GLobal Unique Enterprise (GLUE) Identifiers
draft-ietf-spice-glue-id-05
| Field | Value |
|---|---|
| Document type | Active Internet-Draft (spice WG) |
| Authors | Brent Zundel, Pamela Dingle, Michael B. Jones |
| Last updated | 2026-02-17 (Latest revision 2026-02-16) |
| Replaces | draft-zundel-spice-glue-id |
| RFC stream | Internet Engineering Task Force (IETF) |
| Intended RFC status | Proposed Standard |
| Reviews | GENART IETF Last Call review (of -04) by Sue Hares: Ready w/nits. SECDIR Telechat Review due 2026-03-03: Incomplete |
| WG state | Submitted to IESG for Publication |
| Document shepherd | (None) |
| Shepherd write-up | Last changed 2026-01-22 |
| IESG state | IESG Evaluation |
| Consensus boilerplate | Yes |
| Telechat date | On agenda of 2026-03-05 IESG telechat. Needs 3 more YES or NO OBJECTION positions to pass. |
| Responsible AD | Paul Wouters |
| Send notices to | (None) |
| IANA review state | Version Changed - Review Needed |
Secure Patterns for Internet CrEdentials
Internet-Draft
Intended status: Standards Track
Expires: 20 August 2026
Authors: B. W. Zundel; P. Dingle (Microsoft Corporation); M. B. Jones (Self-Issued Consulting)
Date: 16 February 2026
GLobal Unique Enterprise (GLUE) Identifiers
draft-ietf-spice-glue-id-05
Abstract
This specification establishes a URN namespace for GLobal Unique
Enterprise (GLUE) Identifiers. This enables URN identifiers to be
used for businesses and organizations. It enables organizational
identities from existing authorities to be represented within this
URN namespace.
About This Document
This note is to be removed before publishing as an RFC.
The latest revision of this draft can be found at
https://ietf-wg-spice.github.io/draft-ietf-spice-glue-id/draft-ietf-spice-glue-id.html.
Status information for this document may be found at
https://datatracker.ietf.org/doc/draft-ietf-spice-glue-id/.
Discussion of this document takes place on the Secure Patterns for
Internet CrEdentials Working Group mailing list
(mailto:[email protected]), which is archived at
https://mailarchive.ietf.org/arch/browse/spice/. Subscribe at
https://www.ietf.org/mailman/listinfo/spice/.
Source for this draft and an issue tracker can be found at
https://github.com/ietf-wg-spice/draft-ietf-spice-glue-id.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Zundel, et al. Expires 20 August 2026 [Page 1]
Internet-Draft SPICE GLUE February 2026
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 20 August 2026.
Copyright Notice
Copyright (c) 2026 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction
  1.1. Requirements Notation and Conventions
  1.2. Terminology
2. Core Concepts
  2.1. Uniqueness and Namespacing
3. GLUE URIs
4. GLUE Authority Identifiers
  4.1. Equivalence to Similar URIs
    4.1.1. LEI URNs
5. Security Considerations
6. Privacy Considerations
  6.1. Private Identifiers as Corporate Identifiers
7. IANA Considerations
  7.1. GLUE Authority Identifier URN Registry
    7.1.1. Registration Template
    7.1.2. Initial Registry Contents
8. References
  8.1. Normative References
  8.2. Informative References
Acknowledgments
Document History
Authors' Addresses
1. Introduction
There are myriad entity identifier types for businesses and
organizations. With the increasing use of digital credentials, there
is a need for a common methodology for expressing these identifiers
such that claims about and by such entities can be made in a
consistent and interoperable manner.
This specification establishes a URN namespace that standardizes the
expression of existing organizational entity identifiers by providing
a common representation format. It also establishes a registry for
managing how existing organizational entity identification mechanisms
relate to this namespace.
Any organizational entity identifier whose identification mechanism
has been registered as an Authority Identifier in the registry may be
represented as a GLUE URI.
1.1. Requirements Notation and Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
1.2. Terminology
This specification uses the following terms:
GLUE URI: a URI that uses the GLUE URN namespace established in this
specification.
External Authority: an organization that allocates External
Identifiers for GLUE URIs using the Authority Identifier(s) over
which they have jurisdiction.
Authority Identifier: identifier for the External Authority
responsible for assigning the External Identifier used in GLUE
URIs.
External Identifier: identifier assigned by an External Authority to
identify a particular organization within GLUE URNs over which it
has jurisdiction.
2. Core Concepts
Every GLUE URI MUST contain the following components:
* The Authority Identifier
* The External Identifier
2.1. Uniqueness and Namespacing
Each GLUE URI MUST be globally unique.
A business entity can be identified by multiple GLUE URIs, but each
GLUE URI can only refer to a single business entity.
It is assumed that most registered organizational entity
identification schemes already handle any necessary namespacing as
part of the External Identifier. However, if collisions are possible
within the set of possible external identifiers for an Authority
Identifier scheme, then further namespacing is necessary at the GLUE
URI level. Such namespacing MUST be done on the Authority
Identifier. The combination of the namespacing and the authority
MUST result in a unique Authority Identifier.
For example, assume there is an External Authority FEA that provides
identifiers for organizations in Singapore and South Korea. The
identifiers issued in Singapore are unique within Singapore, and the
identifiers issued in South Korea are unique within South Korea, but
there is no guarantee that an organization in Singapore will not be
assigned the same identifier as an organization in South Korea. Upon
registration of FEA as an Authority Identifier, it would be necessary
to separately register two different Authority Identifiers (e.g.,
FEA-SG and FEA-KR) to provide differentiation between the two sets of
External Identifiers.
3. GLUE URIs
GLUE URIs comply with [RFC3986]. They begin with urn:glue: and are
followed by an Authority Identifier, a colon character (":"), and the
External Identifier allocated by the authority.
Authority Identifiers consist of a sequence of characters beginning
with a letter or digit and followed by any combination of letters,
digits, plus ("+"), hyphen ("-"), or period ("."). Although
Authority Identifiers are case-insensitive, the canonical form is
lowercase and documents that specify Authority Identifiers must do so
with lowercase letters. An implementation should accept uppercase
letters as equivalent to lowercase in Authority Identifier names
(e.g., allow "EXAMPLE" as well as "example") for the sake of
robustness but should only produce lowercase Authority Identifier
names for consistency. There is a limit of 50 characters for the
length of an Authority Identifier. The ABNF [RFC5234] for Authority
Identifiers is:
authority-identifier = (ALPHA/DIGIT) *49( ALPHA / DIGIT / "+" / "-" /
"." )
External Identifiers consist of a sequence of characters beginning
with a letter or digit or hyphen ("-") and followed by any
combination of letters, digits, plus ("+"), hyphen ("-"), or period
("."). A digit or hyphen is allowed as the first character to permit
the case where the External Identifier is the representation of a
number. It is specific to the Authority Identifier whether the
External Identifiers are case-insensitive or case-sensitive. When
they are case-insensitive, the canonical form is lowercase and
documents that specify External Identifiers must do so with lowercase
letters. There is a limit of 1000 characters for an External
Identifier. The ABNF [RFC5234] for External Identifiers is:
external-identifier = ( ALPHA / DIGIT / "-" ) *999( ALPHA / DIGIT /
"+" / "-" / "." )
Combining these, the ABNF [RFC5234] for a GLUE URI is:
glue-uri = "urn:glue:" authority-identifier ":" external-identifier
For example, the following is a GLUE URI using the Authority
Identifier "pen" and the External Identifier "32473":
urn:glue:pen:32473
A GLUE URI is defined over the restricted US-ASCII syntax specified
in this section. Percent-encoding is not permitted. Consequently,
GLUE URIs do not support representation of External Identifiers whose
canonical form includes non-ASCII characters. This specification is
therefore limited to identifier systems whose canonical
representations are fully within the permitted character set.
The Authority Identifier MUST be registered in the GLUE URI Authority
Identifier registry defined in Section 7.1. The External Identifier
MUST be the identifier assigned to the organization by the External
Authority.
4. GLUE Authority Identifiers
This section defines the following GLUE Authority Identifiers.
+============================+======================+=====================================================+
| Organization               | Authority Identifier | External Authority Specification                    |
+============================+======================+=====================================================+
| GS1                        | gln                  | https://www.gs1.org/standards/id-keys/gln           |
+----------------------------+----------------------+-----------------------------------------------------+
| GLEIF                      | lei                  | https://www.iso.org/standard/78829.html             |
+----------------------------+----------------------+-----------------------------------------------------+
| Dun & Bradstreet           | duns                 | https://www.dnb.com/duns.html                       |
+----------------------------+----------------------+-----------------------------------------------------+
| Private Enterprise Numbers | pen                  | https://www.iana.org/assignments/enterprise-numbers |
+----------------------------+----------------------+-----------------------------------------------------+
| ISO/IEC 6523               | iso6523              | https://www.iso.org/standard/82246.html             |
+----------------------------+----------------------+-----------------------------------------------------+
Table 1
They are registered in the GLUE Authority Identifier URN Registry in
Section 7.1.
4.1. Equivalence to Similar URIs
A GLUE URI is an identifier in a distinct URN namespace. By default,
a GLUE URI is not equivalent to any other URI, including a URI
defined by the referenced authority's own namespace. Equivalence
between a GLUE URI and a non-GLUE URI exists only when explicitly
specified for a given Authority Identifier. Implementations and
relying parties MUST NOT assume equivalence between GLUE URIs and
non-GLUE URIs unless such equivalence is explicitly defined by the
authority or documented in the relevant registry entry.
4.1.1. LEI URNs
[LEI-IANA] registers a URN namespace for LEIs. This means that LEIs
can be represented as URNs in at least two ways. Therefore there is
an equivalence between a GLUE URI with an "lei" Authority Identifier
and an LEI URN, provided the 20-digit LEI Code of the LEI URN is
identical to the External Identifier of the GLUE URI. For example,
"urn:lei:INR2EJN1ERAN0W5ZP974" is equivalent to
"urn:glue:lei:INR2EJN1ERAN0W5ZP974".
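The Section 3 syntax and the Section 4.1 equivalence rules can be enforced
together in a relying party. The following Python is an added example, not
part of the draft or code from its authors. The names parse_glue_uri,
is_glue_uri, equivalent, GlueURI, and GlueError are hypothetical, the
REGISTERED set is a local snapshot of Table 1, and External Identifiers are
compared exactly because the draft leaves their case rules to each authority.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Section 3 ABNF as regular expressions. Explicit ASCII ranges and no
# re.IGNORECASE: case-insensitive matching in Python lets a few non-ASCII
# letters (for example U+212A KELVIN SIGN) match [a-z].
AUTHORITY_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9+.-]{0,49}")    # max 50 chars
EXTERNAL_RE = re.compile(r"[A-Za-z0-9-][A-Za-z0-9+.-]{0,999}")   # max 1000 chars
PREFIX = "urn:glue:"
LEI_PREFIX = "urn:lei:"

# Local snapshot of the Authority Identifiers in Table 1 (constructed for this
# example; a deployment would track the IANA registry instead).
REGISTERED = frozenset({"gln", "lei", "duns", "pen", "iso6523"})


class GlueError(ValueError):
    """Raised when a string is not an acceptable GLUE URI."""


class GlueURI(NamedTuple):
    authority: str  # canonical lowercase Authority Identifier
    external: str   # External Identifier, case preserved

    def __str__(self) -> str:
        return f"{PREFIX}{self.authority}:{self.external}"


def parse_glue_uri(text: str, registry=REGISTERED) -> GlueURI:
    if not text.isascii():
        raise GlueError("non-ASCII input")
    # ABNF string literals are case-insensitive, so "URN:GLUE:" is accepted.
    if text[:len(PREFIX)].lower() != PREFIX:
        raise GlueError("not in the urn:glue: namespace")
    authority, colon, external = text[len(PREFIX):].partition(":")
    if not colon:
        raise GlueError("missing External Identifier")
    # fullmatch, not match with "$": "$" would tolerate a trailing newline.
    # "%" is outside both character sets, so percent-encoding is rejected.
    if not AUTHORITY_RE.fullmatch(authority):
        raise GlueError("malformed Authority Identifier")
    if not EXTERNAL_RE.fullmatch(external):
        raise GlueError("malformed External Identifier")
    authority = authority.lower()  # accept any case, emit lowercase only
    if authority not in registry:
        raise GlueError(f"unregistered Authority Identifier: {authority}")
    return GlueURI(authority, external)


def is_glue_uri(text: str) -> bool:
    try:
        parse_glue_uri(text)
        return True
    except GlueError:
        return False


def _key(uri: str) -> Optional[Tuple[str, str]]:
    """Comparison key, or None when the URI has no defined GLUE mapping."""
    if uri.isascii() and uri[:len(LEI_PREFIX)].lower() == LEI_PREFIX:
        code = uri[len(LEI_PREFIX):]
        # Section 4.1.1 is the only cross-namespace equivalence on the page.
        return ("lei", code) if EXTERNAL_RE.fullmatch(code) else None
    try:
        return tuple(parse_glue_uri(uri))
    except GlueError:
        return None


def equivalent(a: str, b: str) -> bool:
    """True only for two URIs naming the same (authority, external) pair."""
    ka, kb = _key(a), _key(b)
    return ka is not None and ka == kb
```

Rejecting unregistered Authority Identifiers and refusing any equivalence
that Section 4.1 does not define keeps a look-alike namespace from being
treated as the same organization.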
5. Security Considerations
There are no additional security considerations beyond those already
inherent to using URNs. Security considerations for URNs can be
found in [RFC2141].
6. Privacy Considerations
6.1. Private Identifiers as Corporate Identifiers
There are some corporate identifiers that make use of personal
identifiers. For example, this is the case for some registered sole-
proprietor businesses in the United States, where the Tax ID may be
the same as the Social Security Number (SSN) of the business owner.
Where the Tax ID uniquely identifies the business, the SSN uniquely
identifies an individual.
It is possible for such business identifiers to be represented as
GLUE URIs. An identifier's expression as a GLUE URI does not change
the privacy characteristics of that identifier. The same cautions
and concerns need to be taken with the GLUE URI representation as
with the original identifier.
Implementers storing or evaluating GLUE URIs are encouraged to be
aware of the privacy characteristics of each identification scheme
represented by an Authority Identifier and to appropriately handle
any GLUE URI which violates privacy policies.
7. IANA Considerations
This section establishes a registry and populates it with its initial
contents.
Values are registered on a Specification Required [RFC8126] basis
after a two-week review period on the [email protected]
mailing list, on the advice of one or more Designated Experts.
However, to allow for the allocation of values prior to publication
of the final version of a specification, the Designated Experts may
approve registration once they are satisfied that the specification
will be completed and published. However, if the specification is
not completed and published in a timely manner, as determined by the
Designated Experts, the Designated Experts may request that IANA
withdraw the registration.
Registration requests sent to the mailing list for review should use
an appropriate subject (e.g., "Request to register URN
urn:glue:example").
Within the review period, the Designated Experts will either approve
or deny the registration request, communicating this decision to the
review list and IANA. The Designated Experts verify that a
specification exists. Experts are encouraged to be biased towards
approving registrations unless they are abusive, frivolous, or
actively harmful (not merely aesthetically displeasing or
architecturally dubious).
Denials should include an explanation and, if applicable, suggestions
as to how to make the request successful. If the designated experts
are not responsive, the registration requesters should contact IANA
to escalate the process.
Criteria that should be applied by the Designated Experts include
determining whether the proposed registration duplicates existing
functionality, determining whether it is likely to be of general
applicability or whether it is useful only for a single application,
and whether the registration makes sense.
IANA must only accept registry updates from the Designated Experts
and should direct all requests for registration to the review mailing
list.
It is suggested that multiple Designated Experts be appointed who are
able to represent the perspectives of different applications using
this specification, in order to enable broadly-informed review of
registration decisions. In cases where a registration decision could
be perceived as creating a conflict of interest for a particular
Expert, that Expert should defer to the judgment of the other
Experts.
The reason for the use of the mailing list is to enable public review
of registration requests, enabling both Designated Experts and other
interested parties to provide feedback on proposed registrations.
The reason to allow the Designated Experts to allocate values prior
to publication as a final specification is to enable giving authors
of specifications proposing registrations the benefit of review by
the Designated Experts before the specification is completely done,
so that if problems are identified, the authors can iterate and fix
them before publication of the final specification.
7.1. GLUE Authority Identifier URN Registry
This specification establishes the IANA "GLUE Authority Identifier
URN" registry creating a URN namespace for Authority Identifiers for
GLobal Unique Enterprise (GLUE) Identifiers.
Each entry registers the URN for an Authority Identifier within the
"urn:glue:" namespace. The organization responsible for the
Authority Identifier is recorded.
IANA is requested to create the "GLobal Unique Enterprise (GLUE)
Identifiers" registry group located at
https://www.iana.org/assignments/glue-identifiers/ and place this
registry there.
7.1.1. Registration Template
Authority Identifier: identifier for the External Authority
responsible for assigning the External Identifier used in GLUE
URIs. This identifier is not case sensitive and any letters MUST
be expressed in lowercase characters. It MUST consist of a
sequence of characters with a maximum length of 50, beginning with
a letter and followed by any combination of letters, digits, plus
("+"), period ("."), or hyphen ("-").
URN: The URN within the "urn:glue:" namespace consisting of
"urn:glue:" followed by the Authority Identifier.
Organization: The organization responsible for the Authority
Identifier.
Change Controller: For IETF stream RFCs, use "IETF". For others,
give the name of the responsible party. Other details (e.g.,
postal address, e-mail address, home page URI) may also be
included.
Specification Document(s): Reference to the document or documents
that specify the Authority Identifier to be registered, preferably
including URLs that can be used to retrieve the documents. An
indication of the relevant sections may also be included, but is
not required.
7.1.2. Initial Registry Contents
7.1.2.1. gln
* Authority Identifier: gln
* URN: urn:glue:gln
* Organization: GS1
* Change Controller: IETF
* Specification Document(s): Section 4 of this specification, [GLN]
7.1.2.2. lei
* Authority Identifier: lei
* URN: urn:glue:lei
* Organization: GLEIF
* Change Controller: IETF
* Specification Document(s): Section 4 of this specification, [LEI],
[LEI-IANA]
7.1.2.3. duns
* Authority Identifier: duns
* URN: urn:glue:duns
* Organization: Dun & Bradstreet
* Change Controller: IETF
* Specification Document(s): Section 4 of this specification, [DUNS]
7.1.2.4. pen
* Authority Identifier: pen
* URN: urn:glue:pen
* Organization: Private Enterprise Numbers
* Change Controller: IETF
* Specification Document(s): Section 4 of this specification, [PEN],
[RFC9371]
7.1.2.5. iso6523
* Authority Identifier: iso6523
* URN: urn:glue:iso6523
* Organization: ISO/IEC 6523
* Change Controller: IETF
* Specification Document(s): Section 4 of this specification,
[ISO6523]
8. References
8.1. Normative References
[DUNS] "D-U-N-S Numbers", n.d., <https://www.dnb.com/duns.html>.
[GLN] "Global Location Number (GLN)", n.d.,
<https://www.gs1.org/standards/id-keys/gln>.
[ISO6523] "ISO/IEC 6523-1:2023. Information technology — Structure
for the identification of organizations and organization
parts, Part 1: Identification of organization
identification schemes", 2023,
<https://www.iso.org/standard/82246.html>.
[LEI] "Legal Entity Identifier (LEI)", 2020,
<https://www.iso.org/standard/78829.html>.
[LEI-IANA] "LEI Namespace Identifier", n.d.,
<https://www.iana.org/assignments/urn-formal/lei>.
[PEN] "Private Enterprise Numbers", n.d.,
<https://www.iana.org/assignments/enterprise-numbers>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, DOI 10.17487/RFC3986, January 2005,
<https://www.rfc-editor.org/rfc/rfc3986>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.
8.2. Informative References
[RFC2141] Moats, R., "URN Syntax", RFC 2141, DOI 10.17487/RFC2141,
May 1997, <https://www.rfc-editor.org/rfc/rfc2141>.
[RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234,
DOI 10.17487/RFC5234, January 2008,
<https://www.rfc-editor.org/rfc/rfc5234>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/rfc/rfc8126>.
[RFC9371] Baber, A. and P. Hoffman, "Registration Procedures for
Private Enterprise Numbers (PENs)", RFC 9371,
DOI 10.17487/RFC9371, March 2023,
<https://www.rfc-editor.org/rfc/rfc9371>.
Acknowledgments
Carsten Bormann, Tim Bray, Patrik Fältström, Arnt Gulbrandsen, Sue
Hares, John Klensin, Martin Lindström, Rohan Mahy, James Manger, Orie
Steele, Alexander (A.J.) Stein, Martin Thomson, and Peter Yee
contributed to this specification.
Document History
-05
* Added ISO/IEC 6523 identifiers.
* The first character of the Authority Identifier may be a digit.
* Fixed wording in IANA Considerations.
* Limited character set to US-ASCII.
* Fixed multiple nits from WGLC.
-04
* Applied review suggestions from Martin Thomson, specifically:
- Added references for each registered Authority Identifier.
- Added size limits for Authority Identifiers and External
Identifiers.
- Added a note about LEI URNs.
-03
* Use the urn:glue URN namespace and delete the urn:ietf:spice URN
namespace.
* Addressed early IANA feedback.
-02
* Improved several descriptions in the specification.
-01
* Updated Brent's affiliation.
-00
* Initial working group draft, based on
draft-zundel-spice-glue-id-02
Authors' Addresses
Brent W. Zundel
United States
Email: [email protected]
Pamela Dingle
Microsoft Corporation
United States
Email: [email protected]
Michael B. Jones
Self-Issued Consulting
United States
Email: [email protected]
URI: https://self-issued.info/