Title: What do OpenID, Higgins, INames, and XDI Have in Common
Slide 1: What do OpenID, Higgins, I-Names, and XDI Have in Common?
An OASIS Webinar on XRI and XRDS
May 6, 2008
Slide 2: What do OpenID, Higgins, i-names, and XDI have in common? They all use two new OASIS technologies you may not even have heard of yet. How did these specifications already become key building blocks of the Internet identity layer? What problems do they solve? Where do they fit with the work of other OASIS Technical Committees? That's what we'll cover today...
Slide 3: OASIS XRI Technical Committee
Formed January 2003
Slide 4: XRI (Extensible Resource Identifier)
- A new type of Internet identifier (URI) designed expressly for digital identity
- An open standard for abstract structured identifiers
  - Abstract, i.e., identifiers upon which discovery can be performed
  - Structured, i.e., a syntactic framework for expressing identifiers ("XML for identifiers")
Slide 5: XRDS (Extensible Resource Descriptor Sequence)
- A simple, extensible service discovery format for XRIs or URLs
- The logical equivalent of a DNS resource record at the XRI layer of identification
- The discovery format used by OpenID 2.0, OAuth, and Higgins
Slide 6: Synonyms (diagram)
- Abstract identifier layer: reassignable XRIs (i-names) and persistent XRIs (i-numbers), linked through an XRDS document by XRDS resolution
- Concrete identifier layer: domain name, telephone number (TN), IP address, URI/IRI, local path/query, and other concrete identifier types
Slide 7: Examples of XRI i-names
- Human-friendly reassignable identifiers
  - =gmw
  - ??
  - @boeing
  - @cordance*drummond.reed
  - +flower
  - $xml
Slide 8: Examples of XRI i-numbers
- Persistent identifiers (never reassigned)
  - =!7a42.cd93.40f4.18e5
  - =!7a42.cd93.40f4.18e5!283
  - @!b3a7.5537.9fea.31ec
  - !3792
  - !3792!14
Slide 9: Examples of XRI cross-references
- Identifiers reused across contexts
  - =(mailto:gabe.wachob@gmail.com)
  - =(http://equalsdrummond.name)
  - @(http://boeing.com)
  - @cordance*(urn:isbn:0-395-36341-1)
  - +flower*(http://en.wikipedia.org/rose)
Slide 10: Examples of XRIs transformed into URIs
- XRI Syntax 2.0 defines a strict transformation of an XRI into an IRI and URI
  - xri://=drummond.reed
  - xri://=%E7%94%A8%E4%BE%8B
  - xri://@!b3a7.5537.9fea.31ec!133
  - xri://=(mailto:gabe.wachob@gmail.com)
  - xri://@cordance*(urn:isbn:0-395-36341-1)
Slide 11: Example XRDS document

    <XRDS xmlns="xri://$xrds">
      <XRD xmlns="xri://$xrd*($v*2.0)">
        <!-- Query and synonyms -->
        <Query>*example</Query>
        <Expires>2005-05-30T09:30:10Z</Expires>
        <ProviderID>xri://=</ProviderID>
        <EquivID>xri://=example.name</EquivID>
        <CanonicalID>xri://=!7c4.58ff.7c9a.e285</CanonicalID>
        <!-- Service 1 -->
        <Service priority="10">
          <Type>xri://$res*auth*($v*2.0)</Type>
          <URI>http://res.example.com/!7c4.58ff.7c9a.e285/</URI>
        </Service>
        <!-- Service 2 -->
        <Service priority="10">
          <Type>http://openid.net/server/1.0</Type>
          <Type>http://specs.openid.net/auth/2.0/signon</Type>
          <Path>openid</Path>
          <URI>http://authn.example.com/openid/</URI>
        </Service>
      </XRD>
    </XRDS>
Slide 12: The XRI 2.0 specifications
- XRI Syntax 2.0
  - Explicit syntax for reassignable and persistent identifiers
  - Global context symbols
  - Cross-references for identifier reuse across contexts
  - Flexible delegation at all levels of hierarchy
  - Lossless transformation into IRI and URI forms
- XRI Resolution 2.0
  - HTTP(S)-based resolution protocol
  - XRDS simple XML discovery document format
  - Synonym management and verification
  - Service endpoint selection logic
  - Redirect and Ref processing
Slide 13: Why have XRI and XRDS already become key building blocks of the Internet identity layer?
Slide 14: "Not only have XRI and XRDS become an integral part of OpenID 2.0, but the XRI technical community is now a strong part of the OpenID community." - Bill Washburn, Executive Director, OpenID Foundation
Slide 15: "XRI and XRDS have become essential elements of the Higgins Project. Without them, we couldn't fully implement the abstract data model that is the heart of Higgins and the key to user-controlled identity and data sharing." - Paul Trevithick, Higgins Project Lead
Slide 16: Where are XRI and XRDS being used today?
- OpenID 2.0
- OAuth Discovery
- Higgins Project
- XDI.org i-name/i-number registries
- XDI data sharing
Slide 17: Case Study: the top 3 problems XRI/XRDS solved for OpenID 2.0
- Extensible service discovery
- OpenID recycling
- Automatic secure resolution
http://middleware.internet2.edu/idtrust/2008/papers/01-reed-openid-xri-xrds.pdf
Slide 18: What is OpenID?
- An open community specification for user-centric Internet authentication
- Based on the concept that users can have their own globally-resolvable identifiers and OpenID authentication providers
- Primary use case: eliminate the need for different usernames and passwords at every website
Slide 22: OpenID authentication flow (diagram): the User presents an identifier (=drummond.reed) to the Relying Party (RP); the RP performs Discovery on it and interacts with the OpenID Provider (OP)
Slide 23: Problem 1: Extensible service discovery
- OpenID 2.0 needed to describe what versions an OpenID identifier supports
- Also what OpenID extensions it supports (SREG, AX, PAPE, etc.)
- And what other services may be available (e.g., OAuth, SAML, XDI)
- And it needed redundant, prioritized OpenID provider endpoint URLs
Slide 24: Solution: XRDS documents
- Simple, standard discovery format
- Can be hosted on any blog, web server, IdM system, etc.
- Easily extensible using new URIs or XRIs to define service types
- Can be extended with elements from any other namespace
Slide 25: XRDS document with prioritized, redundant OpenID endpoints

    <XRDS xmlns="xri://$xrds">
      <XRD xmlns="xri://$xrd*($v*2.0)" xmlns:openid="http://openid.net/xmlns/1.0">
        <Query>*example</Query>
        <Expires>2005-05-30T09:30:10Z</Expires>
        <ProviderID>xri://=</ProviderID>
        <CanonicalID>xri://=!7c4.58ff.7c9a.e285</CanonicalID>
        <Service>
          <Type>xri://$res*auth*($v*2.0)</Type>
          <URI>http://res.example.com/!7c4.58ff.7c9a.e285/</URI>
        </Service>
        <Service priority="10">
          <Type>http://openid.net/server/1.0</Type>
          <Type>http://specs.openid.net/auth/2.0/signon</Type>
          <Path>openid</Path>
          <URI>http://authn.example.com/openid/</URI>
          <URI>https://secure-authn.example.com/openid/</URI>
          <openid:Delegate>http://example.com/bob</openid:Delegate>
        </Service>
      </XRD>
    </XRDS>
Slide 26: Problem 2: OpenID recycling
- With usernames/passwords, usernames can be recycled
  - The service provider controls the binding with the credential
- With OpenID, that's no longer true
  - The user controls the binding to the credential!
  - Losing control of the identifier = losing control of the credential
Slide 27: Solution: persistent synonyms
- Bind a recyclable OpenID identifier with a non-recyclable (persistent) identifier, e.g., an XRI i-number
- Always authenticate based on the persistent i-number
- Treat the recyclable identifier as only a temporary handle for the i-number
- The user always stays protected
Slide 28: XRDS document binding the recyclable i-name to a persistent CanonicalID

    <XRDS xmlns="xri://$xrds">
      <XRD xmlns="xri://$xrd*($v*2.0)">
        <Query>*example</Query>
        <Expires>2005-05-30T09:30:10Z</Expires>
        <ProviderID>xri://=</ProviderID>
        <CanonicalID>xri://=!7c4.58ff.7c9a.e285</CanonicalID>
        <Service>
          <Type>xri://$res*auth*($v*2.0)</Type>
          <URI>http://res.example.com/!1234.5678.a1b2.c3d4/</URI>
        </Service>
        <Service>
          <Type>http://openid.net/openid/1.1</Type>
          <Type>http://openid.net/openid/2.0</Type>
          <Path>openid</Path>
          <URI>http://authn.example.com/openid/</URI>
        </Service>
      </XRD>
    </XRDS>
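The relying-party side of slides 24 and 27, as an added example that is not part of the deck nor taken from OpenXRI, Barx or MyXDI: it selects OpenID service endpoints from an XRDS by Type and priority (lower priority number wins, absent priority sorts last, as XRI Resolution orders them), checks the Expires element, and keys the RP's account on the persistent CanonicalID rather than the reassignable i-name, so a recycled name falls into a fresh account. The XRDS documents, endpoint URLs and the second CanonicalID are constructed for the example, modelled on the deck's slide 25 and 28 documents.

```python
# Added example (not from the deck, nor from OpenXRI/Barx/MyXDI): a relying
# party's XRDS consumer. XRDS content below is constructed, modelled on the
# deck's slide 25 and 28 examples; endpoint URLs and the second i-number are
# illustrative values.
import xml.etree.ElementTree as ET
from datetime import datetime

XRDS_NS = "xri://$xrds"
XRD_NS = "xri://$xrd*($v*2.0)"
OPENID_NS = "http://openid.net/xmlns/1.0"      # namespace of openid:Delegate
OPENID1_SERVER = "http://openid.net/server/1.0"
OPENID2_SIGNON = "http://specs.openid.net/auth/2.0/signon"
EXPIRES_FMT = "%Y-%m-%dT%H:%M:%SZ"


def xrds_for(cid):
    """Constructed XRDS for the reassignable i-name =example, bound to cid."""
    return f"""<XRDS xmlns="{XRDS_NS}">
  <XRD xmlns="{XRD_NS}" xmlns:openid="{OPENID_NS}">
    <Query>*example</Query>
    <Expires>2005-05-30T09:30:10Z</Expires>
    <ProviderID>xri://=</ProviderID>
    <CanonicalID>{cid}</CanonicalID>
    <Service priority="20">
      <Type>{OPENID1_SERVER}</Type>
      <URI>http://legacy.example.com/openid/</URI>
    </Service>
    <Service priority="10">
      <Type>{OPENID1_SERVER}</Type>
      <Type>{OPENID2_SIGNON}</Type>
      <URI priority="2">http://authn.example.com/openid/</URI>
      <URI priority="1">https://secure-authn.example.com/openid/</URI>
      <openid:Delegate>http://example.com/bob</openid:Delegate>
    </Service>
  </XRD>
</XRDS>"""


def _children(elem, ns, local):
    """Direct children of elem with the given namespace and local name."""
    return [c for c in elem if c.tag == "{%s}%s" % (ns, local)]


def _priority(elem):
    """XRI Resolution ordering: lower number wins; a missing priority sorts last."""
    p = elem.get("priority")
    return int(p) if p is not None else float("inf")


def final_xrd(xrds_xml):
    """The last XRD in the sequence describes the identifier actually queried."""
    return _children(ET.fromstring(xrds_xml), XRD_NS, "XRD")[-1]


def is_expired(xrds_xml, now_utc):
    """True if the XRD's Expires element lies before now_utc (same timestamp format)."""
    expires = _children(final_xrd(xrds_xml), XRD_NS, "Expires")
    if not expires:
        return False
    return datetime.strptime(expires[0].text, EXPIRES_FMT) < datetime.strptime(now_utc, EXPIRES_FMT)


def select_endpoints(xrds_xml, wanted_type):
    """Services carrying wanted_type, best priority first, each as
    (priority, [uri, ...] best first, delegate or None)."""
    found = []
    for svc in _children(final_xrd(xrds_xml), XRD_NS, "Service"):
        types = {t.text for t in _children(svc, XRD_NS, "Type")}
        if wanted_type not in types:
            continue
        uris = [u.text for u in sorted(_children(svc, XRD_NS, "URI"), key=_priority)]
        delegate = _children(svc, OPENID_NS, "Delegate")
        found.append((_priority(svc), uris, delegate[0].text if delegate else None))
    found.sort(key=lambda entry: entry[0])
    return found


def canonical_id(xrds_xml):
    cid = _children(final_xrd(xrds_xml), XRD_NS, "CanonicalID")
    return cid[0].text if cid else None


def account_for(claimed_id, xrds_xml, accounts):
    """Key the account on the persistent CanonicalID (slide 27). Once the
    i-name is reassigned it resolves to a different CanonicalID, so the new
    holder lands in a fresh account rather than the previous owner's."""
    cid = canonical_id(xrds_xml)
    if cid is None:
        raise ValueError("%s: no CanonicalID, refusing to bind an account" % claimed_id)
    accounts.setdefault(cid, {"claimed_ids": set()})["claimed_ids"].add(claimed_id)
    return cid


if __name__ == "__main__":
    before = xrds_for("xri://=!7c4.58ff.7c9a.e285")
    after = xrds_for("xri://=!1234.5678.a1b2.c3d4")   # same i-name, new holder
    accounts = {}
    print(select_endpoints(before, OPENID2_SIGNON))
    print(is_expired(before, "2008-05-06T00:00:00Z"))
    print(account_for("=example", before, accounts), account_for("=example", after, accounts))
```

One caveat the code does not cover: the CanonicalID is only as trustworthy as the resolution chain that delivered it, so the synonym verification step of XRI Resolution 2.0 (slide 12) must be applied before an RP relies on it; a CanonicalID that the authority did not actually assert is no better than the reassignable name.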
Slide 29: Problem 3: Automatic secure resolution
- OpenID could not specify HTTPS resolution for all OpenID URLs
  - Too many users do not have access to HTTPS certs or infrastructure
- Thus the default had to be HTTP
- This forces users with HTTPS URLs to type the entire string, e.g., https://my.openid.identifier.tld
Slide 30: Solution: XRI secure resolution
- As abstract identifiers, XRIs always map to concrete identifiers
- This mapping process (XRI resolution) offers three trusted modes: HTTPS, SAML, or both
- So XRI i-names used as OpenIDs can use HTTPS resolution as the default
- No need for users to know/do anything
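The asymmetry slides 29 and 30 describe, as an added example that is not part of the deck: a relying party normalises what the user typed following the OpenID Authentication 2.0 rules (strip an `xri://` prefix; an identifier starting with a global context symbol is an XRI; anything else is a URL that gets `http://` prepended when it carries no scheme, with any fragment dropped). A bare URL therefore defaults to HTTP, while an XRI is handed to a proxy resolver over HTTPS regardless of what was typed. The proxy base URL `https://xri.net/` is an assumption for the example (the deck only uses xri.net in its contact slide); `_xrd_r` is the XRI Resolution 2.0 proxy parameter that asks for an XRDS document.

```python
# Added example (not from the deck or any OpenID/XRI library): OpenID 2.0
# identifier normalisation and the resulting discovery URL. The proxy
# resolver base URL is an assumption for this example.
from urllib.parse import quote

# Global context symbols of XRI Syntax 2.0 (slide 42 names =, @, +, $; ! introduces a persistent segment)
GCS_CHARS = "=@+$!"
XRI_PROXY = "https://xri.net/"                  # assumed proxy resolver
XRDS_MEDIA_TYPE = "application/xrds+xml"


def normalize_identifier(user_input):
    """Return ("xri", xri) or ("url", absolute_url) per OpenID 2.0 section 7.2."""
    s = user_input.strip()
    if s.lower().startswith("xri://"):
        s = s[len("xri://"):]
    if s and s[0] in GCS_CHARS:
        return ("xri", s)
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s                        # the default slide 29 complains about
    return ("url", s.split("#", 1)[0])           # fragments never reach discovery


def discovery_url(user_input):
    """Where the RP fetches the XRDS: the URL itself, or the HTTPS proxy for an XRI."""
    kind, ident = normalize_identifier(user_input)
    if kind == "xri":
        return XRI_PROXY + quote(ident, safe="=@+$!*()") + "?_xrd_r=" + XRDS_MEDIA_TYPE
    return ident


def discovery_is_https(user_input):
    return discovery_url(user_input).startswith("https://")


if __name__ == "__main__":
    for typed in ("drummond.reed", "https://my.openid.identifier.tld", "=drummond.reed", "xri://=gmw"):
        print(typed, "->", discovery_url(typed), "HTTPS" if discovery_is_https(typed) else "HTTP")
```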
Slide 31: XRI and XRDS are also building blocks for other identity solutions
- OAuth
  - XRDS discovery format
- Higgins Project
  - Context discovery and resolution
- XDI.org XRI registries
  - i-name/i-number registries and resolution
- SAML and Information Cards
  - Privacy-protected identifier claims
Slide 32: What is the relationship of XRI and XRDS with other OASIS TCs and the IDtrust Member Section?
Slide 33: XDI (XRI Data Interchange)
- The XDI controlled data sharing protocol is based entirely on XRIs
- A globally addressable RDF graph where the address of every node is an RDF statement structured as an XRI: subject-xri / predicate-xri / object-xri
- Enables a simple portable authorization format called XDI link contracts
Slide 34: ORMS (Open Reputation Management Services)
- Newest TC in the OASIS IDtrust member section
- Will define neutral, vendor-independent specs for exchanging reputation data
- XRI and XDI TC members participating
  - XRI for durable subject identifiers
  - XDI for controlled data sharing
Slide 35: PKI-Related TCs
- Digital Signature Services eXtended (DSS-X): advancing new profiles for the DSS OASIS Standard
- Enterprise Key Management Infrastructure (EKMI): defining symmetric key management protocols
- Public Key Infrastructure (PKI) Adoption: advancing the use of digital certificates as a foundation for managing access to network resources and conducting electronic transactions
Slide 36: Conclusion
- Abstract structured identifiers offer 3 key features for the Internet identity layer
  - Simple, safe, strong identifiers
  - Simple, extensible, secure service discovery
  - Interoperability between multiple identity protocols and frameworks
- XRI and XRDS are building blocks everyone can use
Slide 37: Contact us
- Gabe Wachob, XRI TC Co-Chair
  - http://xri.net/=gmw
  - gabe.wachob@wachob.com
- Drummond Reed, XRI TC Co-Chair
  - http://xri.net/=drummond.reed
  - drummond.reed@cordance.net
- Wikipedia
  - http://en.wikipedia.org/XRI
  - http://en.wikipedia.org/XRDS
Slide 38:
- Learn through the IDtrust Knowledgebase of educational materials and background on the standards
- Share news, events, presentations, white papers, product listings, opinions, questions, and recommendations through postings, blogs, forums, and directories
- Collaborate with others online through a wiki interface
- http://idtrust.xml.org
Slide 39: Q&A
Slide 40: What is the relationship of XRI to URNs?
- Uniform Resource Names are specified by IETF RFC 2141
- They are persistent (non-recyclable) identifiers
- XRI combines both URNs and HFNs (human-friendly names) in one syntax and resolution protocol
Slide 41: What is the relationship of XRI to the Handle System?
- Handle is a persistent object identifier system developed by CNRI
- Specified in RFCs 3650, 3651, 3652
- Handle does not include HFNs or other structured identifier features of XRI
- Handle does not use XML or HTTP for resolution
Slide 42: Does XRI introduce new Internet namespaces?
- Yes. Although it can describe and reuse many types of existing identifiers, it also includes four formal namespaces at the XRI level of identification:
  - = for personal identifiers
  - @ for organizational identifiers
  - + for generic tags
  - $ for specific tags
Slide 43: Does the XRI TC specify public registry services?
- No, the scope of the XRI TC is limited to the technical specifications for XRI and specified XRIs (the $ space)
- XDI.org, a member of the XRI TC, offers public XRI registry services
- XDI.org is a completely separate non-profit organization
Slide 44: What IPR applies to XRI and XRDS?
- The TC operates under the OASIS RF on Limited Terms mode (standard royalty-free terms)
- This has been mandatory from the TC's original charter
- XDI.org made the initial contribution of IPR for what was then called XNS when the TC was formed in 2003
Slide 45: How does Higgins use XRI and XRDS?
- Higgins uses an abstract data model to access data in different contexts (distributed repositories)
- XRI is used for addressing contexts and entities within contexts
- XRDS is used to resolve the metadata a Higgins component needs to open a Higgins context
Slide 46: What open source implementations of XRI and XRDS are available?
- OpenXRI (Java)
  - http://www.openxri.org
- Barx (Ruby)
  - http://xrisoft.org
- MyXDI (C)
  - http://www.ootao.com