idnits 2.17.1
draft-milinovic-6338bis-00.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
No issues found here.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
-- The document date (July 08, 2020) is 1387 days in the past. Is this
intentional?
Checking references for intended status: Informational
----------------------------------------------------------------------------
** Obsolete normative reference: RFC 2818 (ref. '3') (Obsoleted by RFC 9110)
** Obsolete normative reference: RFC 5246 (ref. '4') (Obsoleted by RFC 8446)
** Obsolete normative reference: RFC 3406 (ref. '5') (Obsoleted by RFC 8141)
-- Obsolete informational reference (is this intentional?): RFC 2141 (ref.
'11') (Obsoleted by RFC 8141)
Summary: 3 errors (**), 0 flaws (~~), 1 warning (==), 2 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
Network Working Group                                       M. Milinovic
Internet-Draft  University Computing Centre, University of Zagreb (SRCE)
Obsoletes: 6338 (if approved)                              July 08, 2020
Intended status: Informational
Expires: January 9, 2021


    Definition of a Uniform Resource Name (URN) Namespace for the Schema for
                              Academia (SCHAC)
                        draft-milinovic-6338bis-00

Abstract

   This document describes a Uniform Resource Name (URN) namespace for
   the Schema for Academia (SCHAC).

   The namespace described in this document is for naming persistent
   resources defined by the SCHAC participants internationally, their
   working groups, and other designated subordinates.  The main use of
   this namespace will be for the creation of controlled vocabulary
   values for attributes in the SCHAC schema.  These values will be
   associated with particular instances of persons or objects belonging
   to any of the SCHAC object classes.

   This document obsoletes RFC 6338.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 9, 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

1.  Introduction

   The Schema for Academia (SCHAC) international activity was born
   inside the Task Force on European Middleware Coordination and
   Collaboration (TF-EMC2) of the Trans-European Research and Education
   Networking Association ([6]).  The initial aim of SCHAC was to
   harmonize the disjoint person schemas of the participating countries
   in order to have a common way for expressing data about persons,
   exchanged between educational organizations.  SCHAC, like other
   person schemas, is designed to ease the sharing of information about
   a given individual between parties, mostly, but not limited to,
   educational and research institutions.  The main aims of this sharing
   are to provide resources to individuals and to allow said individuals
   to move, virtually and physically, between such institutions.  Thus,
   the SCHAC schema was defined with input from all participants'
   national person schemas [7].

   SCHAC does not supplant other person schemas such as
   organizationalPerson [8], inetOrgPerson [9], or [10]; it extends
   those where needed for the purposes of Higher Education outside the
   United States.  This characteristic has made SCHAC, originally a
   European effort, useful for groups outside Europe.

   TERENA joined forces with DANTE in 2014 to become the organization
   known as GEANT [18].  At the same time, TERENA delegated schema
   management to [17].

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [1].

3.  Specification Template

   Namespace ID:

      schac

   Registration Information:

      Registration Version Number: 2

      Registration Date: 2019-10-30

   Registrant of the namespace:

      REFEDS
      c/o GEANT
      Hoekenrode 3
      1102 BR Amsterdam
      The Netherlands

   Designated contacts:

      Contact: Schema Editorial Board
      Affiliation: REFEDS, GEANT
      Hoekenrode 3
      1102 BR Amsterdam
      The Netherlands

      EMail: schema-board@lists.refeds.org

   Syntactic structure:

      The Namespace Specific Strings (NSSs) of all URNs assigned by
      SCHAC will conform to the syntax defined in Section 2.2 of [11],
      "URN Syntax".  In addition, all SCHAC URN NSSs will consist of a
      left-to-right series of tokens delimited by colons.  The left-to-
      right sequence of colon-delimited tokens corresponds to descending
      nodes in a tree.  To the right of the lowest naming authority
      node, there may be zero, one, or more levels of hierarchical
      naming nodes terminating in a rightmost leaf node.  See the
      "Identifier assignment" section below for more on the semantics of
      NSSs.  This syntax convention is captured in the following
      normative ABNF rules for SCHAC NSSs (see [2]):
      SCHAC-NSS = 1*subStChar *( ":" 1*subStChar )

      subStChar = trans / "%" HEXDIG HEXDIG

      trans     = ALPHA / DIGIT / other / reserved

      other     = "(" / ")" / "+" / "," / "-" / "." /
                  "=" / "@" / ";" / "$" /
                  "_" / "!" / "*" / "'"

      reserved  = "/" / "?" / "#"

      The exclusion of the colon from the list of "other" characters
      means that the colon can only occur as a delimiter between string
      tokens.  Note that this ABNF rule set guarantees that any valid
      SCHAC NSS is also a valid RFC 2141 NSS.

   Relevant ancillary documentation:

      None.

   Identifier uniqueness:

      It is the responsibility of REFEDS to guarantee uniqueness of the
      names of immediately subordinate naming authorities.  Each lower-
      level naming authority in turn inherits the responsibility of
      guaranteeing uniqueness of names in its branch of the naming tree.

   Identifier persistence:

      REFEDS bears ultimate responsibility for maintaining the usability
      of SCHAC URNs over time.  This responsibility MAY be delegated to
      subordinate naming authorities per the discussion in the section
      below on identifier assignment.  That section provides a mechanism
      for the delegation to be revoked in the case where a subordinate
      naming authority ceases to function.

   Identifier assignment:

      REFEDS will create an initial series of immediately subordinate
      naming authorities, and will define a process for adding to that
      list of authorities.  Such a list, and the policy for adding to
      it, will be published at the root registry page.  Each country
      with a representative in SCHAC will be invited to designate a
      naming authority.  Country-specific namespaces based on the
      country Internet Top-Level Domain (TLD) [12] will then be assigned
      to the designated authority.  The subordinated namespaces int and
      eu will remain under REFEDS authority, controlled by the SCHAC
      activity members, for entities of global, international, or
      European interest.  There is also the possibility of granting
      subordinate namespaces to multi-country organizations; in this
      case, the organizational Internet Fully Qualified Domain Name
      (FQDN) will be used as the prefix.

      As an example, a European-level interest entity would be any value
      related to information used in the Higher Education European
      Space, or the so-called Bologna process.  Such entities will
      belong in the eu subordinate namespace.

      Global international entities could encompass values related to
      the Grid community or values useful both for some European and for
      some Australian universities.  Such entities would belong in the
      int subordinate namespace.

      Examples of multi-country organizations include GEANT itself or an
      association like the Educational Policy Institute (EPI)
      (educationalpolicy.org) that has members from Australia, Canada,
      and the US.

      URNs intended for values of SCHAC attributes will include the
      attribute name immediately after the NSS prefix, before any
      geographical namespace delegation, such that any string can convey
      information about the attribute for which it is a value.  For
      example, values for schacUserStatus will be of the form:

         urn:schac:userStatus:int
         urn:schac:userStatus:au or
         urn:schac:userStatus:terena.org

      If at all possible, automated registry publication mechanisms will
      be provided, based on the work on distributed URN registries done
      by REFEDS.

      Institutions and communities affiliated with SCHAC participants
      may request that they be granted subordinate naming authority
      status.  Uniqueness of these namespaces under country authority
      will be based on the requestor's Internet FQDN.  This
      subordination procedure SHOULD be carried along the delegation
      chain; i.e., if at all possible, all entities that receive a
      delegated namespace MUST have a valid FQDN and MUST publish an
      Internet accessible URN value registry, based on the URN registry
      mechanisms designed by REFEDS.

      On at least an annual basis, REFEDS will contact the liaisons or
      directors of each immediately subordinate naming authority.  If
      there is no response, or if the respondent indicates that they
      wish to relinquish naming authority, the authority over that
      branch of the tree reverts to REFEDS.  This process will be
      enforced recursively by each naming authority on its subordinates.
      This process guarantees that responsibility for each branch of the
      tree will lapse for less than one year, at worst, before being
      reclaimed by a superior authority.

      Lexical equivalence of two SCHAC Namespace Specific Strings (NSSs)
      is defined below as an exact, case-sensitive string match.  REFEDS
      will assign names of immediately subordinate naming authorities in
      lowercase only.  This forestalls the registration of two SCHAC-
      subordinate naming authorities whose names differ only in case.
      Attribute names will use the same mixed-case format as in the
      schema definition.

   Identifier resolution:

      The namespace is not currently listed with a Resolution Discovery
      System (RDS), but nothing about the namespace prohibits the future
      definition of appropriate resolution methods or listing with an
      RDS.

      REFEDS will maintain a registry of all SCHAC-assigned URN values,
      both final and for delegation, on its web site:

      Delegation entries will have a pointer to the registry of the
      subordinate naming authority.  This SHOULD recurse down the
      delegation tree, but registries for several delegated namespaces
      MAY be maintained by a single naming authority.

      All registries MUST publish their URNs over https links [3].  The
      https links MUST be secured by sites offering credentials signed
      by a SCHAC-community recognized Certification Authority (CA) using
      the latest secure methods for accessing a web site (which at
      present is the latest version of Transport Layer Security (TLS)
      [4]).  Registries SHOULD consider the user interface implications
      of their choice of CA, taking into account issues like browser
      alerts and blind trust.

   Lexical equivalence:

      Lexical equivalence of two SCHAC Namespace Specific Strings (NSSs)
      is defined as an exact, case-sensitive string match.

   Conformance with URN syntax:

      All SCHAC NSSs fully conform to RFC 2141 syntax rules for NSSs.

   Validation mechanism:

      As specified in the "Identifier resolution" section above, TERENA
      will maintain an index of all SCHAC-assigned URNs on its web site:
      Presence in that registry or in any subordinate registry implies
      that a given URN is valid.  Delegated naming authorities MUST
      guarantee that values are valid in their assigned spaces.

   Scope:

      Global.

4.  Examples

   The following examples are not guaranteed to be real.  They are
   listed for pedagogical reasons only.

      urn:schac:personalUniqueID:es:DNI:9999999Z
      urn:schac:personalUniqueCode:es:uma.es:codUni:061696758X
      urn:schac:userStatus:au:uq.edu.au:service:mail:receive:disabled
      urn:schac:personalPosition:pl:umk.pl:programmer
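   The following Python validator is an added example and is not part
   of this draft or of any REFEDS/SCHAC software.  It transcribes the
   SCHAC-NSS ABNF from the "Syntactic structure" section into a regular
   expression, splits a URN into the colon-delimited tree nodes described
   under "Identifier assignment" (attribute name first, then the
   delegated naming authority), and implements the exact, case-sensitive
   NSS comparison from "Lexical equivalence".  Two points are assumptions
   of the example rather than rules in the draft: the "urn:" scheme and
   the "schac" NID are compared case-insensitively (as RFC 2141 specifies
   for all URNs), and the classification of the authority token as REFEDS
   ("int"/"eu"), country TLD (two letters) or organizational FQDN
   (contains a dot) is a heuristic derived from the assignment rules.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Character classes transcribed from the SCHAC-NSS ABNF in the template:
#   other    = "(" / ")" / "+" / "," / "-" / "." / "=" / "@" / ";" / "$" /
#              "_" / "!" / "*" / "'"
#   reserved = "/" / "?" / "#"
# The colon is deliberately absent, so it can only act as a token delimiter.
# RFC 5234 quoted strings are case-insensitive, so HEXDIG accepts a-f too.
_SUBSTCHAR = r"(?:[A-Za-z0-9()+,\-.=@;$_!*'/?#]|%[0-9A-Fa-f]{2})"
# SCHAC-NSS = 1*subStChar *( ":" 1*subStChar )
_NSS_RE = re.compile(rf"^{_SUBSTCHAR}+(?::{_SUBSTCHAR}+)*$")

# Assumption: "urn:" and the NID are case-insensitive (RFC 2141, Section 5);
# only the NSS is compared case-sensitively, as the template requires.
_PREFIX_RE = re.compile(r"^urn:schac:", re.IGNORECASE)


@dataclass
class SchacURN:
    nss: str                  # full NSS, kept verbatim for equivalence checks
    attribute: str            # first token: the SCHAC attribute this is a value for
    authority: Optional[str]  # second token: the delegated naming authority, if any
    authority_kind: str       # "refeds", "country", "organization", "unknown" or "none"
    rest: List[str] = field(default_factory=list)  # further hierarchical tokens


def is_valid_nss(nss: str) -> bool:
    """True if nss matches the SCHAC-NSS ABNF (and hence RFC 2141 NSS syntax)."""
    return _NSS_RE.match(nss) is not None


def _classify_authority(token: Optional[str]) -> str:
    # Heuristic derived from the assignment rules (an assumption of this
    # example, not a rule stated in the draft): "int" and "eu" stay with
    # REFEDS, two-letter tokens are country TLDs, dotted tokens are FQDNs.
    if token is None:
        return "none"
    if token in ("int", "eu"):
        return "refeds"
    if len(token) == 2 and token.isalpha():
        return "country"
    if "." in token:
        return "organization"
    return "unknown"


def parse_schac_urn(urn: str) -> SchacURN:
    """Split a urn:schac:... string into its colon-delimited tree nodes."""
    m = _PREFIX_RE.match(urn)
    if not m:
        raise ValueError(f"not a SCHAC URN: {urn!r}")
    nss = urn[m.end():]
    if not is_valid_nss(nss):
        raise ValueError(f"NSS violates SCHAC-NSS ABNF: {nss!r}")
    tokens = nss.split(":")
    authority = tokens[1] if len(tokens) > 1 else None
    return SchacURN(
        nss=nss,
        attribute=tokens[0],
        authority=authority,
        authority_kind=_classify_authority(authority),
        rest=tokens[2:],
    )


def lexically_equivalent(a: str, b: str) -> bool:
    """Exact, case-sensitive NSS match after a case-insensitive prefix check."""
    return parse_schac_urn(a).nss == parse_schac_urn(b).nss


if __name__ == "__main__":
    # The pedagogical examples from Section 4, plus constructed invalid strings.
    for s in [
        "urn:schac:personalUniqueID:es:DNI:9999999Z",
        "urn:schac:userStatus:au:uq.edu.au:service:mail:receive:disabled",
        "urn:schac:userStatus:terena.org",
        "urn:schac:userStatus::int",   # constructed: empty token
        "urn:schac:user Status:int",   # constructed: space is not in "trans"
        "urn:schac:code%2",            # constructed: truncated %-escape
    ]:
        try:
            print(s, "->", parse_schac_urn(s))
        except ValueError as e:
            print(s, "-> REJECTED:", e)
```

   Because the NSS is compared verbatim, "urn:schac:userstatus:int" and
   "urn:schac:userStatus:int" are distinct names; the draft's policy of
   registering subordinate authorities in lowercase only is what keeps
   such near-duplicates out of the registry at the authority level.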
5.  Security Considerations

   There are no additional security considerations beyond those normally
   associated with the use and resolution of URNs in general.

   In order to guarantee the validity and origin of SCHAC-NSS URN
   values, they MUST be published over https links [3].  The https links
   MUST be secured by sites offering credentials signed by a SCHAC-
   community recognized Certification Authority (CA) using the latest
   secure methods for accessing a web site (which at present is the
   latest version of TLS [4]).
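   The registry client below is an added example, not code from this
   draft or from REFEDS, showing how a consumer of SCHAC registries can
   enforce the two requirements stated here and under "Identifier
   resolution": the registry link must be https, and the server's
   credentials must chain to a CA the SCHAC community recognizes.  The
   draft gives neither the registry URL nor the community CA bundle, so
   both are placeholders supplied by the caller; the TLS 1.2 floor is
   this example's choice (the draft only says "the latest version of
   TLS"), and newer versions are negotiated where available.

```python
import ssl
import urllib.request
from typing import Optional
from urllib.parse import urlsplit


def require_https(url: str) -> str:
    """Reject any registry URL that is not an https link."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.netloc:
        raise ValueError(f"registry URL must be an https link: {url!r}")
    return url


def registry_tls_context(community_ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Build a verifying TLS context for fetching SCHAC registries.

    community_ca_bundle is a PEM file holding the CA(s) the SCHAC community
    recognizes (placeholder path chosen by the caller; the draft names none).
    None falls back to the platform trust store.  The TLS 1.2 floor is this
    example's assumption; the draft only requires the latest version of TLS.
    """
    ctx = ssl.create_default_context(cafile=community_ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True            # certificate must match the registry host
    ctx.verify_mode = ssl.CERT_REQUIRED  # never accept an unverified chain
    return ctx


def fetch_registry(url: str, ctx: ssl.SSLContext, timeout: float = 10.0) -> bytes:
    """Fetch a registry document, failing closed on scheme or TLS errors."""
    req = urllib.request.Request(
        require_https(url), headers={"User-Agent": "schac-registry-check/0.1"}
    )
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Placeholder URL: the draft does not give the registry location.
    registry_url = "https://registry.example.invalid/schac/"
    ctx = registry_tls_context(community_ca_bundle=None)
    try:
        print(len(fetch_registry(registry_url, ctx)), "bytes fetched")
    except (ValueError, OSError) as e:   # URLError and SSL errors are OSErrors
        print("registry check failed closed:", e)
```

   Pointing cafile at the community bundle rather than the platform store
   is what turns "signed by a SCHAC-community recognized CA" into a
   check the client actually performs; hostname verification then ties
   that chain to the specific registry host named in the delegation
   entry.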
6.  Namespace Considerations

   Registration of a Namespace Identifier (NID) specific to SCHAC is
   reasonable given the following considerations:

      SCHAC would like to assign URNs to some very fine-grained objects.
      This does not seem to be the primary intended use of the XML.org
      namespace ([13]), or the more tightly controlled Organization for
      the Advancement of Structured Information Standards ([14])
      namespace ([15]).

      SCHAC seeks naming autonomy.  SCHAC is not a member of OASIS, so
      becoming a subordinate naming authority under the OASIS URN space
      is not an option.  There is the MACE (Middleware Architecture
      Committee for Education) ([16]) namespace, but the SCHAC
      development is done outside of the MACE activity scope; thus, the
      attributes and values do not belong in the MACE namespace.  Using
      the MACE namespace requires that the SCHAC namespace be placed
      under one of the SCHAC participants' namespaces, which hinders its
      global scope.

      SCHAC will want to assign URNs to non-XML objects as well.  That
      is another reason that XML.org may not be an appropriate higher-
      level naming authority for SCHAC.

   Some of the already defined SCHAC attribute values have been assigned
   URNs under the urn:mace:terena.org namespace.  These values will
   enter a deprecation cycle, with a clear indication that they will be
   replaced by values under the new namespace once it is assigned.  In
   any case, [5] (which replaced RFC 2611) includes an explicit
   statement that two or more URNs may point to the same resource.

7.  Community Considerations
   The assignment and use of identifiers within the namespace are open,
   and the related rule is established by the SCHAC activity members.
   Registration agencies (the next-level naming authorities) will be the
   National Research and Education Networks (NRENs) and established
   cross-border organizations that participate in SCHAC.
   It is expected that the majority of the European NRENs, their
   constituencies, participants in the Australian Access Federation, and
   some other international activities will make use of the SCHAC
   namespace.

   After the establishment of the SCHAC namespace, TERENA established a
   registry service (analogously to other distributed pan-European
   services, such as eduroam, PerfSONAR, etc.) for the namespace
   clients.  This registry is now maintained by REFEDS and available
   via: .  The policy for registrations will be defined in documents
   available at the root page of the registry.

8.  IANA Considerations

   In accordance with BCP 66 [5], IANA has registered the Formal URN
   Namespace 'schac' in the Registry of URN Namespaces, using the
   registration template presented in Section 2 of this document.

9.  Acknowledgments
   The original registration of SCHAC was done by Victoriano Giralt
   (University of Malaga) and Dr. Rodney McDuff (The University of
   Queensland); their work on the original specification remains much
   appreciated.
   SCHAC was the result of the TERENA TF-EMC2 task force and many others
   that have contributed ideas to the development of the schema.

   Peter Saint-Andre has also provided comments that have improved the
   overall document quality, for which we herein thank him.  We'd also
   like to thank Chris Lonvick for helping us express our security
   concerns in a better way.  Finally, we thank other reviewers that
   have helped us to give the final touches to the text.

   Special thanks should go to Dyonisius Visser from the TERENA
   technical team for taking the time and effort required to set up the
   root instance of the namespace registry.

10.  References

10.1.  Normative References

   [1]   Bradner, S., "Key words for use in RFCs to Indicate
         Requirement Levels", BCP 14, RFC 2119, March 1997.

   [2]   Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
         Specifications: ABNF", STD 68, RFC 5234, January 2008.

   [3]   Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.

   [4]   Dierks, T. and E. Rescorla, "The Transport Layer Security
         (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [5]   Daigle, L., van Gulik, D., Iannella, R., and P. Faltstrom,
         "Uniform Resource Names (URN) Namespace Definition
         Mechanisms", BCP 66, RFC 3406, October 2002.

10.2.  Informative References

   [6]   TERENA, "Trans-European Research and Education Networking
         Association", .

   [7]   REFEDS, "SCHAC - SCHema for ACademia", .

   [8]   Sciberras, A., Ed., "Lightweight Directory Access Protocol
         (LDAP): Schema for User Applications", RFC 4519, June 2006.

   [9]   Smith, M., "Definition of the inetOrgPerson LDAP Object
         Class", RFC 2798, April 2000.

   [10]  REFEDS, "eduPerson Object Class Specification", December
         2007, .

   [11]  Moats, R., "URN Syntax", RFC 2141, May 1997.

   [12]  IANA, "Country TLDs", .

   [13]  Best, K. and N. Walsh, "A URN Namespace for XML.org",
         RFC 3120, June 2001.

   [14]  OASIS, "Organization for the Advancement of Structured
         Information Standards: OASIS", .

   [15]  Best, K. and N. Walsh, "A URN Namespace for OASIS",
         RFC 3121, June 2001.

   [16]  Morgan, R. and K. Hazelton, "Definition of a Uniform
         Resource Name (URN) Namespace for the Middleware
         Architecture Committee for Education (MACE)", RFC 3613,
         October 2003.

   [17]  REFEDS, "REFEDS", .

   [18]  GEANT, "GEANT", .

Author's Address

   Miroslav Milinovic
   University Computing Centre, University of Zagreb (SRCE)

   Email: miro@srce.hr