Claim catalog URI syntax isn't XML friendly

[Paul Trevithick]

Drummond,

I just noticed a problem with the ICF-defined claims that follow [1]. (This issue doesn’t apply to Microsoft’s original claims). The syntax we have defined prevents ICF claims from being used in XML element names. For example, this is valid XML:

<?xml version="1.0"?>
<doc xmlns:icf="http://schemas.informationcard.net/@ics#">
    <icf:age-over-18>...</icf:age-over-18>
</doc>

But this isn’t:

<?xml version="1.0"?>
<doc xmlns:icf="http://schemas.informationcard.net/@ics#">
    <icf:age-over-18/2008-11>...</icf:age-over-18/2008-11>
</doc>

Suggestions?

--Paul

[1] http://wiki.informationcard.net/index.php/Claim_URI_Syntax

[Markus Sabadello]

Maybe the solution is to simply use a different separator, e.g. _

    <?xml version="1.0"?>
    <doc xmlns:icf="http://schemas.informationcard.net/@ics#">

        <icf:age-over-18_2008-11>...</icf:age-over-18_2008-11>
    </doc>

I don't think this is too ugly; after all the syntax defines the "claim-name" to be only the "age-over-18", not the entire "age-over-18/2008-11"...
I.e. "age-over-18/2008-11" is not an opaque string, it's just one way to serialize the claim definition to a string.

Markus

[Drummond Reed]

Paul,

 

XML-friendliness was never a requirement of the ICF claim syntax or we would not have used forward slash as a separator. However, Markus’ solution will work fine.

 

Alternately, if you want the XML binding to reflect the real information in the identifier, it should follow the structure of the identifier itself:

 

            <?xml version="1.0"?>
                        <doc xmlns:icf="http://schemas.informationcard.net/@ics#">
                                    <icf:age-over-18>

                                                <icf-ver:2008-11>...</icf-ver: 2008-11>
                                    </icf:age-over-18>

                        </doc>

 

=Drummond

 

---

[John Bradley]

Yes that would be more correct.

Putting the date before or after creates the same problem with the /

Paul, What are you trying to do?

John B.

On 13-Jul-09, at 2:51 PM, Drummond Reed wrote:

> Paul,
>
> XML-friendliness was never a requirement of the ICF claim syntax or
> we would not have used forward slash as a separator. However,
> Markus’ solution will work fine.
>
> Alternately, if you want the XML binding to reflect the real
> information in the identifier, it should follow the structure of the
> identifier itself:
>
> <?xml version="1.0"?>
> <doc xmlns:icf="http://schemas.informationcard.net/@ics#
> ">
> <icf:age-over-18>
> <icf-ver:
> 2008-11>...</icf-ver: 2008-11>
> </icf:age-over-18>
> </doc>
>
> =Drummond
>

[Paul Trevithick]

Drummond,

There are circumstances where we want to use ICF claims (and the original CardSpace p-card claims) as elements to describe something, like “ex:Paul”, E.g.:

<?xml version="1.0"?>
<ex:paul
    xmlns:icf="http://schemas.informationcard.net/@ics#”
    xmlns:pcrd=”http://schemas.xmlsoap.org/ws/2005/05/identity/claims#”>

<icf:age-over-18>1</icf:age-over-18>
<pcrd:givenname>Paul</pcrd:givenname>
<pcrd:surname>Paul</pcrd:surname>
<icf:us-resident>1</icf:us-resident>

</ex:paul>

This would be awkward if we had to include the <icf-ver:2008-11> sub elements everywhere. Especially in the presence of other attributes. So something like what Markus suggested (e.g. “<icf:age-over-18_2008-11>) would be better.

--Paul

On 7/13/09 2:51 PM, "Drummond Reed" <drummo...@cordance.net> wrote:

Paul,
 
XML-friendliness was never a requirement of the ICF claim syntax or we would not have used forward slash as a separator. However, Markus’ solution will work fine.
 
