| Internet-Draft | SPICE GLUE | March 2026 |
| Zundel, et al. | Expires 16 September 2026 | [Page] |
This specification establishes a URN namespace for GLobal Unique Enterprise (GLUE) Identifiers. This enables URN identifiers to be used for businesses and organizations. It enables organizational identities from existing authorities to be represented within this URN namespace.¶
This note is to be removed before publishing as an RFC.¶
The latest revision of this draft can be found at https://ietf-wg-spice.github.io/draft-ietf-spice-glue-id/draft-ietf-spice-glue-id.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-ietf-spice-glue-id/.¶
Discussion of this document takes place on the Secure Patterns for Internet CrEdentials Working Group mailing list (mailto:spice@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/spice/. Subscribe at https://www.ietf.org/mailman/listinfo/spice/.¶
Source for this draft and an issue tracker can be found at https://github.com/ietf-wg-spice/draft-ietf-spice-glue-id.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 16 September 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
There are myriad entity identifier types for businesses and organizations. With the increasing use of digital credentials, there is a need for a common methodology for expressing these identifiers such that claims about and by such entities can be made in a consistent and interoperable manner.¶
This specification establishes a URN namespace that standardizes the expression of existing organizational entity identifiers by providing a common representation format. It also establishes an IANA registry for managing how existing organizational entity identification mechanisms relate to this namespace.¶
Any organizational entity identifier whose identification mechanism has been registered as an Authority Identifier in the registry may be represented as a GLUE URN.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This specification uses the following terms:¶
a URN that uses the GLUE URN namespace established in this specification.¶
identifier for the External Authority responsible for assigning the External Identifiers used in GLUE URNs over which it has jurisdiction.¶
identifier assigned by an External Authority to identify a particular organization within GLUE URNs with Authority Identifier(s) over which it has jurisdiction.¶
an organization that allocates External Identifiers over which it has jurisdiction that are used in GLUE URNs with its Authority Identifier(s).¶
Every GLUE URN MUST contain the following components:¶
Each GLUE URN is globally unique identifier. An organization can be identified by multiple GLUE URNs, but each distinct GLUE URN can only refer to a single organization. If multiple External Authorities have issued identifiers for the same organization (e.g., the organization has both a Dun & Bradstreet number and a Private Enterprise Number), then the same organization can be identified by GLUE URNs differentiated by the Authority Identifier.¶
It is assumed that most registered organizational entity identification schemes already handle any namespacing necessary to achieve uniqueness as part of the External Identifier. However, if collisions are possible within the set of possible external identifiers for an Authority Identifier scheme, then further namespacing is necessary at the GLUE URN level. Such namespacing could be done by allocating multiple Authority Identifiers. The combination of the Authority Identifier and the External Identifier MUST result in a unique GLUE URN.¶
For example, assume there is an External Authority FEA that provides identifiers for organizations in Singapore and South Korea. The identifiers issued in Singapore are unique within Singapore, and the identifiers issued in South Korea are unique within South Korea, but there is no guarantee that an organization in Singapore will not be assigned the same identifier as an organization in South Korea. Upon registration of FEA as an Authority Identifier, it would be necessary to separately register two different Authority Identifiers (e.g., FEA-SG and FEA-KR) to provide differentiation between the two sets of External Identifiers.¶
GLUE URNs comply with [RFC8141]. They begin with "urn:glue:" and are followed by an Authority Identifier, a colon character (":"), and the External Identifier allocated by the authority.¶
Authority Identifiers consist of a sequence of characters beginning with a letter or digit and followed by any combination of letters, digits, plus ("+"), hyphen ("-"), or period ("."). Although Authority Identifiers are case-insensitive, the canonical form is lowercase and documents that specify Authority Identifiers must do so with lowercase letters. An implementation should accept uppercase letters as equivalent to lowercase in Authority Identifier names (e.g., allow "EXAMPLE" as well as "example") for the sake of robustness but should only produce lowercase Authority Identifier names for consistency. There is a limit of 50 characters for the length of an Authority Identifier. The ABNF [RFC5234] for Authority Identifiers is:¶
authority-identifier = (ALPHA/DIGIT) *49( ALPHA / DIGIT / "+" / "-" / "." )
¶
