
more distinct objects, but it generally is not as critical if
an object is associated with multiple identities (i.e. multiple
identity aliases for a unique object).

Consistency:
Is the identity asserted within a consistent identifier space?
This avoids an assertion of identity being interpreted by
another party in an unintended manner.

Persistence:

skipping to change at page 4, line 39

Constantly changing identities are, at the very least,
difficult to track.

Trust:
Can a particular identity withstand a challenge as to its
validity?
Other parties who would like to use this identity would like to
be reassured that they are not being deceived. 'Use' in this
context is a generic term that includes actions such as
resolution to the object identified by the identity value,
storage of the identity value for subsequent 'use', and referral,
where the token is passed to another party for their 'use'.

Robustness:
Is the identity realm capable of withstanding deliberate or
unintentional attempts to corrupt it in various ways?

Withholding:
If the identity is composed of a number of components, are only
those components of the identity that are essential to support the
communication exposed to other parties?

Referential Consistency:
If the identity is used in the context of a reference, then when
the referenced object is altered or relocated, does the identifier

skipping to change at page 5, line 45
and moving up a stack of layers through internetworking, end-to-end
transport and application levels. Each one of these layers creates at
least one context in which identifiers are used for the
communication. It would appear that from this perspective an identity
within the Internet is not just a single identity, but a collection
of various identities, used in a variety of contexts.

2.1 Media Access Addresses

There are two generic types of base media in this realm. One is a
point-to-point medium, a bilateral communications system where all
protocol data units (PDUs) generated by one party are passed to the
other party. In such environments the use of media access addresses
is not strictly required. The other form of environment is a
multi-access environment, where a number of parties can communicate
directly using a common medium. In this environment the sender must
specify the intended recipient of the Protocol Data Unit (PDU), and
to achieve this all connected entities use a unique media access
address, and the PDU contains the address of the intended recipient.
The most common of these multi-access media are encompassed within
the IEEE 802 collection of media standards.

These IEEE 802 technologies share a common structure of Media Access
Control layer address (MAC address) to uniquely identify devices
connected within a LAN. There are two forms of this identity space,
one using a 48 bit identity space (EUI-48 [19]), and the other a 64
bit space (EUI-64 [20]). Both identity spaces can be considered as
partially-structured identity spaces, where a number of bits within
this MAC address determine whether the address has been globally or
locally assigned. Globally assigned values are globally unique, but
are structured in such a way that there is no imposed hierarchy
within the address that could be used for efficient searching, in
contexts such as, for example, a routing or forwarding application.

A global MAC address identity certainly passes one of the more basic
tests of an identity domain, that of uniqueness. Two parties cannot
assume the same MAC address value and use this same value as a unique

skipping to change at page 7, line 13

security discussions where it may not be the best possible approach
to bind master session keys to MAC addresses, rather than some other
identity. Another example: in IEEE 802.11i it is possible for a host
to have multiple interfaces, and therefore there is a significant
difference between binding a Master Session Key to a MAC address and
binding to a host identity.

This lack of a direct association between an interface's MAC address
and a host device has undesirable effects when it has been assumed
that a MAC address equates to a host identity. In "Authentication for
DHCP Messages" [11], where the MAC address takes on the role of the
DHCP client-identifier, or in the administrative model of IEEE
802.11-1999 Wired Equivalent Privacy (WEP) [21], it can be an
administrative burden to keep track of all the network interface
cards, their MAC addresses and their associated secrets.

The use of a MAC address in the context of IP is when one node wants
to send a packet to another local node (with a given IP address). The
node uses a broadcast query packet with an enclosed address request
(an ARP request). This query can be interpreted as "Would the device
that has this particular IP address please respond so that I can
learn its MAC address". The resulting association of IP address to
MAC address can be cached for a short period of time, and the MAC
address is then used for communication over the LAN. In other words,
resolution of a MAC identity is via local dynamic discovery.

Despite these limitations, the MAC address is regarded as a
useful identity mechanism in the context of an identity space. The
original 48 bit identity specification has been augmented with 16
padding bits in order to be incorporated into the IEEE 64-bit EUI-64
global identifier structure, which in turn has been incorporated into
the IPv6 address architecture as the interface identifier component
of the unicast address [7].

It should be noted that this latter action of embedding one identity
(a MAC address) in another (the IPv6 address) lifts the original
identity outside its original context. There have been some concerns
noted where public disclosure of the MAC address within every IPv6
address also discloses both the unique identifier and, potentially,
the role of the device. For example, a device manufactured by a
specialized storage manufacturer is more likely to be a very
expensive storage subsystem housing mission-critical data. This may
not be information that is intended to be made public, and a
follow-up proposal advocated the ability for the interface identifier
within an IPv6 address to be a temporary randomized value [10].
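The embedding and disclosure described above, as an added example that is not part of the draft: it builds the modified EUI-64 interface identifier from a MAC address (0xFFFE inserted between the OUI and the device part, universal/local bit inverted, per RFC 4291 Appendix A), places it in a /64 prefix, and shows that the MAC and its vendor OUI can be read straight back out of the resulting address, while a randomized identifier yields nothing. The MAC address and the 2001:db8::/64 prefix are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// ModifiedEUI64 derives the IPv6 interface identifier from a 48-bit MAC
// address (RFC 4291 Appendix A): 0xFFFE is inserted between the 24-bit OUI
// and the 24-bit device part, and the universal/local bit (0x02 of the
// first byte) is inverted so that globally unique MACs end up with it set.
func ModifiedEUI64(mac net.HardwareAddr) ([8]byte, error) {
	var iid [8]byte
	if len(mac) != 6 {
		return iid, errors.New("expected a 48-bit MAC address")
	}
	copy(iid[0:3], mac[0:3])
	iid[3], iid[4] = 0xFF, 0xFE
	copy(iid[5:8], mac[3:6])
	iid[0] ^= 0x02
	return iid, nil
}

// EmbedInPrefix forms a unicast address from a /64 prefix and an interface
// identifier, which is how the MAC identity ends up inside the IP identity.
func EmbedInPrefix(prefix net.IP, iid [8]byte) net.IP {
	ip := make(net.IP, net.IPv6len)
	copy(ip[:8], prefix.To16()[:8])
	copy(ip[8:], iid[:])
	return ip
}

// RecoverMAC reverses the embedding. ok is false when the interface
// identifier lacks the 0xFFFE marker, which is what a randomized temporary
// identifier (the follow-up proposal the draft refers to) looks like.
func RecoverMAC(ip net.IP) (mac net.HardwareAddr, ok bool) {
	ip = ip.To16()
	if ip == nil || ip.To4() != nil || ip[11] != 0xFF || ip[12] != 0xFE {
		return nil, false
	}
	mac = make(net.HardwareAddr, 6)
	copy(mac[0:3], ip[8:11])
	copy(mac[3:6], ip[13:16])
	mac[0] ^= 0x02
	return mac, true
}

// OUI is the vendor-assigned prefix of a global MAC. Exposing it in every
// IPv6 address is the disclosure the draft warns about: it reveals the
// manufacturer, and often the likely role, of the device.
func OUI(mac net.HardwareAddr) string {
	return fmt.Sprintf("%02x:%02x:%02x", mac[0], mac[1], mac[2])
}

// IsLocallyAdministered reports whether the MAC was locally rather than
// globally assigned (universal/local bit set in the original MAC).
func IsLocallyAdministered(mac net.HardwareAddr) bool {
	return mac[0]&0x02 != 0
}

func main() {
	// Constructed sample values: a MAC address and a documentation prefix.
	mac, _ := net.ParseMAC("00:1b:21:aa:bb:cc")
	iid, _ := ModifiedEUI64(mac)
	addr := EmbedInPrefix(net.ParseIP("2001:db8::"), iid)
	fmt.Println("address:", addr)
	if back, ok := RecoverMAC(addr); ok {
		fmt.Println("embedded MAC:", back, "OUI:", OUI(back),
			"locally administered:", IsLocallyAdministered(back))
	}
	_, ok := RecoverMAC(net.ParseIP("2001:db8::4a3f:9c1e:5d27:8b01"))
	fmt.Println("randomized identifier reveals a MAC:", ok)
}
```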
2.2 IP Addresses

Moving up one level in the protocol stack model provides an identity
based on the internetworking layer, namely the IP address. The IPv4
address is a 32 bit field providing each Internet-connected interface
with a unique value. IPv6 uses effectively the same construct, using
a 128 bit identity domain rather than a 32 bit domain. In both cases
the IP address is a structured identity space where there is a
globally significant prefix that is used in the context of routing
and forwarding outside of a particular local domain, and a local part
that is used to deliver the packet to the correct interface of the
associated device within the local network. The fact that the
structure of the address is based on the requirements of routing, and
is therefore topologically sensitive, implies that the underlying
semantics of the IP identity can be most reasonably assumed to be
temporal rather than persistent.

As an identity token, an IP address should be unique. It is
structured to be useful to forward packets to the addressed device,
and it's well known, in that it's not a secret value.

An IP address is not everything one could hope for in an identity.
The IP address identifies an interface, not a device or its user. A
device with multiple active interfaces has multiple IP addresses, and

skipping to change at page 8, line 39

This is a specific example of the more generic observation about IP
addresses, namely that the IP address carries both the identity of
the endpoint in the IP realm and the location of the endpoint in the
IP network. It is a matter of longstanding study that continues today
as to the merits of delineating these two roles of identity at the IP
level, creating one identity realm as a means of uniquely identifying
an instance of a protocol stack within an end device (variously
called a "stack identifier" or "endpoint identifier" in previous
studies) and a second identity realm that is used to identify the
current location of the identity element within the network
(typically called a "locator" identity) [1][23].
2.3 Service and Session Identities

In the TCP/IP protocol suite the next level of identity is that of
the transport session. In order for a system to advertise a
particular service that is a point of attachment for clients it
combines three fields: IP server address, transport protocol
identity, and the address of the local service identity (port number)
into a compound identity that describes a particular service port on
a particular device.

skipping to change at page 9, line 25

and send each packet to the correct local instance of the
application, the session identity can also be used within the network
to recognize a 'flow' of packets that require identical forwarding
treatment and may require identical service treatment, if so
configured. In the latter case the session identity is being used to
trigger a particular service response within the network, and the
assumption being made within such contexts is that this 5-tuple is
sufficiently unique to identify particular sessions to the relevant
network elements. (SCTP also has a port address, but uses a set of IP
addresses to identify the remote end. At the network level a 'flow'
or 'stream' is identified as a collection of 5-tuples, rather than as
a single 5-tuple.) There are circumstances where the complete 5-tuple
is not visible to the network, such as in the use of IPSEC [6]. If
the IPv6 Flow Label is in use, a 3-tuple consisting of (Source IP
address, Destination IP address, Flow Label) may serve as a session
identifier. The flow label is not obscured by IPSEC.

Session identities are intended to be unique at any point in time, in
that two distinct sessions will not share a common session identity.
But their association over time is not unique, in that at a
subsequent time a different session may use the same 5-tuple. As well
as impermanence, session level identifiers exhibit a very fine level
of granularity, and as such are often at a level of detail which is
too fine to be a useful general identity token across the entire
Internet realm. One use is to allow a session to construct an
identity that refers to itself or its correspondent that can then be
handed into a quality of service policy controller to request a
specialized service response for the session. Other uses of session
identities can be found in filters, firewalls and network address
translators, as well as various forms of middleware applications.
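An added example (not from the draft) of the session-identity behaviour described in this section: a flow classifier that falls back from the 5-tuple to the (source, destination, flow label) 3-tuple when IPsec ESP hides the transport header, and a tracker showing that the same 5-tuple seen again after an idle period is a new session, not a continuation of the old one. The packet records, addresses and the 300-second idle threshold are constructed assumptions.

```go
package main

import (
	"fmt"
	"net"
)

// Packet is a constructed, minimal view of what a network element can see.
// Ports are only readable for TCP/UDP; with IPsec ESP (protocol 50) the
// transport header is encrypted and only the SPI remains visible.
type Packet struct {
	Src, Dst  net.IP
	Proto     uint8  // 6 = TCP, 17 = UDP, 50 = ESP
	SrcPort   uint16
	DstPort   uint16
	FlowLabel uint32 // IPv6 20-bit flow label; 0 means unset
	SPI       uint32 // ESP security parameter index
}

// FlowKey is the identity a network element uses to group packets that need
// the same forwarding or service treatment.
type FlowKey string

// ClassifyFlow derives the finest flow identity the visible headers allow:
// the 5-tuple when the transport header is readable, the (src, dst, flow
// label) 3-tuple when IPv6 carries a flow label (which IPsec does not hide),
// the SPI for ESP without a flow label, and a bare address pair otherwise.
func ClassifyFlow(p Packet) (FlowKey, string) {
	switch {
	case p.Proto == 6 || p.Proto == 17:
		return FlowKey(fmt.Sprintf("%s.%d>%s.%d/%d", p.Src, p.SrcPort, p.Dst, p.DstPort, p.Proto)), "5-tuple"
	case p.Src.To4() == nil && p.FlowLabel != 0:
		return FlowKey(fmt.Sprintf("%s>%s/fl=%05x", p.Src, p.Dst, p.FlowLabel)), "3-tuple"
	case p.Proto == 50:
		return FlowKey(fmt.Sprintf("%s>%s/spi=%08x", p.Src, p.Dst, p.SPI)), "esp-spi"
	default:
		return FlowKey(fmt.Sprintf("%s>%s/%d", p.Src, p.Dst, p.Proto)), "2-tuple"
	}
}

// Session is one instance of a flow identity in time. The same FlowKey can
// be reused later by an unrelated session, so the key alone is not a
// persistent identity; the tracker assigns a fresh ID after an idle gap.
type Session struct {
	ID      int
	Key     FlowKey
	Kind    string
	First   int64
	Last    int64
	Packets int
}

// Tracker maps live flow keys to sessions, expiring them after idle seconds.
type Tracker struct {
	idle   int64
	active map[FlowKey]*Session
	next   int
}

func NewTracker(idleSeconds int64) *Tracker {
	return &Tracker{idle: idleSeconds, active: map[FlowKey]*Session{}}
}

// Observe records a packet seen at Unix time ts and returns its session.
func (t *Tracker) Observe(p Packet, ts int64) *Session {
	key, kind := ClassifyFlow(p)
	if s, ok := t.active[key]; ok && ts-s.Last <= t.idle {
		s.Last = ts
		s.Packets++
		return s
	}
	t.next++
	s := &Session{ID: t.next, Key: key, Kind: kind, First: ts, Last: ts, Packets: 1}
	t.active[key] = s
	return s
}

func main() {
	// Constructed sample traffic: a TCP session, the "same" 5-tuple long
	// after it went idle, and an ESP packet whose ports are hidden.
	tr := NewTracker(300)
	tcp := Packet{Src: net.ParseIP("192.0.2.10"), Dst: net.ParseIP("198.51.100.5"),
		Proto: 6, SrcPort: 40000, DstPort: 443}
	for _, ts := range []int64{0, 1, 2, 900} {
		s := tr.Observe(tcp, ts)
		fmt.Printf("t=%d session=%d kind=%s key=%s\n", ts, s.ID, s.Kind, s.Key)
	}
	esp := Packet{Src: net.ParseIP("2001:db8::1"), Dst: net.ParseIP("2001:db8::2"),
		Proto: 50, SPI: 0x1234abcd, FlowLabel: 0x0abcd}
	s := tr.Observe(esp, 3)
	fmt.Printf("t=3 session=%d kind=%s key=%s\n", s.ID, s.Kind, s.Key)
}
```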
2.4 Routing and Forwarding Identities

As mentioned above, IP addresses provide information required by
routing and forwarding systems. Forwarding is undertaken using the
entire address as the lookup function into a forwarding table, using

skipping to change at page 11, line 37

location.
2.6 Opportunistic Identities 2.6 Opportunistic Identities
This concept of maintaining some form of identity association in the This concept of maintaining some form of identity association in the
face of a communicating within a potentially hostile environment has face of a communicating within a potentially hostile environment has
lead to a proposal for an identity token that has its roots in the lead to a proposal for an identity token that has its roots in the
public / private key pairs. In this approach the identity token is public / private key pairs. In this approach the identity token is
associated with the public key value of a public / private key pair. associated with the public key value of a public / private key pair.
A message encrypted with a private key can be passed to the other A message encrypted with a private key can be passed to the other
party where only the originating party's asserted identity (or public party where only the originating party's publicly asserted identity
key) can decrypt the message. (or public key) can decrypt the message.
Such identity realms can serve to support a reliable assertion that
the received message originated from the same party that originated
the communication and that the message has not been tampered with
while in transit. The identity systems are opportunistic in that the
identities are self-generated and have no external structure. The
implication is that such identities carry no particular structure and
may not be completely unique. For this reason their utility in other
identity applications where persistence or referential integrity is
required, such as acting as a persistent reference to other
skipping to change at page 12, line 15
2.7 Domain Names
The set of identities described so far has no particular
human-visible aspect to its function. The identity tokens are
structured to meet a particular purpose; they are not intended, as
their primary purpose, to be manipulated by humans, nor are they
intended to be used primarily within the realm of human discourse. By
contrast, the Domain Name System (DNS) was specifically intended to
be a name realm that is suitable to be included in human discourse,
yet at the same time to admit enough structure to be manipulated by
computer applications in a deterministic fashion. In its original
incarnation the DNS was a simple replacement for the earlier
'hosts.txt' file, a single replicated host file which was used in the
early Internet to map every name in use to its associated IP
address.
The DNS is essentially a hierarchical name space, where the
hierarchical name structure allows the space to be efficiently
searched and managed in a distributed fashion, but also supports one
of the most desirable attributes for an identity space, namely
uniqueness. The explicit hierarchy assists here, as DNS names are
intended to be unique across the entire name string rather than just
at the first component, so that "a.b.c" is a different identifier
from "a.d.e" even though the first label, "a", is the same in both
cases. (Labels are compared case-insensitively, so "A.b.c" and
"a.B.C" are the same name.)
The most common use of the DNS is to map domain names to IP
addresses, but other uses are possible by mapping a name to a number
of other defined 'resources'. The core functionality of the DNS is
that of a unique, structured name space together with a mapping
capability that allows a query to retrieve, for a given DNS name, the
mapping information for a particular class of resource.
The Domain Name System is more than a set of syntactic rules for
constructing a well-formed DNS name. The resultant name, if well
constructed and properly implemented, can be used as a referral token
to a service environment. In this fashion the DNS encompasses a
translation service that maps from domain names to defined resources,
including IP addresses. For example, given a well-formed DNS name, a
DNS lookup can query for a corresponding IP address. The DNS
describes a data model, a set of relationships between data objects,
and a protocol used to send queries and receive answers.
skipping to change at page 13, line 31
their primary access mechanism. Other forms of URIs provide resource
identification through a name scheme or by other attributes of the
resource.
There are few syntax rules to the Universal Resource Identifier
space, and only a small amount of common semantic structure. The
original IETF documentation, RFC 1630 [2], refers quite simply to a
syntax of a prefix word, a colon, and a following string. Where there
is hierarchy in the following string, slashes are used to delineate
the hierarchical levels, and the hierarchy runs from left to right.
The current generic syntax of URIs is described in RFC 2396 [5], and
the only change to this generic syntax is to refer to 'schemes', as
in "<scheme>:<scheme-specific-part>".
The common usage of URIs has been more structured than this general
specification, and most URI schemes do not provide a single string
that is an alias for an identity, but instead form an identity from
the instructions that specify how to access the resource, in the same
way as a postal address is often constructed from the instructions as
to how to deliver a postal letter to you. This form of a URI, which
can be viewed as a location specification, is the basis of the URL
skipping to change at page 14, line 22
directory/hierarchy/index.html" for a specific web page uses "http"
as a scheme identifier for TCP, port 80, protocol HTTP; the initial
part of the following string to reference the server (a DNS lookup
for an A or AAAA resource record for "www.example.com"); and an HTTP
request for "/directory/hierarchy/index.html" sent to that server,
which also receives "www.example.com" in the request's Host header.
In this form of URL identity system, uniqueness is keyed from the
use of a DNS name within the URL. The material wrapped around the DNS
name uses the DNS name as an alias for an IP address, additionally
specifies a service point, and then supplies the arguments that must
be provided to this service point in order to retrieve the referenced
resource. In that way a protocol-scheme URL is closer to a
description of an algorithm than to an identifier whose structure is
adapted to tasks such as sorting, searching or equivalence
operations. There are consistency issues here, in that while the
hierarchically structured string makes sense to one application it
may not make any sense in the context of a different application.
The persistence of protocol-scheme URLs is also an issue, in that the
resource may change location over time, and the corresponding
algorithm to locate the resource, the URL, must necessarily change as
well. The other major difference between a structured identifier
space and the protocol-scheme URL approach is that the structured
identifier space requires some form of lookup to apply the identity
to a retrieval system. By changing the outcome of the lookup
operation, the identity owner can track changes in the location of
the resource. In the protocol-scheme URL approach there is no way to
understand how widely the identity has circulated, and it is not
possible to update the in-circulation copies of the URL. The property
of the DNS is that, in itself, a DNS identity is a simple structured
token, and a lookup operation must be performed in order to produce
an algorithm that allows an application to refer to a particular
object. While such protocol-scheme URLs are widely used as service
and resource identities, they pale in significance, persistence and
utility when compared with DNS names. In other words, URLs specify
"how" to access a service, while generic DNS names can be interpreted
as identity tokens that identify a resource that may host a service
(or "who").
It is also not surprising from this perspective to see the emergence
of DNS resource records that refer to URLs, as in NAPTR records [8].
In this approach the first DNS lookup retrieves one or more URLs that
have been associated with the DNS name, and a second lookup is used
to resolve any DNS names that may be referenced in the URL strings.
In this framework a service may change its location, or the access
algorithm may be altered (and by necessity, the URL changed), but the
DNS identity that maps to this URL remains constant. This is one of
the clearer forms of delineating identity from access mechanisms.
This mapping can also be used for service discovery. Given the name
of a domain it is possible to look up NAPTR records to discover what
URLs can be used for communication with that domain. This is for
example used in the ENUM specification [9]. In ENUM, a domain name is
created from an E.164 number by a defined transformation, and a DNS
lookup of the NAPTR records at that domain name yields a list of
URLs. This gives the ability to know what URLs one can use in order
to contact the entity referred to by a given E.164 number. The more
general form of this approach can use NAPTR resource records to
associate a DNS name with one or more resources. The name that has
the NAPTR records can be considered an identity token, while the
associated NAPTR records provide a mapping from this identity to the
instantiation of the identified service. This approach has been used
in the Archival Resource Key (ARK) proposal [24].
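The two-step resolution described here (a first lookup that turns an
E.164 number into URLs via NAPTR rewrite rules, then a second lookup
for the DNS names inside those URLs) and the decomposition of a
protocol-scheme URL into server name and access instructions discussed
earlier in this section, as one added worked example in Go. It is not
part of the draft. The E.164 number, the NAPTR record set and the
example.se names are constructed for illustration; the domain
transformation follows ENUM (RFC 3761); the rewrite rules are evaluated
with Go's RE2 engine rather than a POSIX ERE engine; and no DNS query
is sent, since the records are supplied inline.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// NAPTR carries the record fields this example needs (RFC 2915 / RFC 3403);
// Regexp is the "<delim>ERE<delim>replacement<delim>" rewrite rule.
type NAPTR struct {
	Order, Preference int
	Flags, Regexp     string
}

// NormalizeE164 returns the string the rules are applied to: "+" plus digits.
func NormalizeE164(number string) string {
	var b strings.Builder
	b.WriteByte('+')
	for _, r := range number {
		if r >= '0' && r <= '9' {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// E164ToENUMDomain is the ENUM (RFC 3761) transformation: digits reversed, one per label, under e164.arpa.
func E164ToENUMDomain(number string) string {
	var labels []string
	for _, r := range NormalizeE164(number)[1:] {
		labels = append([]string{string(r)}, labels...) // prepending reverses the order
	}
	return strings.Join(labels, ".") + ".e164.arpa."
}

// applyRegexp evaluates one rewrite rule. Record backreferences are written
// \1..\9; Go's regexp wants ${1}, and a literal "$" must be doubled.
func applyRegexp(field, aus string) (string, bool) {
	if len(field) < 3 || field[len(field)-1] != field[0] {
		return "", false
	}
	parts := strings.Split(field[1:len(field)-1], field[:1])
	if len(parts) != 2 {
		return "", false
	}
	re, err := regexp.Compile(parts[0])
	if err != nil || !re.MatchString(aus) {
		return "", false
	}
	tmpl := strings.ReplaceAll(parts[1], "$", "$$")
	tmpl = regexp.MustCompile(`\\[1-9]`).ReplaceAllStringFunc(tmpl, func(m string) string { return "${" + m[1:] + "}" })
	return re.ReplaceAllString(aus, tmpl), true
}

// ResolveENUM is the first lookup of the text: order the rules, apply each
// terminal ("u") rule to the normalized number, collect the resulting URIs.
func ResolveENUM(number string, records []NAPTR) []string {
	rules := append([]NAPTR(nil), records...)
	sort.SliceStable(rules, func(i, j int) bool {
		return rules[i].Order < rules[j].Order ||
			rules[i].Order == rules[j].Order && rules[i].Preference < rules[j].Preference
	})
	aus := NormalizeE164(number)
	var uris []string
	for _, r := range rules {
		if !strings.Contains(strings.ToLower(r.Flags), "u") {
			continue
		}
		if uri, ok := applyRegexp(r.Regexp, aus); ok {
			uris = append(uris, uri)
		}
	}
	return uris
}

// HostOfURI names the second lookup: the DNS name inside a resulting URI, for
// hierarchical (scheme://host/...) and user@host (sip:, mailto:) forms alike.
func HostOfURI(uri string) string {
	if u, err := url.Parse(uri); err == nil && u.Host != "" {
		return u.Hostname()
	} else if err == nil && strings.Contains(u.Opaque, "@") {
		return u.Opaque[strings.LastIndex(u.Opaque, "@")+1:]
	}
	return ""
}

// SampleRecords is a constructed NAPTR set, not real DNS data.
var SampleRecords = []NAPTR{
	{Order: 100, Preference: 20, Flags: "u", Regexp: `!^.*$!mailto:info@example.se!`},
	{Order: 100, Preference: 10, Flags: "u", Regexp: `!^\+46(.*)$!sip:\1@example.se!`},
	{Order: 200, Preference: 10, Flags: "u", Regexp: `!^.*$!http://www.example.se/directory/hierarchy/index.html!`},
}

func main() {
	number := "+46-8-1234567" // constructed E.164 number
	fmt.Println("ENUM domain:", E164ToENUMDomain(number))
	for _, uri := range ResolveENUM(number, SampleRecords) {
		fmt.Printf("%-55s second lookup: %s\n", uri, HostOfURI(uri))
	}
}
```

Only terminal rules are evaluated; a non-terminal NAPTR that hands the
lookup off to another domain is ignored here. The point a practitioner
should take from the code is that the rewrite rules are data returned
by the DNS: whoever can substitute the NAPTR answer for a name chooses
where that identity resolves, so the "trustable" resolution the draft
later asks for has to cover this step, not just the final address
lookup.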
Of course not all URIs are protocol-scheme URLs of the form outlined
above. URIs are a very general construct where the initial "scheme"
part of the URI determines the structure and semantics of the
remainder of the URI string. The next section examines that class of
URIs where persistence of the identity is a specific feature of the
identity realm, the Uniform Resource Name.
2.9 Uniform Resource Names
To solve the problem of lack of long-term stability for references,
URNs can be used as an alternative to recursive references into the
DNS. URNs are generally considered not to be entirely within a human
realm, as they often include what would appear to be long random
combinations of characters. URNs are intended to be globally unique,
and never reused. As long as a named object exists, it retains that
name. An object can have many names. The object may cease to exist,
in which case the URN can no longer be resolved, because the
resolution service (from URN to URI) is no longer working, but, as
the name exists (virtually), a new service can be created and the
object re-established if there is need for it. RFC 3305 [12] talks in
more detail about the different views which exist on the
relationship between URIs, URLs and URNs.
2.10 Human Friendly Strings
URIs have a problem that URNs didn't solve, and that is the ability
for humans to remember them. Humans act in a context, so global
uniqueness is not important at this level of abstraction. Instead,
when a human uses a name, they normally want a resolution service
that "does what they want". In this realm the context of the name is
skipping to change at page 16, line 26
possible goal for a working system is to be able to handle the
so-called "side of the bus" problem. A human sees something in an
advertisement on the side of a bus, remembers it (or remembers part
of it), and when they come to a computer they try to get more
information about what they have seen. This involves complex language
and localization (and internationalization) problems.
No real human-friendly naming system exists today on the Internet.
There have been various ideas connected to "layers above DNS", for
example those mentioned in RFC 3467 [17] (the subject of the SIREN
Research Group in the IRTF). This topic encompasses an effort to
decouple the naming realms that make sense to humans, with their
various forms of implied context for resolution, from the naming
realms that work for computers, with their implication of explicit
specification of resolution, and to define a mapping between them.
The DNS can't handle the types of names that often make sense to
people, because people always work in a context (such as a
geographical context of 'locality'), and it is no longer sufficient
for people to fit their needs into what the DNS can handle. For some
time it was considered possible to overload the semantics of the DNS
label (machine-parseable, vaguely human-recognizable), but it is
becoming evident that this is not a tenable approach, and some
distinction needs to be drawn between DNS names and context-sensitive
human-friendly strings.
3. Issues with Identities

3.1 Overloading the IP Address
skipping to change at page 18, line 23
identifier could remain constant while the routing prefix may have
changed. There were also some potential applications in the area of
supporting multi-homed networks, where a local network could be seen
via different routing prefixes. At present these aspects of the IPv6
address architecture are the topic of ongoing work in the IETF. One
of the fundamental issues with this form of approach is management of
an interface identifier space that is globally unique and persistent,
as well as being adequately robust. Current directions of activity
in this area indicate that self-assertion of identity using this
field within IPv6 is insufficiently robust to prevent various forms
of redirection attacks. Approaches currently being investigated are
looking deeper into various aspects of mechanisms that are intended
to provide corroboration of identity assertion in the face of locator
change, and additional protocol mechanisms appear to be a common
feature of the current proposals relating to multi-homing and aspects
of mobility.
3.2 Dynamic DNS Updates and Nomadism
An alternative to revising the semantics of the IP address is to move
the role of persistent identity into the DNS. Here the constant
identity of the device is its DNS name. In a mobile context, as the
device or network roams across the Internet, a sequence of secure
dynamic incremental updates to the DNS changes the association of the
constant DNS name to the new local IP address.
skipping to change at page 19, line 41
persist across the change. Despite the almost universal use of the
URL within web browsers, URLs are not an ideal candidate for a
persistent identity.
This weakness in the URL scheme has led to the consideration of many
alternate naming schemes, although the underlying requirements for
any candidate naming scheme are that it is cleanly mappable into a
URI-styled format and that there is a robust resolution system
associated with the name scheme. Resolution is a critical factor
here, as without the ability to operate in a predictable, robust,
scalable, trustable and reliable manner when translating an
identifier into a resource, entity or service access description, the
identifier scheme is of dubious value.
The requirement for persistent identifiers is not intended to
dispense with URLs, or similar forms of locators and service
descriptors, but to separate the notions of identification and
location, to use a distinct label space for each concept, and to use
a resolution mechanism to map from the identifier to the location
descriptor.
Work on the development of a unique permanent identifier space has
proceeded concurrently with the formalization of URL schemes, under
the name of URN (Uniform Resource Name) schemes. A specification
outlining the minimum requirements of the URN can be found in RFC
1737 [3]. The syntax of the URN as expressed in RFC 2141 [4] is as
follows:
   urn:<Namespace Identifier (NID)>:<Namespace Specific String (NSS)>
   The NID ensures the global uniqueness of the identifier. The NSS
   can take any form specified by the naming authority provided that
   it is unique within that namespace.
The simple structure of the identifier reflects recognition of the
need to accommodate different requirements and different schemes.
Because the local, or namespace-specific, string can be in any form,
the identifier structure allows maximum flexibility in the identifier
while providing a mechanism to assure global uniqueness and
facilitating interoperability between discrete systems.
skipping to change at page 20, line 40
any given name scheme.
This objective is consistent with the intentions behind the
development of the URN. A persistent identifier, especially when used
for archival data, must of necessity be capable of outlasting any
systems and protocols that are currently in use. However, the lack of
a commonly agreed upon resolution system is also a major obstacle to
the wide deployment of URNs.
A variety of solutions have been proposed, including the NAPTR
(Naming Authority PoinTeR) DNS resource record, RFC 2915 [8], which
provides rules for mapping parts of URIs to domain names and then
using these domain names as DNS lookup queries to find mapped URIs.
This specification has since been refined as the Dynamic Delegation
Discovery System (DDDS) [13][14][15][16]. As noted in RFC 3404 [16]:

   "For the short term, the Domain Name System (DNS) is the obvious
   candidate for the resolution framework, since it is widely
   deployed and understood. However, it is not appropriate to use DNS
   to maintain information on a per-resource basis. First of all,
   DNS was never intended to handle that many records. Second, the
   limited record size is inappropriate for catalogue information.
   Third, domain names are not appropriate as URNs. Therefore our
   approach is to use the DDDS to locate "resolvers" that can provide
   information on individual resources, potentially including the
   resource itself."
There appear to be some residual issues over the status of URNs. For
URNs to achieve widespread deployment, not only is consensus on
functional requirements and syntax needed, but the ability to
recognize and resolve URNs should be incorporated into the
application realm. For example, it would be a reasonable objective to
incorporate URN support in standard Web browsers. However, a
prerequisite for this step is the definition and construction of the
necessary resolving infrastructure, developed either by leveraging
off the existing Domain Name System or by some other route. As long
as application developers are uncertain of what is to be accepted as
a standard resolution mechanism, and while naming scheme developers
are uncertain of how to register their name and resolution schemes,
these issues will not be fully resolved.
Until the resolution issues are clarified and there is clear
consensus to adopt a particular specification, implementation of URN
systems will require some form of application level assistance by way
of proxy servers. The implication is that use of URNs will require
encapsulation in a URL in order to specify the appropriate proxy
server address.
draft-00:
   This approach has already been undertaken in the specification of
   PURLS [PURLS], which is a naming scheme that incorporates within the
   PURL a conventional URL reference to a resolver to specify a PURL
   resolution service and a name part of the URL that the resolution
   service translates to the resource URL. In a web-based context this
   is handed back to the client as an HTTP redirect.

draft-01:
   This approach has already been undertaken in the specification of
   PURLS [22], which is a naming scheme that incorporates within the
   PURL a conventional URL reference to a resolver to specify a PURL
   resolution service and a name part of the URL that the resolution
   service translates to the resource URL. In a web-based context this
   is handed back to the client as an HTTP redirect. The dependency of
   the identifier scheme on the behavior of a particular application
   (namely HTTP in this case) is not the most desirable of attributes
   for an identity scheme. If the PURL was to be used in a different
   context by a different application, a comparable redirection
   mechanism would be required to support the desired outcome.
In comparison, the Handle system [18] uses a non-URL name scheme, and
resolution in applications requires modification of the application.
The 'handle' itself is a persistent identifier consisting of two
parts. The syntax is a two part identifier of "<naming
authority>/<name>" where the naming authority is an administrative
unit authorized to create and maintain handles and the name of the
resource is a string which must be unique to that authority but which
has no prescribed syntax. Use of handles can be through standard web
browsers using a plug-in, or through unmodified web clients using
proxy servers and embedding the handle within a URL that specifies a
handle resolver in a manner similar to the PURL approach. The
specification of a distinct handle syntax allows handles to be used
in a broader set of contexts than web browsing as there is
independence of the identifier from a particular access protocol and
server location.
The issue of resolution of the compound identifiers remains
problematic, and the use of embedding the URN into a proxy URL to
undertake redirection can be argued as defeating the purpose of
having location and protocol independent identifiers, since the
resultant identifier includes the location of the proxy agent. The
full value of persistent identifiers to ensure persistence in
citations can only be realized if they are actually useful when
citing documents and objects. In order to use them, the user must
know that there is a persistent identifier and must be able to
discover what it is and how to resolve the identity. At present this
is difficult because of the nature of the redirects used in most
existing systems.
4. The DNS in Identity Spaces

How good are any of these identities? Which one should be used in
which context?
skipping to change at page 21, line 32 (draft-00) / page 23, line 9 (draft-01)
maintaining referential integrity, allowing efficient searching and
persistence of the identity. The human world, and its digital
counterpart, is far from static. Any identity system that aspires to
be useful in a human space needs to be able to support a maintenance
function that allows any implicit reference that is contained in an
identity space to be updated and refreshed in a reliable, trustable
and timely manner. Knowing who you were is a less important piece of
information as compared to knowing who you are right now. That leads
to consideration of structured identity spaces whose two major
attributes are:

o  sufficient structure to ensure that specific instances of the
   identity are unique, and

o  appropriate structure to allow rapid lookup of the identity to be
   able to retrieve the current set of associated pointers within
   various specified realms.
There is a good match between these desired attributes and those of
the DNS, and one perspective to be drawn from this is that the major
underpinning of useful and lasting digital identities rests within
the framework of the DNS. In other words any useful identity space is
skipping to change at page 23, line 19 (draft-00) / page 24, line 46 (draft-01)
When sending a query to a server, the server is to send the same data
back regardless of context. Further, the server should send either a
"match" which consists of one or more resource records, or a
"failure" which includes the special response "no such domain".

This implies that two users sending the same query from two different
locations at the same time should receive the same data in response.
Or, the same user using two different computers with different
operating systems should receive the same data.
draft-00:
   Having the DNS server doing a "search" or "fuzzy matching" is
   ill-advised, because the DNS server cannot know the context of the
   query, nor what the DNS response is to be used for. It is always easy
   to guess that the response is to be used by the most popular
   operating system, for the most popular application. It must though be
   remembered that other operating systems and other applications might
   break when fuzzy matching happens. For example, instead of giving
   back a "no such response" it is conceivable to give back something
   which pushes a potential error to the application layer by returning
   a synthesized answer that has resource records pointing to some form
   of application-level service. This implies the DNS server must know
   what application layer protocol is in use, and that a "no" at the
   application layer has the same semantics as a "no" on the DNS
   (naming) layer. Often TCP is used at the application layer which
   implies a "no" might only be signalled to the other end by not
   accepting the connection, which means the querying client cannot
   differentiate between "no such (dns) name" and "no response in
   application protocol".

draft-01:
   Having the DNS server doing a "search", undertaking "fuzzy matching"
   or inferring some additional context to a query that guides the
   server to choose a particular response is ill-advised. The DNS server
   cannot know the context of the query, nor should it guess what the
   DNS response is to be used for. It is always tempting to assume that
   the response is to be used by the most popular operating system for
   the most popular application of the day. It must though be remembered
   that other operating systems and other applications might break when
   fuzzy matching happens. For example, instead of giving back a "no
   such response" it is conceivable to give back something which pushes
   a potential error to the application layer by returning a synthesized
   answer that has resource records pointing to some form of
   application-level service. This implies the DNS server must know
   what application layer protocol is in use, and that a "no" at the
   application layer has the same semantics as a "no" on the DNS
   (naming) layer. Often TCP is used at the application layer which
   implies a "no" might only be signalled to the other end by not
   accepting the connection, which means the querying client cannot
   differentiate between "no such (dns) name" and "no response in
   application protocol".
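A model of the two server behaviours this paragraph contrasts, added here as illustration and not taken from the draft: a server that answers consistently with either a "match" or "no such domain", beside one that replaces "no such domain" with a synthesized record pointing at an application-level service, together with the random-label probe an operator can use to detect the synthesizing behaviour in a zone or resolver they are responsible for. The zone contents and the addresses (drawn from the RFC 5737 documentation range) are constructed.

```python
import secrets
from typing import Callable, Dict, List, Optional, Tuple

Answer = Tuple[str, Optional[List[str]]]   # (response code, resource records or None)
Zone = Dict[str, List[str]]
QueryFn = Callable[[Zone, str], Answer]

# Constructed zone for this example (addresses from the RFC 5737 documentation range).
ZONE: Zone = {
    "www.example.net.": ["192.0.2.10"],
    "mail.example.net.": ["192.0.2.25"],
}

# Constructed address of the "search page" a synthesizing server points clients at.
SERVICE_ADDR = "192.0.2.99"


def strict_query(zone: Zone, name: str) -> Answer:
    """The behaviour the text asks for: the same data regardless of who asks,
    and either a match (one or more records) or a failure ("no such domain")."""
    rrs = zone.get(name.lower())
    if rrs is None:
        return ("NXDOMAIN", None)
    return ("NOERROR", list(rrs))


def synthesizing_query(zone: Zone, name: str) -> Answer:
    """The ill-advised variant: on a non-existent name the server guesses the
    querier is a web browser and returns a synthesized record pointing at an
    application-level service instead of "no such domain"."""
    code, rrs = strict_query(zone, name)
    if code == "NXDOMAIN":
        return ("NOERROR", [SERVICE_ADDR])
    return (code, rrs)


def application_view(answer: Answer) -> str:
    """What a non-web client (say, a mail sender) can conclude from the answer.
    Given a synthesized record it must connect to find out the name is useless,
    and a refused TCP connection there looks exactly like a real server being down."""
    code, rrs = answer
    if code == "NXDOMAIN":
        return "name does not exist; do not connect"
    return f"connect to {rrs[0]}; a refusal there cannot be told apart from 'no such name'"


def synthesizes_nonexistent_names(query: QueryFn, zone: Zone,
                                  suffix: str = "example.net.") -> bool:
    """Operator-side check: ask for a random label that cannot exist in the zone.
    A records-bearing answer means the server is synthesizing, so the DNS layer
    no longer carries the "no" that the application layer relies on."""
    probe = f"{secrets.token_hex(8)}.{suffix}"
    code, rrs = query(zone, probe)
    return code == "NOERROR" and bool(rrs)


if __name__ == "__main__":
    for fn in (strict_query, synthesizing_query):
        print(fn.__name__, application_view(fn(ZONE, "nothere.example.net.")),
              "| synthesizes:", synthesizes_nonexistent_names(fn, ZONE))
```

The probe is the same check used to notice resolvers that rewrite NXDOMAIN into "helpful" answers: because the label is random, a positive answer can only come from synthesis, never from a legitimate record.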
4.4 Coherency of the DNS

skipping to change at page 24, line 39 (draft-00) / page 26, line 19 (draft-01)
can also give a higher freedom regarding context, as the bundles may
look different depending on such things as (parent) domain and
language.

4.5 The DNS as an Identity Glue
draft-00:
   When comparing the desired attributes of a useful identity system to
   the properties of the DNS it is evident that there is a reasonable
   level of fit between the DNS and a generic identity realm. The DNS
   provides a namespace that ensures uniqueness, is consistent, can
   support persistence, and referential consistency. There are a number
   of compromises that have, necessarily, been made in the design of the
   DNS. The space is structured in a manner that supports relatively
   efficient lookup over a large name space that has both hierarchical
   structuring and within that some areas of large flat name spaces. The
   DNS can support trust models in terms of being able to validate the
   authenticity of responses. The DNS can support a variety of resource
   records that allow a DNS name token to be used as a search object
   that can map to related values drawn from other identifier realms, as
   well as supporting indirect self-reference through the use of NAPTR
   records and URIs.

draft-01:
   When comparing the desired attributes of a useful identity system to
   the properties of the DNS it is evident that there is a reasonable
   level of fit between the DNS and a generic identity realm. The DNS
   provides a namespace that ensures uniqueness, is consistent, can
   support persistence, and referential consistency. The space is
   structured in a manner that supports relatively efficient lookup over
   a large name space that has both hierarchical structuring and within
   that some areas of large flat name spaces. The DNS can support trust
   models in terms of being able to validate the authenticity of
   responses. The DNS can support a variety of resource records that
   allow a DNS name token to be used as a search object that can map to
   related values drawn from other identifier realms, as well as
   supporting indirect self-reference through the use of NAPTR records
   and URIs.
There are obvious trade-offs in the design, protocol and deployment
of the DNS in terms of resiliency, dynamic behaviours and
scalability. While it is not argued here that the DNS represents the
only optimal trade-off between these properties, it is argued that
any other identity space with similar properties will be faced with
precisely the same set of trade-offs. It is also probable that any
similar identity space faced with the same requirements of
scalability, operational performance, accuracy and validity of
responses and flexibility of mapping the identity space to related
skipping to change at page 25, line 33 (draft-00) / page 27, line 13 (draft-01)
characteristics of the application that require the subsequent
exchange of information (such as location changes in a mobility
environment, or a server hand-over at the application level) this is
generally the task of components within the protocol stack, using a
trust relationship between the communicating parties to alter the
identity elements used within the stack to match the changing
characteristics.

5. Security Considerations
draft-00:
   [To be completed. Topics include wrong domain, napping, grabbing
   misspellings, multiple roots, etc.]

   [Also note that: identity realms need to operate with authenticity
   that can be verified in a trustable manner. DNSSEC is your friend.]

draft-01:
   Any identity system that provides a mapping from an identity value
   within one realm to an identity value (or set of values) within
   another realm will present a number of considerations with respect to
   security. The trust model for an identity system is that the mapping
   supported by the identity system is authentic, and that when the
   identity value is used as a key in a query operation, the response
   should be an accurate response that correctly represents the mapping
   originally provided by the assigned holder of that identity value.

   Equally, it is necessary to correctly report responses where an
   invalid or unassigned identity value is used, providing the query
   agent with a clear indication that the identity value is not
   assigned.

   In a hierarchically structured identity space there are a number of
   potential weak points in the identity space, where vulnerabilities
   exist for third parties to intercept queries and substitute a
   non-authentic response. This could involve misrepresentation of the
   root servers for the hierarchy, or misrepresentation of delegation
   points, as well as misrepresentation of responses for particular
   mapping queries.

   Any design of an identity space resolution service should be
   resilient to these forms of attack, by using appropriate mechanisms
   to reduce the risks of interception and misrepresentation in identity
   resolution operations. However, recognizing the lack of absolute
   assurances that a resolution system is resilient to all forms of
   attack, a resolution service should also be capable of exposing the
   trust model that exists within the identity space, and allow a user
   of the resolution service the ability to validate the response
   against the trust model. In other words authenticity should be a
   verifiable quality of the identity realm, rather than simply being an
   assertion that is interpretable only as an article of faith.

6. Acknowledgements

draft-00:
   The editors acknowledge the contributions made by Leslie Daigle and
   James Kempf.

draft-01:
   The editors acknowledge the contributions made by Brian Carpenter,
   Vint Cerf, Leslie Daigle, Joel Halpern, and James Kempf in the
   preparation of this document.
Informative References

[1]  Saltzer, J., "On the Naming and Binding of Network
     Destinations", RFC 1498, August 1993.

[2]  Berners-Lee, T., "Universal Resource Identifiers in WWW: A
     Unifying Syntax for the Expression of Names and Addresses of
     Objects on the Network as used in the World-Wide Web", RFC
     1630, June 1994.

[3]  Sollins, K. and L. Masinter, "Functional Requirements for
     Uniform Resource Names", RFC 1737, December 1994.

[4]  Moats, R., "URN Syntax", RFC 2141, May 1997.

[5]  Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform
     Resource Identifiers (URI): Generic Syntax", RFC 2396, August
     1998.

[6]  Kent, S. and R. Atkinson, "Security Architecture for the
     Internet Protocol", RFC 2401, November 1998.

[7]  Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6)
     Specification", RFC 2460, December 1998.

[8]  Mealling, M. and R. Daniel, "The Naming Authority Pointer
     (NAPTR) DNS Resource Record", RFC 2915, September 2000.

[9]  Faltstrom, P., "E.164 number and DNS", RFC 2916, September
     2000.

[10] Narten, T. and R. Draves, "Privacy Extensions for Stateless
     Address Autoconfiguration in IPv6", RFC 3041, January 2001.

[11] Droms, R. and W. Arbaugh, "Authentication for DHCP Messages",
     RFC 3118, June 2001.

[12] Mealling, M. and R. Denenberg, "Report from the Joint W3C/IETF
     URI Planning Interest Group: Uniform Resource Identifiers
     (URIs), URLs, and Uniform Resource Names (URNs): Clarifications
     and Recommendations", RFC 3305, August 2002.

[13] Mealling, M., "Dynamic Delegation Discovery System (DDDS) Part
     One: The Comprehensive DDDS", RFC 3401, October 2002.

[14] Mealling, M., "Dynamic Delegation Discovery System (DDDS) Part
     Two: The Algorithm", RFC 3402, October 2002.

[15] Mealling, M., "Dynamic Delegation Discovery System (DDDS) Part
     Three: The Domain Name System (DNS) Database", RFC 3403,
     October 2002.

[16] Mealling, M., "Dynamic Delegation Discovery System (DDDS) Part
     Four: The Uniform Resource Identifiers (URI)", RFC 3404,
     October 2002.

[17] Klensin, J., "Role of the Domain Name System (DNS)", RFC 3467,
     February 2003.

[18] Sun, S., Lannom, L. and B. Boesch, "Handle System Overview",
     RFC 3650, November 2003.

[19] IEEE, "Guidelines for use of a 48-bit Global Identifier
     (EUI-48)", December 2003, <http://standards.ieee.org/regauth/
     oui/tutorials/EUI48.html>.

[20] IEEE, "Guidelines for 64-bit Global Identifier (EUI-64)
     Registration Authority", December 2003, <http://
     standards.ieee.org/db/oui/tutorials/EUI64.html>.

[21] IEEE, "802.11 Wireless", December 2003, <http://
     standards.ieee.org/getieee802/802.11.html>.

[22] OCLC, "PURLS: Persistent Uniform Resource Locators", December
     1995, <http://purl.oclc.org/docs/new_purl_summary.html>.

[23] Shoch, J., "Internetwork Naming, Addressing, and Routing",
     Proceedings of the 17th IEEE Computer Society International
     Conference pp. 72-79, December 1978.

[24] Kunze, J. and R. Rodgers, "The ARK Persistent Identifier
     Scheme", draft-kunze-ark-07 (work in progress), February 2004.
Authors' Addresses

Patrik Faltstrom, Editor
Internet Architecture Board

EMail: paf@cisco.com

Geoff Huston, Editor
Internet Architecture Board

EMail: gih@telstra.net
Appendix A. IAB Members

Internet Architecture Board Members at the time this document was
completed were:

Bernard Aboba
Harald Alvestrand
Rob Austein
Leslie Daigle
Patrik Faltstrom
End of changes. 71 change blocks. 188 lines changed or deleted, 295 lines changed or added.

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/