Skip to main content

SPICE GLUE: GLobal Unique Enterprise Identifiers
draft-zundel-spice-glue-id-01

Document Type Active Internet-Draft (individual)
Authors Brent Zundel , Pamela Dingle
Last updated 2024-10-21
RFC stream (None)
Intended RFC status (None)
Formats
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date (None)
Responsible AD (None)
Send notices to (None)
draft-zundel-spice-glue-id-01
Secure Patterns for Internet CrEdentials                       B. Zundel
Internet-Draft                                                  mesur.io
Intended status: Informational                                 P. Dingle
Expires: 24 April 2025                             Microsoft Corporation
                                                         21 October 2024

            SPICE GLUE: GLobal Unique Enterprise Identifiers
                     draft-zundel-spice-glue-id-01

Abstract

   This specification defines the glue URI scheme and the rules for
   encoding these URIs.  It also establishes the registries necessary
   for management of this scheme.

About This Document

   This note is to be removed before publishing as an RFC.

   The latest revision of this draft can be found at https://mesur-
   io.github.io/draft-zundel-spice-glue-id/draft-zundel-spice-glue-
   id.html.  Status information for this document may be found at
   https://datatracker.ietf.org/doc/draft-zundel-spice-glue-id/.

   Discussion of this document takes place on the Secure Patterns for
   Internet CrEdentials Working Group mailing list
   (mailto:spice@ietf.org), which is archived at
   https://mailarchive.ietf.org/arch/browse/spice/.  Subscribe at
   https://www.ietf.org/mailman/listinfo/spice/.

   Source for this draft and an issue tracker can be found at
   https://github.com/mesur-io/draft-zundel-spice-glue-id.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

Zundel & Dingle           Expires 24 April 2025                 [Page 1]
Internet-Draft  SPICE GLUE: GLobal Unique Enterprise Ide    October 2024

   This Internet-Draft will expire on 24 April 2025.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Conventions and Definitions . . . . . . . . . . . . . . . . .   3
   3.  Core Concepts . . . . . . . . . . . . . . . . . . . . . . . .   3
     3.1.  Uniqueness and Namespacing  . . . . . . . . . . . . . . .   3
   4.  Text Encoding of glue URIs  . . . . . . . . . . . . . . . . .   4
     4.1.  glue URI Scheme Text Syntax . . . . . . . . . . . . . . .   4
   5.  DIDs and glue . . . . . . . . . . . . . . . . . . . . . . . .   4
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   4
   7.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .   4
     7.1.  Private identifiers as corporate identifiers  . . . . . .   4
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   5
     8.1.  'glue' URI Scheme Registration  . . . . . . . . . . . . .   5
     8.2.  'glue' Scheme URI authority registry  . . . . . . . . . .   5
     8.3.  URI Scheme Registration . . . . . . . . . . . . . . . . .   6
   9.  Normative References  . . . . . . . . . . . . . . . . . . . .   6
   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .   7
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   7

1.  Introduction

   Enterprise entity identifiers are myriad.  With the increasing use of
   digitial credentials, there is a need for a common methodology for
   expressing these identifiers such that claims about and by such
   entities can be made in a consistent and interoperable manner.

   This specification defines a URI scheme that standardizes the
   expression of existing company entity identifers by providing a
   common representation format.  It also establishes a registry for
   managing how existing company entity identification mechanisms relate
   to this scheme.

Zundel & Dingle           Expires 24 April 2025                 [Page 2]
Internet-Draft  SPICE GLUE: GLobal Unique Enterprise Ide    October 2024

   Any company entity identifier whose identification mechanism has been
   registered as an authority identifier in the registry may be
   represented as a glue URI.

2.  Conventions and Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   The term "glue URI" is used to refer to a URI that uses the glue
   scheme.

   TODO: define external authority, company entity

3.  Core Concepts

   Every glue URI, whether expressed as a string or encoded in binary
   MUST be comprised of the following components:

   *  The Authority Identifier

   *  The External Number

   The Authority Identifier indicates the external authority responsible
   for assigning the External Number and the scheme used to do so.

   The External Number is the identifier assigned to the company by the
   external authority.

3.1.  Uniqueness and Namespacing

   Each glue URI MUST be globally unique.  It is assumed that most
   registered company entity identification schemes already handle any
   necessary namespacing as part of the external number.  However, in
   the event that collisions are possible within the set of possible
   external identifiers for an authority identifier scheme, then further
   namespacing might be necessary at the glue id level.  Such
   namespacing SHOULD be done on the authority identifier as part of the
   registration process.

   That is, the different namespaces would be considered either
   different schemes operated by the same authority, or the same scheme
   operated by different authorities.  In either case a unique authority
   identifier would be necessary for each.