Alternately, if you want the XML binding to reflect the real information in the identifier, it should follow the structure of the identifier itself:
 
           <?xml version="1.0"?>
                        <doc xmlns:icf="http://schemas.informationcard.net/@ics#">
                                    <icf:age-over-18>
                                                <icf-ver:2008-11>...</icf-ver: 2008-11>
                                    </icf:age-over-18>
                        </doc>

=Drummond
 

From: icf-wg-...@googlegroups.com [mailto:icf-wg-...@googlegroups.com] On Behalf Of Markus Sabadello
Sent: Monday, July 13, 2009 12:03 AM
To: icf-wg-...@googlegroups.com
Cc: Drummond Reed
Subject: [ICF.WG.Schemas] Re: Claim catalog URI syntax isn't XML friendly

Maybe the solution is to simply use a different separator, e.g. _

    <?xml version="1.0"?>

    <doc xmlns:icf="http://schemas.informationcard.net/@ics# <http://schemas.informationcard.net/@ics> ">

       <icf:age-over-18_2008-11>...</icf:age-over-18_2008-11>
    </doc>

I don't think this is too ugly; after all the syntax defines the "claim-name" to be only the "age-over-18", not the entire "age-over-18/2008-11"...
I.e. "age-over-18/2008-11" is not an opaque string, it's just one way to serialize the claim definition to a string.

Markus

On Mon, Jul 13, 2009 at 1:08 AM, Paul Trevithick <ptrev...@gmail.com> wrote:

Drummond,

I just noticed a problem with the ICF-defined claims that follow [1]. (This issue doesn’t apply to Microsoft’s original claims). The syntax we have defined prevents ICF claims from being used in XML element names. For example, this is valid XML:
<?xml version="1.0"?>

<doc xmlns:icf="http://schemas.informationcard.net/@ics# <http://schemas.informationcard.net/@ics> ">

    <icf:age-over-18>...</icf:age-over-18>
</doc>

But this isn’t:
<?xml version="1.0"?>

<doc xmlns:icf="http://schemas.informationcard.net/@ics# <http://schemas.informationcard.net/@ics> ">

[Axel.N...@telekom.de]

1) Why is there a "#" at the end of your xmlns?

 

2) How about?:

 

<?xml version="1.0"?>
<ex:paul xmlns:ex=http://tmpuri.org/"
    xmlns:icf200812="http://schemas.informationcard.net/@ics/2008-12" 

    xmlns:icf200906="http://schemas.informationcard.net/@ics/2009-06"
    xmlns:pcrd="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">

    <icf200812:age-over-18>1</icf:age-over-18>

    <pcrd:givenname>Paul</pcrd:givenname>
    <pcrd:surname>Paul</pcrd:surname>

    <icf200812:us-resident>1</icf:us-resident>
    <icf200906:icam-assurance-level-1/>

</ex:paul>

 

3) is the value range of icam-assurance-level-1|2|3 correct? Shouldn't that be xs:token tri-boolean?

 

-Axel

---

Von: icf-wg-...@googlegroups.com [mailto:icf-wg-...@googlegroups.com] Im Auftrag von Paul Trevithick
Gesendet: Montag, 13. Juli 2009 21:42
An: ICF.WG.Schemas
Betreff: [ICF.WG.Schemas] Re: Claim catalog URI syntax isn't XML friendly

[Paul Trevithick]

1. Old RDFXML habit sorry.
2. This was discussed and rejected by the group I’d have to dig back to remember why. As I recall Drummond got hold of some W3C (I think it was) best practice documents for URIs and they suggested that trailing dates was better than what you have below. Personally I like what you’ve proposed below better and I was thinking the same thing. Or even something more heretical: switching to yearly versioning so that there weren’t so many “xmlns” declarations required!
3. Yes, I was being lazy on that part and hoping nobody would catch me.
   

[Axel.N...@telekom.de]

Von: icf-wg-...@googlegroups.com [mailto:icf-wg-...@googlegroups.com] Im Auftrag von Paul Trevithick

Gesendet: Montag, 13. Juli 2009 22:57
An: ICF.WG.Schemas
Betreff: Re: AW: [ICF.WG.Schemas] Re: Claim catalog URI syntax isn't XML friendly

1. Old RDFXML habit sorry.

2. This was discussed and rejected by the group I’d have to dig back to remember why. As I recall Drummond got hold of some W3C (I think it was) best practice documents for URIs and they suggested that trailing dates was better than what you have below. Personally I like what you’ve proposed below better and I was thinking the same thing. Or even something more heretical: switching to yearly versioning so that there weren’t so many “xmlns” declarations required! 

2.  
   
