Diffstat (limited to 'draft-schanzen-reclaimid.xml')
-rw-r--r-- | draft-schanzen-reclaimid.xml | 386 |
1 files changed, 386 insertions, 0 deletions
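--- /dev/null
+++ b/draft-schanzen-reclaimid.xml
@@ -0,0 +1,386 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent" [
+<!ENTITY RFC1034 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1034.xml">
+<!ENTITY RFC1035 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1035.xml">
+<!ENTITY RFC2119 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
+<!ENTITY RFC2782 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2782.xml">
+<!ENTITY RFC3629 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3629.xml">
+<!ENTITY RFC3686 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3686.xml">
+<!ENTITY RFC3826 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3826.xml">
+<!ENTITY RFC3912 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3912.xml">
+<!ENTITY RFC5869 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5869.xml">
+<!ENTITY RFC5890 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5890.xml">
+<!ENTITY RFC5891 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5891.xml">
+<!ENTITY RFC6781 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6781.xml">
+<!ENTITY RFC6895 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6895.xml">
+<!ENTITY RFC6979 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6979.xml">
+<!ENTITY RFC7748 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7748.xml">
+<!ENTITY RFC8032 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8032.xml">
+<!ENTITY RFC8126 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8126.xml">
+]>
+<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
+<?rfc strict="yes" ?>
+<?rfc toc="yes" ?>
+<?rfc symrefs="yes"?>
+<?rfc sortrefs="yes" ?>
+<?rfc compact="yes" ?>
+<?rfc subcompact="no" ?>
+<rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="info" docName="draft-schanzen-reclaimid-00" ipr="trust200902" obsoletes="" updates="" submissionType="IETF" xml:lang="en" version="3">
+<!-- xml2rfc v2v3 conversion 2.26.0 -->
+<front>
+<title abbrev="reclaimid">
+re:claimID - A System for Self-sovereign, Decentralised Identity Management and Personal Data Sharing
+</title>
+<seriesInfo name="Internet-Draft" value="draft-schanzen-reclaimid-00"/>
+<author fullname="Martin Schanzenbach" initials="M." surname="Schanzenbach">
+<organization>GNUnet e.V.</organization>
+<address>
+<postal>
+<street>Boltzmannstrasse 3</street>
+<city>Garching</city>
+<code>85748</code>
+<country>DE</country>
+</postal>
+<email>schanzen@gnunet.org</email>
+</address>
+</author>
+<author fullname="Christian Grothoff" initials="C." surname="Grothoff">
+<organization>Berner Fachhochschule</organization>
+<address>
+<postal>
+<street>Hoeheweg 80</street>
+<city>Biel/Bienne</city>
+<code>2501</code>
+<country>CH</country>
+</postal>
+<email>grothoff@gnunet.org</email>
+</address>
+</author>
+<author fullname="Bernd Fix" initials="B." surname="Fix">
+<organization>GNUnet e.V.</organization>
+<address>
+<postal>
+<street>Boltzmannstrasse 3</street>
+<city>Garching</city>
+<code>85748</code>
+<country>DE</country>
+</postal>
+<email>fix@gnunet.org</email>
+</address>
+</author>
+
+<!-- Meta-data Declarations -->
+<area>General</area>
+<workgroup>Independent Stream</workgroup>
+<keyword>identity management</keyword>
+<abstract>
+<t>This document contains the re:claimID technical specification.</t>
+</abstract>
+</front>
+<middle>
+<section anchor="introduction" numbered="true" toc="default">
+<name>Introduction</name>
+<t>
+re:claimID is a decentralized, self-sovereign identity management
+system. It allows users to be in control over their digital identities
+without having to rely on central identity provider services (IdPs) in
+order to share personal data.
+</t>
+<t>
+re:claimID is built upon the GNU Name System <xref target="GNS"/>
+for data sharing and storage.
+It leverages the zone privacy and key blinding properties of the name
+system in order to provide a secure sharing and authorization mechanism.
+</t>
+<t>
+The system supports both "self-asserted" as well as third party asserted
+identity attributes. The assertion mechanisms are out of scope of this
+document.
+</t>
+<t>
+The re:claimID system can used and integrated into the OpenID Connect
+protocol.
+</t>
+<t>
+This document defines the normative wire format of resource records, resolution processes,
+cryptographic routines and security considerations for use by implementors.
+</t>
+<t>
+The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
+NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
+"OPTIONAL" in this document are to be interpreted as described
+in <xref target="RFC2119"/>.
+</t>
+</section>
+<section anchor="identities" numbered="true" toc="default">
+<name>Identities</name>
+<t>
+An identity in re:claimID is defined through a zone in GNS.
+As such, the creation of a zone in GNS implicitly also creates
+a re:claimID identity.
+</t>
+<section anchor="attributes" numbered="true" toc="default">
+<name>Attributes</name>
+<t>
+A re:claimID identity attribute is stored in GNS under records
+of type "RECLAIM_ATTRIBUTE". An attribute consists of an identifier,
+an optional attestation identifier, a type, a flag, a name and data.
+The record format of a RECLAIM_ATTRIBUTE is as follows:
+</t>
+<figure anchor="figure_gnsattribute">
+<artwork name="" type="" align="left" alt=""><![CDATA[
+0 8 16 24 32 40 48 56
++-----+-----+-----+-----+-----+-----+-----+-----+
+| TYPE | FLAG |
++-----+-----+-----+-----+-----+-----+-----+-----+
+| ID |
++-----+-----+-----+-----+-----+-----+-----+-----+
+| ATTESTATION |
++-----+-----+-----+-----+-----+-----+-----+-----+
+| NSIZE | DSIZE |
++-----+-----+-----+-----+-----+-----+-----+-----+
+/ NAME + DATA /
+/ /
++-----------------------------------------------+
+]]></artwork>
+<!-- <postamble>which is a very simple example.</postamble>-->
+</figure>
+<t>
+where:
+</t>
+<dl>
+<dt>TYPE</dt>
+<dd>
+Is the 32 bit attribute type as defined in the GANA registry.
+</dd>
+<dt>FLAG</dt>
+<dd>
+Is a 32 bit attribute flag combination as defined in the GANA registry
+</dd>
+<dt>ID</dt>
+<dd>
+Is a 64 bit attribute identifier.
+</dd>
+<dt>ATTESTATION</dt>
+<dd>
+Is the 64 bit credential identifier which asserts this attribute.
+0 means no attestation.
+</dd>
+<dt>NSIZE</dt>
+<dd>
+32 bit length of the attribute name in bytes.
+</dd>
+<dt>DSIZE</dt>
+<dd>
+32 bit length of the attribute data.
+</dd>
+<dt>NAME</dt>
+<dd>
+The attribute name. A UTF-8 string.
+</dd>
+<dt>DATA</dt>
+<dd>
+The attribute data.
+</dd>
+</dl>
+</section>
+<section anchor="credentials" numbered="true" toc="default">
+<name>Credentials</name>
+<t>
+A re:claimID credential is stored in GNS under records
+of type "RECLAIM_CREDENTIAL". A credential consists of an identifier,
+a type, a flag, a name and data.
+The record format of a RECLAIM_CREDENTIAL is as follows:
+</t>
+<figure anchor="figure_gnscred">
+<artwork name="" type="" align="left" alt=""><![CDATA[
+0 8 16 24 32 40 48 56
++-----+-----+-----+-----+-----+-----+-----+-----+
+| TYPE | FLAG |
++-----+-----+-----+-----+-----+-----+-----+-----+
+| ID |
++-----+-----+-----+-----+-----+-----+-----+-----+
+| NSIZE | DSIZE |
++-----+-----+-----+-----+-----+-----+-----+-----+
+/ NAME + DATA /
+/ /
++-----------------------------------------------+
+]]></artwork>
+<!-- <postamble>which is a very simple example.</postamble>-->
+</figure>
+<t>
+where:
+</t>
+<dl>
+<dt>TYPE</dt>
+<dd>
+Is the 32 bit credential type as defined in the GANA registry.
+</dd>
+<dt>FLAG</dt>
+<dd>
+Is a 32 bit credential flag combination as defined in the GANA registry
+</dd>
+<dt>ID</dt>
+<dd>
+Is a 64 bit credential identifier.
+</dd>
+<dt>NSIZE</dt>
+<dd>
+32 bit length of the credential name in bytes.
+</dd>
+<dt>DSIZE</dt>
+<dd>
+32 bit length of the credential data.
+</dd>
+<dt>NAME</dt>
+<dd>
+The credential name. A UTF-8 string.
+</dd>
+<dt>DATA</dt>
+<dd>
+The credential data.
+</dd>
+</dl>
+</section>
+<section anchor="tickets" numbered="true" toc="default">
+<name>Tickets</name>
+<section anchor="attrrefs" numbered="true" toc="default">
+<name>Attribute References</name>
+</section>
+<section anchor="credpres" numbered="true" toc="default">
+<name>Credential Presentations</name>
+</section>
+</section>
+</section>
+<section anchor="access" numbered="true" toc="default">
+<name>Access Management</name>
+<section anchor="authorization" numbered="true" toc="default">
+<name>Authorization</name>
+</section>
+<section anchor="revocation" numbered="true" toc="default">
+<name>Revocation</name>
+</section>
+</section>
+<section anchor="openid" numbered="true" toc="default">
+<name>OpenID Connect Integration</name>
+<section anchor="openidclientreg" numbered="true" toc="default">
+<name>Client Registration</name>
+</section>
+<section anchor="AuthorizationCode" numbered="true" toc="default">
+<name>Authorization Code</name>
+</section>
+<section anchor="IDToken" numbered="true" toc="default">
+<name>ID Token</name>
+</section>
+<section anchor="UserinfoEndpoint" numbered="true" toc="default">
+<name>Userinfo Endpoint</name>
+</section>
+
+</section>
+<section anchor="encoding" numbered="true" toc="default">
+<name>Internationalization and Character Encoding</name>
+<t>
+All attribute names in re:claimID are encoded in UTF-8
+<xref target="RFC3629" />.
+</t>
+</section>
+
+<section anchor="security" numbered="true" toc="default">
+<name>Security Considerations</name>
+</section>
+<section anchor="gana" numbered="true" toc="default">
+<name>GANA Considerations</name>
+<t>
+GANA is requested to populate this registry as follows:
+</t>
+<figure anchor="figure_rrtypenums">
+<artwork name="" type="" align="left" alt=""><![CDATA[
+Number: 65549
+Name: RECLAIM_TICKET
+Contact: N/A
+References: [This.I-D]
+Description: Ticket
+
+Number: 65549
+Name: RECLAIM_ATTRIBUTE
+Contact: N/A
+References: [This.I-D]
+Description: Identity attribute
+
+Number: 65550
+Name: RECLAIM_ATTRIBUTE_REF
+Contact: N/A
+References: [This.I-D]
+Description: Refrerence to identity attribute
+
+Number: 65551
+Name: RECLAIM_OIDC_CLIENT
+Contact: N/A
+References: [This.I-D]
+Description: OIDC client description
+
+Number: 65552
+Name: RECLAIM_OIDC_REDIRECT
+Contact: N/A
+References: [This.I-D]
+Description: OIDC client redirect(s)
+
+Number: 65553
+Name: RECLAIM_CREDENTIAL
+Contact: N/A
+References: [This.I-D]
+Description: Credential
+
+Number: 65554
+Name: RECLAIM_PRESENTATION
+Contact: N/A
+References: [This.I-D]
+Description: Credential presentation
+]]></artwork>
+</figure>
+<t>
+GANA is requested to amend the "GNUnet Signature Purpose" registry
+as follows:
+</t>
+<figure anchor="figure_purposenums">
+<artwork name="" type="" align="left" alt=""><![CDATA[
+Purpose: 27
+Name: RECLAIM_CODE_SIGN
+References: [This.I-D]
+Description: Signature in OIDC authorization code
+]]></artwork>
+</figure>
+</section>
+<!-- gana -->
+<section>
+<name>Test Vectors</name>
+</section>
+</middle>
+<back>
+<references>
+<name>Normative References</name>
+
+&RFC2119;
+&RFC3629;
+
+<reference anchor="GNS" target="https://lsd.gnunet.org/lsd0001">
+<front>
+<title>The GNU Name System</title>
+<author initials="M." surname="Schanzenbach" fullname="Martin Schanzenbach">
+<organization>GNUnet e.V.</organization>
+</author>
+
+<author initials="C." surname="Grothoff" fullname="Christian Grothoff">
+<organization>GNUnet e.V.</organization>
+</author>
+
+<author initials="B." surname="Fix"
+fullname="Bernd Fix">
+<organization>GNUnet e.V.</organization>
+</author>
+<date year="2020" month="March"/>
+</front>
+</reference>
+</references>
+</back>
+</rfc>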
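Review bot: The GANA record-type table in the "GANA Considerations" artwork assigns `Number: 65549` to both RECLAIM_TICKET and RECLAIM_ATTRIBUTE, so one of the two entries needs a distinct value; the remaining entries run 65550–65554 consecutively, and which of the two is wrong is for the authors to decide rather than a reviewer to guess. The same artwork carries the typo `Description: Refrerence to identity attribute` → `Description: Reference to identity attribute`, and the introduction reads `The re:claimID system can used and integrated into the OpenID Connect` → `The re:claimID system can be used and integrated into the OpenID Connect`. The RECLAIM_ATTRIBUTE and RECLAIM_CREDENTIAL record layouts both carry NSIZE and DSIZE length fields while the Security Considerations section is still empty; I would add one sentence to each record-format description stating that a record whose NSIZE plus DSIZE does not match the remaining record length MUST be rejected by the parser, and make DSIZE's unit explicit as NSIZE already does (`32 bit length of the attribute data in bytes.`). Minor: the "Test Vectors" section is the only one without an `anchor` attribute, which will matter once other sections need to cross-reference it.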