Zundel & Dingle           Expires 24 April 2025                 [Page 3]
Internet-Draft  SPICE GLUE: GLobal Unique Enterprise Ide    October 2024

   For example, assume there is an external authority FEA that provides
   identifiers for company entities in USA and Canada.  The identifiers
   in the USA are unique, and the identifiers in Canada are unique, but
   there is no guarantee that a company entity in Canada won't be
   assigned the same number as a company entity in the USA.  Upon
   registration of FEA as an Authority Identifier, it would be necessary
   to seperately register FEA-USA and FEA-Can to provide differentiation
   between the two sets of external numbers.

4.  Text Encoding of glue URIs

   All glue URIs comply with [RFC3986] and are therefore represented by
   a scheme identifier and a scheme-specific part.  The scheme
   identifier is: glue, and the scheme-specific parts are represented as
   a sequence of alphanumeric components separated by the '.' character.
   A formal definition is provided in the next section, but it can
   informally be considered as:

   glue:<authority-identifier>.<external-number>

   The Authority Identifier MUST be an alphanumeric string from the
   "Scheme" field of the glue URI Authority Identifier registry.  The
   External Number MUST be the identifier assigned to the company by the
   external authority under the identified scheme.

4.1.  glue URI Scheme Text Syntax

   TODO ABNF

5.  DIDs and glue

   TODO DIDs and glue

6.  Security Considerations

   TODO Security

7.  Privacy Considerations

7.1.  Private identifiers as corporate identifiers

   There are some corporate identifers which make use of personal
   identifiers.  This is the case for registered sole-proprietor
   businesses in much of the United States, where the business
   identifier may be the same as the social-security-number of the
   business owner.

Zundel & Dingle           Expires 24 April 2025                 [Page 4]
Internet-Draft  SPICE GLUE: GLobal Unique Enterprise Ide    October 2024

   It is possible for such identifers to be represented as glue URIs.
   An identifier's expression as a glue URI does not change the privacy
   characteristics of that identifier.  The same cautions and concerns
   need to be taken with the glue URI representation as with the
   original identifier.

   Implementers storing or evaluating glue ids are encouraged to
   evaluate the privacy characteristics of each identification scheme
   represented by an authority identifier and to appropriately handle
   any glue id which violates privacy policies.

8.  IANA Considerations

   The following sections detail requests to IANA for the creation of a
   new registry and registration of the 'glue' URI scheme.

8.1.  'glue' URI Scheme Registration

   TODO

8.2.  'glue' Scheme URI authority registry

   IANA is requested to create a new registry entitled "'glue' Scheme
   URI Authority Identifiers".  The registration policy for this
   registry is Expert Review as defined in [RFC8126].

   Each entry in this registry associates one or more Authority
   Identifiers with a single organization.  Within the registry, the
   organization is identified using the "Name" field.  Each identified
   organization will be associated with one or more number of company
   identification schemes, which are listed in the "Scheme" field.  A
   reference for each scheme is listed in the "Reference" field of the
   registry.

   The initial values for the registry are:

Zundel & Dingle           Expires 24 April 2025                 [Page 5]
Internet-Draft  SPICE GLUE: GLobal Unique Enterprise Ide    October 2024

+==================+========+===========================================+
| Name             | Scheme | Reference                                 |
|                  |        |                                           |
+==================+========+===========================================+
| GS1              |  gln   | https://www.gs1.org/standards/id-keys/gln |
|                  |        |                                           |
+------------------+--------+-------------------------------------------+
| GLEIF            |  lei   | https://www.iso.org/standard/78829.html   |
|                  |        |                                           |
+------------------+--------+-------------------------------------------+
| Dun & Bradstreet |  duns  | https://www.dnb.com/duns.html             |
|                  |        |                                           |
+------------------+--------+-------------------------------------------+
| Private Enterprise Numbers | pen | https://www.iana.org/assignments/enterprise-numbers/ |
|                            |     |                                                      |
+----------------------------+-----+------------------------------------------------------+

   ### Guidance for Designated Experts

   It is not required that registration of an Authority Identifier be
   done by a representative of the external authority.

8.3.  URI Scheme Registration

   The "glue" URI scheme is requested to be registered in the
   provisional "URI Schemes" registry.  The information below is
   provided according to the guidelines from RFC 4395: * URI scheme
   name: glue * Status: provisional * URI scheme syntax: See Section 4.1
   of Text Encoding of glue URIs (Section 4)

9.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/rfc/rfc2119>.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, DOI 10.17487/RFC3986, January 2005,
              <https://www.rfc-editor.org/rfc/rfc3986>.

   [RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for
              Writing an IANA Considerations Section in RFCs", BCP 26,
              RFC 8126, DOI 10.17487/RFC8126, June 2017,
              <https://www.rfc-editor.org/rfc/rfc8126>.

Zundel & Dingle           Expires 24 April 2025                 [Page 6]
Internet-Draft  SPICE GLUE: GLobal Unique Enterprise Ide    October 2024

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.

Acknowledgments

   TODO acknowledge.

Authors' Addresses

   Brent Zundel
   mesur.io
   Email: brent.zundel@gmail.com

   Pamela Dingle
   Microsoft Corporation
   Email: pamela.dingle@microsoft.com

Zundel & Dingle           Expires 24 April 2025                 [Page 7]