   ## Hm, then we discussed claims URIs not XML namespaces. There is no formal translation between the claims catalog and some XML (yet).
   If we would define an XML schema for the catalog then each claim URI would be an xs:token. [The Claim-Name might be considered to be an identifier / xs:token too but only because (until now) there is no collision between Claim-Names.] The unique identifier of a claim is its URI.
    

[Paul Trevithick]

Axel,

I think you (and Drummond) think I’m trying to create an XML format for the ICF claim catalog. I’m not. I’m focusing entirely on the syntax of the identifiers themselves. As I have tried to show, the current syntax means that the identifiers cannot be used “as is” as XML element names.

Since there’s no time like the present, I’ve started a new page and in this section [1] I’ve added my pet proposed requirement as item (currently #5).

Alex/all,

Let’s add any more requirements that we think we already have here [1].

--Paul

[1] https://wiki.informationcard.net/index.php/Claim_Catalog_Requirements#Proposed_Requirements

[John Bradley]

The value of icam-assurance-level-1 is likely a entityID that can be
used to discover if the certificate that signed the cert is valid for
asserting icam-assurance-level-1.

An empty entityID would be no but people shouldn't issue cards with
that claim if they are not certified.

In the first stage white-lists will probably be manually configured
and the return value ignored.

The claim is mostly used to drive card selection, as the RP cant
specify a set of issuers.

Chopping claim URI up into namespace declarations is a total hack no
matter how you do it.

The reason for the trailing date was to better represent versioning by
attribute.

If we register one attribute per month having the date first doesn't
help.

John B.

On 13-Jul-09, at 4:47 PM, <Axel.N...@telekom.de> wrote:

> 1) Why is there a "#" at the end of your xmlns?
>
> 2) How about?:
>
> <?xml version="1.0"?>
> <ex:paul xmlns:ex=http://tmpuri.org/"
> xmlns:icf200812="http://schemas.informationcard.net/@ics/2008-12"
> xmlns:icf200906="http://schemas.informationcard.net/@ics/2009-06"
> xmlns:pcrd="http://schemas.xmlsoap.org/ws/2005/05/identity/
> claims">
> <icf200812:age-over-18>1</icf:age-over-18>
> <pcrd:givenname>Paul</pcrd:givenname>
> <pcrd:surname>Paul</pcrd:surname>
> <icf200812:us-resident>1</icf:us-resident>
> <icf200906:icam-assurance-level-1/>
> </ex:paul>
>
> 3) is the value range of icam-assurance-level-1|2|3 correct?
> Shouldn't that be xs:token tri-boolean?
>
> -Axel
>

[Paul Trevithick]

## inline

On 7/13/09 6:25 PM, "John Bradley" <ve7...@ve7jtb.com> wrote:

The value of icam-assurance-level-1 is likely a entityID that can be
used to discover if the certificate that signed the cert is valid for
asserting icam-assurance-level-1.

## Err. What do you mean by an entityID? Why do you mention this here. Is this related to the syntax (“/”) issue? I’m not following you.

An empty entityID would be no but people shouldn't issue cards with
that claim if they are not certified.

In the first stage white-lists will probably be manually configured
and the return value ignored.

The claim is mostly used to drive card selection,  as the RP cant
specify a set of issuers.

<snip>

[John Bradley]

Axel asked about the value of the icam-assurance-level-1 claim.

The name is icam-assurance-level-1 and its value is xs:string not a
tri-boolian.

That was separate from the XML formating issue.

John B.

[Paul Trevithick]

John,

[1] says that the value range for icam-assurance-level-1 is “unspecified” --do you expect this to be specified at some point? And if so could we then (at that point) update the Value Range column here [1]?

--Paul

[1] http://wiki.informationcard.net/index.php/Claim_Catalog?#icam-assurance-level-1

[John Bradley]

I expect it to be a string. Likely a entityID (URL) in SAML speak
that allows for trust discovery.

We are still working on the trust white-list issues.

John B.

[Drummond Reed]

Hmmm. This is very interesting. I see what you’d like to do. It’s just that having claim URIs serve double duty as XML Qnames just hasn’t been brought up before.

 

You can either build the versioning into the XML namespace, as Axel suggests, or build it into the claim name itself, as Markus suggests. If those are the only two options, I personally prefer the latter, to keep the XML namespaces clean. But I’d want the revised ABNF for ICF claim URIs to still be structured so that a smart parser can still understand either the URI or the XML, i.e., use something like:

 

            http://schemas.informationcard.net/@ics/age-18-or-over-v-2008-12

 

…where the –v–YYYY-MM pattern is enforced by the ABNF.

