
ITU Focus Group on Identity Management, Geneva, February 2007. Norman Paskin: The Handle System. Corporation for National Research Initiatives


1 The Handle System

Norman Paskin, Corporation for National Research Initiatives
ITU Focus Group on Identity Management, Geneva, February 2007

2 The Handle System and Identity Management

Norman Paskin
– Corporation for National Research Initiatives
– Member of Handle System Advisory Committee
– I manage one implementation of the Handle System (DOI)

Handle System: a practical tool, in use today, deployed in several content sectors to deal with managing information on digital networks

Outline of the presentation:
Relevance to the ITU FG
Background
Handle System overview
Applications
Some projects
Usage statistics
Topics relevant to identity management: security, granularity
Relation to the Domain Name System
Management and standards

3 The Handle System and Identity Management

The Handle System is a general purpose distributed information system that provides efficient, extensible, and secure identifier and resolution services for use on networks such as the Internet.

Fits ITU FG scope: management of ... attributes of an entity

"The network level and in general lower layers have not been addressed sufficiently with regard to digital identity, and this remains a weak point in standardization and research"
– ITU Workshop on Digital Identity for Next Generation Networks, Dec 06

A non-commercial, openly available protocol and reference implementation
Can utilise existing or new numbering schemes
Developed at Corporation for National Research Initiatives (US)

4 The Handle System and Identity Management

Digital information needs to be a first class citizen in the networked environment
First class = one that has an identity independent of any other item
Current internet less than optimal for security, privacy, mobility. Original Internet design conflated addresses to serve two purposes: an indication of the location of the end point, and an indication of its identity – now recognised as a limitation (see e.g. NewArch*, FIND**)
*Future generation Internet architecture
**Future internet network design
The fundamental characteristic of digital information is that it is processable data, enabling re-use and hence new forms of electronic commerce, creativity and social benefit.
Managing these units of digital information, the citizens in the network, requires that they have unique names (or identifiers) denoting a specific referent, and the ability to manage their attributes
Objects (citizens) may be representations of content, people, parties, resources, licences, avatars, sensors, etc.

5 Part of Digital Object Architecture

Handle System is part of a wider architecture (but entirely separable and usable alone)
Managing information in the Net over very long periods of time – e.g. centuries or more
Dealing with very large amounts of information in the Net over time
When information, its location(s) and even the underlying systems may change dramatically over time
Respecting and protecting rights, interests and value
Robert Kahn/Robert Wilensky, "A framework for distributed digital object services", 1995

6 Terms

Identifier: unique persistent string (number, name, identifier) assigned to a referent
– Unique: one to many: an identifier specifies one and only one referent (but a referent may have more than one identifier)
– Persistent: once assigned, does not change referent
Resolution: process by which an identifier is input to a network service which returns some information
Referent: the object to which the identifier is assigned, whether or not resolution returns that object.
– may be abstract, physical or digital, since all these forms of object are of relevance in identifier management (e.g. creations, resources, agreements, people, organisations) – classical ontology issues
– Digital object: an instance of an abstract data type

7 Handle System overview

Basic Internet resolution system: identify objects, not servers. Optimized for speed, reliability, scaling
Open defined protocol and data model (IETF RFC 3650, 3651, 3652)
– free protocol; service at low cost (non-profit);
– freely available to be used as engine underneath other named identifiers.
Separation of control of the handle and who runs the servers
– distributed administration, granularity at the handle level
Any Unicode character set
– internationalisation
All transactions can be secure and certified
– Both registration and resolution
Not all data public: individual values within a handle can be private.
No semantics in the identifier
Logically centralized, physically distributed and highly scalable
Does not need DNS, but can work with DNS:
– deployed via tools e.g. http proxies, client plug-ins, server software, etc.

8 Handle syntax

A Handle consists of a prefix and suffix, e.g. 123/4567
Prefix and suffix may be any length, e.g. /456-mydoc
Suffix may incorporate another identifier numbering scheme, e.g. /ISBN
– Thereby adds functionality to that numbering scheme
Shorter prefixes (1-3 digits) reserved for major projects, countries, etc.

9 Handles resolve to typed data

One or more Handle values (type:value)
Resolution can return all values, or all values of one type

Schematic (simplified) representation of a handle record (figure: a handle of the form prefix/suffix, here /456, with its handle values):
Index  Data type  Data value
1      URL        ....
2      URL        ....
3      DLS        acme/repository
100    HS_ADMIN   acme.admin/jsmith

10 Handles resolve to typed data

Fuller representation of a handle record: e.g. the handle " /may99-payette" has a set of three handle values (field labels and some values were lost in the transcript):
: 3 :
: 2 : HS_ADMIN : acme.admin/jsmith
: 1 : URL : : {Relative: 24 hours} : PUBLIC_READ, ADMIN_WRITE : : {empty}

11 Handle System: typing

A handle has a set of values assigned to it = a record that consists of a group of fields.
The type field defines the syntax and semantics of a value's data
– e.g. URL (resolving to current location)
– pre-defined set of handle data types for administrative use
– registered handle data types for non-administrative use (URL, , and DESC): others being added*
Types may include:
– HS_PUBKEY: public key used to authenticate entities in the Handle System.
– HS_SECKEY: secret key password to access some service.
– DESC: UTF8-encoded descriptions of the object identified by the handle.
Full list at
* Handle System Advisory Committee is defining a recommended practice process
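A small model of the record structure described on slides 8 to 11, as an added example that is not from the presentation or from the Handle System software: splitting a handle into prefix and suffix, indexed typed values, and a resolve step that returns all values or only one type while withholding values that lack PUBLIC_READ from unauthenticated clients. The record contents, URL and secret are constructed.

```python
from dataclasses import dataclass

# Constructed model of a handle record: a handle is "<prefix>/<suffix>" and its
# record is a set of indexed, typed values, each carrying a permission flag.
# Illustration only, not the Handle System's own data model or API.


def split_handle(handle: str):
    """Return (prefix, suffix); the prefix ends at the first '/'."""
    prefix, sep, suffix = handle.partition("/")
    if not sep or not prefix or not suffix:
        raise ValueError(f"handle must be <prefix>/<suffix>: {handle!r}")
    return prefix, suffix


@dataclass
class HandleValue:
    index: int
    type: str          # e.g. URL, HS_ADMIN, HS_SECKEY, DESC
    data: str
    public_read: bool  # the PUBLIC_READ permission shown on slide 10


@dataclass
class HandleRecord:
    handle: str
    values: list

    def resolve(self, type_filter=None, authenticated=False):
        """All values, or all values of one type, visible to this client.

        Values without PUBLIC_READ are private and are withheld unless the
        client has authenticated to the server.
        """
        return [
            v for v in self.values
            if (type_filter is None or v.type == type_filter)
            and (v.public_read or authenticated)
        ]


def sample_record():
    """Constructed record for the handle 123/4567 from slide 8."""
    return HandleRecord("123/4567", [
        HandleValue(1, "URL", "http://example.org/4567", True),
        HandleValue(2, "DESC", "a sample digital object", True),
        HandleValue(100, "HS_ADMIN", "acme.admin/jsmith", True),
        # secret key for some service: readable only after authentication
        HandleValue(3, "HS_SECKEY", "<constructed secret>", False),
    ])
```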

12 Handle System usage (1)

Provides infrastructure for application domains, e.g. digital libraries & publishing, network management, id management...
International DOI Foundation
– Federation of several independent applications including e.g. CrossRef (scholarly journal consortium: covers 90+% of literature), Office of Publications of the European Community (EC documents), MEDRA (Multilingual European DOI Registration Agency), Nielsen BookData, R.R. Bowker, et al (bibliographic data - ISBN), German Nat. Lib. Science and Technology (science data)
– adds a layer of social infrastructure (and specific rules)
Defense Virtual Information Architecture
– Defense Technical Information Center (DTIC), DARPA, CNRI
– context sensitive distribution of data and metadata: resolution result depends on who you are
GRID computing
– Shared computing resources
– Handle System - Globus Toolkit Integration Project

13 Handle System usage (2)

DSpace - Digital Repository System
– MIT Libraries/Hewlett-Packard
– stable, long-term storage of intellectual output of faculty, researchers, centers and labs.
National Digital Library Program (NDLP)
– Library of Congress. Collections of historic materials converted to digital formats. LoC use handles to identify material in the library's own collections.
Los Alamos National Labs
– internal doc management (600m+)
Several Digital Library projects
– e.g. ARROW
Others who may adopt RFCs:
– e.g. Fedmark: independent commercial implementation of Handle protocols for digital rights system

14 Handle System projects

Some others of particular relevance to identity management...
Transient Network Architecture
– Pervasive transient mobile network in which all communications occur between persistently identified entities.
– CNRI/Univ New Mexico, under NSF's FIND (Future Internet Network Design) project
Using PKI capability for persistent trustworthy identity, separating:
– Transport trustworthy (name/attribute is binding)
– Administration trustworthy (attribute is issued by attribute holder)
– Attribute credential (attribute value is true)
Representing Value as Digital Objects: Transferability and Anonymity
– Deeds of trust, mortgages, bills of lading, digital cash etc.
– "Transferable records" structured as digital objects
Possible Application of Handles to licences and parties
– See separate talk on content industry identifiers

15 Handle System statistics

Assigned namespaces (prefix)
– DOI
– D-Space 500+
– Others 700+
Individual Handles (identifiers within each namespace)
– DOI 25+ M
– Other: 600?? millions; total per namespace known only to namespace manager; e.g. LANL adding 600M but privately
Global Handle System
– Core three service sites (added locations being considered)
– c. 60 million direct resolutions per month
– c. 50 million proxy server resolutions

16 Handle System: security

Integrity of the Global Handle Registry service: protected service information and public key pair used to sign global service information.
Handle protocol allows handle servers to authenticate their clients and to provide data integrity service on client request.
Handle servers can be explicitly asked to generate or return a digital signature for every service response (but normally don't)
Public key and/or secret key cryptography may be used.
Server authentication may be used to prevent eavesdroppers from forging client requests or tampering with server responses.
Client applications can (if wished) only accept information from the authoritative Global Handle Registry (not any mirrors) and check its integrity on each update.
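The client-side checks on slide 16, as an added illustration that is not from the presentation or the Handle System software: a server attaches an integrity tag to a resolution response on request, and the client accepts the response only if it comes from a server it trusts (here, only the authoritative registry) and the tag verifies. HMAC-SHA256 is assumed as a stand-in for the secret-key variant; the key, server names and record values are constructed.

```python
import hashlib
import hmac
import json

# Constructed illustration of the secret-key integrity service on slide 16.
# HMAC-SHA256 stands in for the Handle protocol's own signature formats;
# nothing here is the real wire format or API.


def encode_response(handle: str, values: list) -> bytes:
    """Canonical encoding so server and client tag identical bytes."""
    return json.dumps({"handle": handle, "values": values},
                      sort_keys=True, separators=(",", ":")).encode()


def serve_resolution(secret: bytes, handle: str, values: list):
    """Server side: return (response bytes, tag) when a signature was requested."""
    body = encode_response(handle, values)
    tag = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return body, tag


def accept_resolution(trusted: dict, server: str, body: bytes, tag: str):
    """Client side: accept only servers listed in `trusted` (e.g. the
    authoritative registry, not mirrors) and only untampered bodies.

    Returns the decoded response, or None when the server is not trusted or
    the body does not match the tag.
    """
    secret = trusted.get(server)
    if secret is None:
        return None
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return json.loads(body)


# Constructed keys and data: the client trusts only the authoritative registry.
REGISTRY_KEY = b"constructed-registry-key"
TRUSTED = {"global-registry": REGISTRY_KEY}
SAMPLE_VALUES = [{"index": 1, "type": "URL", "data": "http://example.org/4567"}]
```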

17 Handle System and DNS (1)

See Similarities and differences in both the design and intended use.
Naming
– DNS naming hierarchy reflects a control hierarchy, Handle System need not.
– Handle separates control of handle (id) from control of server (location)
Distributed Administration
– Handle administrators can add/delete identifier and identifier values securely over the public Internet.
Proxies
– Technical advantages regarding resolution work behind SOCKS or HTTP proxies, both supported in Handle client library (whereas DNS resolution from behind proxies is difficult/impossible).
Unicode
– Handle full native Unicode is supported. There are hacks to make DNS support 8-bit character sets, but they are not widely implemented.
Replication
– In DNS, if a single record is updated all records must be copied to mirror servers. The Handle System has finer granularity: if a single record is updated, the server will copy only that record to the mirror servers.

18 Handle System and DNS (2)

Certification
– DNS has to be fast, especially at the root. Not very good for alternative uses, e.g. certificates. Handle System has more flexible and robust certification support.
Access Control
– Handle System has support for access control and authentication. DNS does not.
Record Size
– Technical advantages regarding UDP and TCP handling: more efficient request handling; much larger storage in a record (DNS 64KB, Handle System 4GB).
Examples of integration with DNS:
– CNNIC Handle implementation offers secured DNS resolution via a Handle protocol interface. Further work will package the Handle-DNS software for public release; deploy the Handle-DNS server TLD registry and its subsidiaries; and establish an ENUM service and client software based on the Handle-DNS interface.
– Client library and proxies for use with http etc.

19 Handle System and granularity

Functional Granularity: it should be possible to identify an entity whenever it needs to be distinguished
First class naming: Digital objects should have first class names
DNS naming hierarchy reflects a control hierarchy
– DNS: whoever runs a node in the hierarchy controls who runs the nodes below it
– Handle separates control of handle (id) from control of server (location)
Handles are first class names:
– URLs: grouped by domain name and then by some sort of hierarchical structure, originally based on file trees
– Handles: each name stands on its own, unconnected to any DNS or other hierarchy. Can avoid broken URLs when control changes
Ownership: In DNS, the system administrator is considered the owner of the data; in the Handle System the prefix administrator is considered the owner.
– Each Handle identifier and prefix can have its own set of administrators independent from the system administrator.
Relationships between objects can be expressed:
– If you want to build a hierarchy you can – but on any basis
– Handles can refer to other handles (some applications have introduced a detailed data model to allow this – e.g. DOI)

20 Handle System management and standards

Specification
– RFC 3650: Overview
– RFC 3651: Namespace and Service Definition
– RFC 3652: Protocol
DoD Instruction 1322
– Mandates Handle System use as part of Advanced Distributed Learning
ISO standards track for DOI
– A Handle application for the content sector
– ISO TC46/SC9 (home of ISBN etc)
Governance: HSAC - Handle System Advisory Committee
– Approx 15 members representing big users
– Goal: evolve to oversee the system, autonomous (IETF etc)
– Currently by invitation; interest welcomed

21 Handle System home page

22 The Handle System

Norman Paskin, Tertius Ltd
ITU Focus Group on Identity Management, Geneva, February 2007