External Identifiers consist of a sequence of characters beginning with a letter or digit or hyphen ("-") and followed by any combination of letters, digits, plus ("+"), hyphen ("-"), or period ("."). A digit or hyphen is allowed as the first character to permit the case where the External Identifier is the representation of a number. It is specific to the Authority Identifier whether the External Identifiers are case-insensitive or case-sensitive. When they are case-insensitive, the canonical form is lowercase and documents that specify External Identifiers MUST do so with lowercase letters. Always using the canonical form of these URNs means that code performing comparisons need not be aware of whether External Identifiers are case-sensitive or not; case-sensitive comparisons can always be performed on the namespace specific string.¶
While the original representation of some External Identifiers may contain characters that are ignored, these MUST be omitted when used in GLUE URNs. For instance, Dun & Bradstreet [DUNS] identifiers sometimes contain hyphen characters that are ignored. The DUNS numbers 12-345-6789 and 123456789 are considered to be equivalent. The latter form without the ignored characters MUST be used as the External Identifier in GLUE URNs.¶
Finally, documents that define a new Authority Identifier type MUST NOT allow the representation of an External Identifier to contain the colon character. Specifications MUST define a substitute character, such as period, that is used in place of a colon in External Identifiers. Any substitution can be specified in the Transformation Rules in the IANA registration for an Authority Identifier; see Section 7.1.¶
There is a limit of 1000 characters for an External Identifier. The ABNF [RFC5234] for External Identifiers is:¶
external-identifier = ( ALPHA / DIGIT / "-" ) *999( ALPHA / DIGIT / "+" / "-" / "." )
¶
Combining these, the ABNF [RFC5234] for a GLUE URN is:¶
glue-urn = "urn:glue:" authority-identifier ":" external-identifier
¶
For example, the following is a GLUE URN using the Authority Identifier "pen" and the External Identifier "32473". This example uses the Enterprise Number "32473" reserved for documentation in [RFC5612].¶
urn:glue:pen:32473
¶
A GLUE URN is defined over the restricted US-ASCII syntax specified in this section. Percent-encoding is not permitted. Consequently, GLUE URNs do not support representation of External Identifiers that use non-ASCII characters. This specification is therefore limited to identifier systems whose representations can be expressed fully within the permitted character set.¶
The Authority Identifier MUST be registered in the GLUE URN Authority Identifier registry defined in Section 7.1. The External Identifier MUST be the identifier assigned to the organization by the External Authority.¶
The security considerations inherent to using URNs apply. Security considerations for URNs can be found in [RFC8141].¶
The global uniqueness of GLUE URNs prevents situations in which the same identifier is allocated in different local namespaces and cannot be disambiguated when used. For instance both Canadian and Singaporean organization registries might use the local identifier "42", but with these referring to different organizations. Embedding these local identifiers in GLUE URNs enables disambiguation.¶
There are some corporate identifiers that make use of personal identifiers. For example, this is the case for some registered sole-proprietor businesses in the United States, where the Tax ID may be the same as the Social Security Number (SSN) of the business owner. Where the Tax ID uniquely identifies the business, the SSN uniquely identifies an individual.¶
It is possible for such business identifiers to be represented as GLUE URNs. An identifier's expression as a GLUE URN does not change the privacy characteristics of that identifier. The same cautions and concerns need to be taken with the GLUE URN representation as with the original identifier.¶
Implementers storing or evaluating GLUE URNs are encouraged to be aware the privacy characteristics of each identification scheme represented by an Authority Identifier and to appropriately handle any GLUE URN which violates privacy policies.¶
This specification establishes the IANA "GLUE Authority Identifier" registry creating a URN namespace for Authority Identifiers for GLobal Unique Enterprise (GLUE) Identifiers.¶
Each entry registers an Authority Identifier within the "urn:glue:" namespace. The organization responsible for the Authority Identifier is recorded.¶
IANA is requested to create the "GLobal Unique Enterprise (GLUE) Identifiers" registry group located at https://www.iana.org/assignments/glue-identifiers/ and place this registry there.¶
Values are registered on a Specification Required (Section 4.6 of [RFC8126]) basis after a two-week review period on the spice-ext-review@ietf.org mailing list, on the advice of one or more Designated Experts. However, to allow for the allocation of values prior to publication of the final version of a specification, the Designated Experts may approve registration once they are satisfied that the specification will be completed and published. However, if the specification is not completed and published in a timely manner, as determined by the Designated Experts, the Designated Experts may request that IANA withdraw the registration.¶
Registration requests sent to the mailing list for review should use an appropriate subject (e.g., "Request to register URN urn:glue:example").¶
