Internet-Draft SPICE GLUE: GLobal Unique Enterprise Ide November 2024
Zundel & Dingle Expires 6 May 2025 [Page]
Workgroup:
Secure Patterns for Internet CrEdentials
Internet-Draft:
draft-zundel-spice-glue-id-latest
Published:
Intended Status:
Informational
Expires:
Authors:
B. Zundel
mesur.io
P. Dingle
Microsoft Corporation

SPICE GLUE: GLobal Unique Enterprise Identifiers

Abstract

This specification defines the glue URI scheme and the rules for encoding these URIs. It also establishes the registries necessary for management of this scheme.

About This Document

This note is to be removed before publishing as an RFC.

The latest revision of this draft can be found at https://mesur-io.github.io/draft-zundel-spice-glue-id/draft-zundel-spice-glue-id.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-zundel-spice-glue-id/.

Discussion of this document takes place on the Secure Patterns for Internet CrEdentials Working Group mailing list (mailto:spice@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/spice/. Subscribe at https://www.ietf.org/mailman/listinfo/spice/.

Source for this draft and an issue tracker can be found at https://github.com/mesur-io/draft-zundel-spice-glue-id.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 6 May 2025.

Table of Contents

1. Introduction

Enterprise entity identifiers are myriad. With the increasing use of digitial credentials, there is a need for a common methodology for expressing these identifiers such that claims about and by such entities can be made in a consistent and interoperable manner.

This specification defines a URI scheme that standardizes the expression of existing company entity identifers by providing a common representation format. It also establishes a registry for managing how existing company entity identification mechanisms relate to this scheme.

Any company entity identifier whose identification mechanism has been registered as an authority identifier in the registry may be represented as a glue URI.

2. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

The term "glue URI" is used to refer to a URI that uses the glue scheme.

TODO: define external authority, company entity

3. Core Concepts

Every glue URI, whether expressed as a string or encoded in binary MUST be comprised of the following components:

The Authority Identifier indicates the external authority responsible for assigning the External Number and the scheme used to do so.

The External Number is the identifier assigned to the company by the external authority.

3.1. Uniqueness and Namespacing

Each glue URI MUST be globally unique. It is assumed that most registered company entity identification schemes already handle any necessary namespacing as part of the external number. However, in the event that collisions are possible within the set of possible external identifiers for an authority identifier scheme, then further namespacing might be necessary at the glue id level. Such namespacing SHOULD be done on the authority identifier as part of the registration process.

That is, the different namespaces would be considered either different schemes operated by the same authority, or the same scheme operated by different authorities. In either case a unique authority identifier would be necessary for each.

For example, assume there is an external authority FEA that provides identifiers for company entities in USA and Canada. The identifiers in the USA are unique, and the identifiers in Canada are unique, but there is no guarantee that a company entity in Canada won't be assigned the same number as a company entity in the USA. Upon registration of FEA as an Authority Identifier, it would be necessary to seperately register FEA-USA and FEA-Can to provide differentiation between the two sets of external numbers.

4. Text Encoding of glue URIs

All glue URIs comply with [RFC3986] and are therefore represented by a scheme identifier and a scheme-specific part. The scheme identifier is: glue, and the scheme-specific parts are represented as a sequence of alphanumeric components separated by the '.' character. A formal definition is provided in the next section, but it can informally be considered as:

glue:<authority-identifier>.<external-number>

The Authority Identifier MUST be an alphanumeric string from the "Scheme" field of the glue URI Authority Identifier registry. The External Number MUST be the identifier assigned to the company by the external authority under the identified scheme.

5. DIDs and glue

TODO DIDs and glue

6. Security Considerations

TODO Security

7. Privacy Considerations

7.1. Private identifiers as corporate identifiers

There are some corporate identifers which make use of personal identifiers. This is the case for registered sole-proprietor businesses in much of the United States, where the business identifier may be the same as the social-security-number of the business owner.

It is possible for such identifers to be represented as glue URIs. An identifier's expression as a glue URI does not change the privacy characteristics of that identifier. The same cautions and concerns need to be taken with the glue URI representation as with the original identifier.

Implementers storing or evaluating glue ids are encouraged to evaluate the privacy characteristics of each identification scheme represented by an authority identifier and to appropriately handle any glue id which violates privacy policies.

8. IANA Considerations

The following sections detail requests to IANA for the creation of a new registry and registration of the 'glue' URI scheme.

8.2. 'glue' Scheme URI authority registry

IANA is requested to create a new registry entitled "'glue' Scheme URI Authority Identifiers". The registration policy for this registry is Expert Review as defined in [RFC8126].

Each entry in this registry associates one or more Authority Identifiers with a single organization. Within the registry, the organization is identified using the "Name" field. Each identified organization will be associated with one or more number of company identification schemes, which are listed in the "Scheme" field. A reference for each scheme is listed in the "Reference" field of the registry.

The initial values for the registry are:

Table 1
Name Scheme Reference
GS1 gln https://www.gs1.org/standards/id-keys/gln
GLEIF lei https://www.iso.org/standard/78829.html
Dun & Bradstreet duns https://www.dnb.com/duns.html
Private Enterprise Numbers pen https://www.iana.org/assignments/enterprise-numbers/

8.2.1. Guidance for Designated Experts

It is not required that registration of an Authority Identifier be done by a representative of the external authority.

8.3. URI Scheme Registration

The "glue" URI scheme is requested to be registered in the provisional "URI Schemes" registry. The information below is provided according to the guidelines from RFC 4395:

URI scheme name:

glue

Status:

provisional

URI scheme syntax:

See Section 4

9. Normative References

[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC3986]
Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, , <https://www.rfc-editor.org/rfc/rfc3986>.
[RFC8126]
Cotton, M., Leiba, B., and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 8126, DOI 10.17487/RFC8126, , <https://www.rfc-editor.org/rfc/rfc8126>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.

Acknowledgments

TODO acknowledge.

Authors' Addresses

Brent Zundel
mesur.io
Pamela Dingle
Microsoft Corporation