 

But the big question is…what do we do about all our existing claims? Do we start issuing synonyms?

 

(Isn’t semantics fun? ;-)

 

=Drummond

 

 

---

<BR

[John Bradley]

One thing you could do is just drop the trailing date in the qname.

It isn't really adding anything. The claim without the date is the
most recent version.
If there is more than one version of the age-18-or-over you replace
the / with some other character.

Turning the claim into a qname is a connivence there is no formal
transform rule.

John B.

On 13-Jul-09, at 9:43 PM, Drummond Reed wrote:

> Hmmm. This is very interesting. I see what you’d like to do. It’s
> just that having claim URIs serve double duty as XML Qnames just
> hasn’t been brought up before.
>
> You can either build the versioning into the XML namespace, as Axel
> suggests, or build it into the claim name itself, as Markus
> suggests. If those are the only two options, I personally prefer the
> latter, to keep the XML namespaces clean. But I’d want the revised
> ABNF for ICF claim URIs to still be structured so that a smart
> parser can still understand either the URI or the XML, i.e., use
> something like:
>
> http://schemas.informationcard.net/@ics/age-18-or-over-v-2008-12
>
> …where the –v–YYYY-MM pattern is enforced by the ABNF.
>
> But the big question is…what do we do about all our existing claims?
> Do we start issuing synonyms?
>
> (Isn’t semantics fun? ;-)
>
> =Drummond
>
>

> From: icf-wg-...@googlegroups.com [mailto:icf-wg-...@googlegroups.com
> ] On Behalf OfAxel....@telekom.de
> Sent: Monday, July 13, 2009 2:14 PM
> To: icf-wg-...@googlegroups.com
> Subject: AW: AW: [ICF.WG.Schemas] Re: Claim catalog URI syntax isn't
> XML friendly
>
>

[Paul Trevithick]

I like this.

As for Drummond’s issue, I was thinking that we could issue synonyms in the new syntax “_” (vs. “/” syntax) and then deprecate the existing URIs in favor of the new synonyms.

[Paul Trevithick]

Thanks. Do you expect that we’d update the [1] entry at some point in the future when this is all defined?

[John Bradley]

It will get updated once the GSA makes a decision.

At the moment the RPs are not checking for a value. It is only being
used to filter cards.

John B.

[Markus Sabadello]

The problem if you just drop it, i.e. if you do this

<icf:age-over-18 xmlns:icf="http://schemas.informationcard.net/@ics#">...</icf:age-over-18>

.. is that you cannot map that back to the claim URI without looking it up somehow.

Markus

[John Bradley]

What ever application is using Paul's qnames is going to have to do a
programatic conversion anyway to extract the claim from the qname so
changing the last / to a v for version is probably the best thing if
you want bidirectional mapping.

Other schema types that avoid qnames are also a possibility

<claim>
<name>http://schemas.informationcard.net/@ics/age-18-or-over/2008-12</
name>
<data>1</data>
</claim>

Without more information I can't say if using qnames to encode what
would normally be a value is a good idea.

My first reaction is not to change the ABNF without some compelling
reason.

John B.

[Paul Trevithick]

Okay, thanks.

[Paul Trevithick]

True, and the more I think about it, requiring lookup is too complex for some uses and OTOH defining both “static” (with version) and “dynamic” (lookup the latest version) kinds of URIs is too complicated for what we gain here...

I’m back to just substituting “_” (as you said) or “-v-” (as Drummond said) for “/” and being done with it.

On 7/14/09 9:55 AM, "Markus Sabadello" <markus.s...@gmail.com> wrote:

The problem if you just drop it, i.e. if you do this

<icf:age-over-18 xmlns:icf="http://schemas.informationcard.net/@ics#">...</icf:age-over-18>

.. is that you cannot map that back to the claim URI without looking it up somehow.

Markus

On Tue, Jul 14, 2009 at 3:55 AM, John Bradley <ve7...@ve7jtb.com> wrote:

One thing you could do is just drop the trailing date in the qname.

It isn't really adding anything.   The claim without the date is the
most recent version.
If there is more than one version of the age-18-or-over you replace
the / with some other character.

Turning the claim into a qname is a connivence there is no formal
transform rule.

John B.

<snip>