Within the review period, the Designated Experts will either approve or deny the registration request, communicating this decision to the review list and IANA. The Designated Experts verify that a specification exists. Experts are encouraged to be biased towards approving registrations unless they are abusive, frivolous, or actively harmful (not merely aesthetically displeasing or architecturally dubious).¶
Denials should include an explanation and, if applicable, suggestions as to how to make the request successful. If the designated experts are not responsive, the registration requesters should contact IANA to escalate the process.¶
Criteria that should be applied by the Designated Experts includes determining whether the proposed registration duplicates existing functionality, determining whether it is likely to be of general applicability or whether it is useful only for a single application, and whether the registration references an existing organizational registry operated by an External Authority identified by the proposed Authority Identifier.¶
IANA must only accept registry updates from the Designated Experts and should direct all requests for registration to the review mailing list.¶
It is suggested that multiple Designated Experts be appointed who are able to represent the perspectives of different applications using this specification, in order to enable broadly-informed review of registration decisions. In cases where a registration decision could be perceived as creating a conflict of interest for a particular Expert, that Expert should defer to the judgment of the other Experts.¶
The reason for the use of the mailing list is to enable public review of registration requests, enabling both Designated Experts and other interested parties to provide feedback on proposed registrations. The reason to allow the Designated Experts to allocate values prior to publication as a final specification is to enable giving authors of specifications proposing registrations the benefit of review by the Designated Experts before the specification is completely done, so that if problems are identified, the authors can iterate and fix them before publication of the final specification.¶
identifier for the External Authority responsible for assigning the External Identifier used in GLUE URNs. This identifier is not case sensitive and any letters MUST be expressed in lowercase characters. It MUST consist of a sequence of characters with a mazimum length of 50, beginning with a letter and followed by any combination of letters, digits, plus ("+"), period ("."), or hyphen ("-").¶
The URN within the "urn:glue:" namespace consisting of "urn:glue:" followed by the Authority Identifier.¶
The organization responsible for the Authority Identifier.¶
Syntactic transformations applied to the original External Identifiers when creating the GLUE URN, or "N/A" if none.¶
For IETF stream RFCs, use "IETF". For others, give the name of the responsible party. Other details (e.g., postal address, e-mail address, or home page URL) may also be included.¶
Reference to the document or documents that specify the Authority Identifier to be registered, preferably including URLs that can be used to retrieve the documents. An indication of the relevant sections may also be included, but is not required.¶
This specification registers the following URN namespace in the IANA "Formal URN Namespaces" registry [IANA.URN] established by [RFC8141].¶
glue¶
1¶
2026-03-02¶
IETF¶
GLobal Unique Enterprise (GLUE) identifier namespace, established by [[ this specification ]]¶
As specified in the glue-urn ABNF entry in Section 3 of [[ this specification ]]¶
Specification Required (Section 4.6 of [RFC8126]) basis¶
GLUE URNs are public identifiers for public entities.¶
GLUE URNs encapsulate other existing identifier namespaces. Therefore, they provide a globally unique equivalent to identifiers within those local namespaces. Some of those namespaces may also utilize URNs.¶
Resolution of GLUE URNs, which are identifiers, is not performed.¶
[[ this specification ]]¶
N/A¶
N/A¶
Amanda Baber, Carsten Bormann, Mohamed Boucadair, Tim Bray, Deb Cooley, Patrik Fältström, Arnt Gulbrandsen, Sue Hares, John Klensin, Erik Kline, Martin Lindström, Rohan Mahy, James Manger, Peter Saint-Andre, Orie Steele, Alexander (A.J.) Stein, Martin Thomson, Éric Vyncke, Dale Worley, and Peter Yee contributed to this specification.¶
-08¶
Addressed urn:glue registration feedback by Dale Worley about identifier uniqueness and defining Transformation Rules, when needed.¶
Addressed urn:glue registration feedback by Peter Saint-Andre about using "URN" rather than "URI", applying suggested language about when multiple External Authorities have issued identifiers for the same organization, and correcting issues with the registry descriptions.¶
-07¶
Registered urn:glue per Amanda Baber's instructions.¶
-06¶
Addressed Deb Cooley's review comments, specifically:¶
Addressed Mohamed Boucadair's review comments, specifically:¶
Addressed Erik Kline's review comments, specifically:¶
-05¶
Added ISO/IEC 6523 identifiers.¶
The first character of the Authority Identifier may be a digit.¶
Fixed wording in IANA Considerations.¶
Limited character set to US-ASCII.¶
Fixed multiple nits from WGLC.¶
-04¶
Applied review suggestions from Martin Thomson, specifically:¶
-03¶
Use the urn:glue URN namespace and delete the urn:ietf:spice URN namespace.¶
Addressed early IANA feedback.¶
-02¶
Improved several descriptions in the specification.¶
-01¶
Updated Brent's affiliation.¶
-00¶
Initial working group draft, based on draft-zundel-spice-glue-id-02¶