What do OpenID, Higgins, INames, and XDI Have in Common - PowerPoint PPT Presentation

Provided by: oasisxrite
1
What do OpenID, Higgins, I-Names, and XDI Have in
Common?
An OASIS Webinar on XRI and XRDS
May 6, 2008
2
What do OpenID, Higgins, i-names, and XDI have in
common? They all use two new OASIS technologies
you may not even have heard of yet. How did
these specifications already become key building
blocks of the Internet identity layer? What
problems do they solve? Where do they fit with
the work of other OASIS Technical
Committees? That's what we'll cover today...
3
OASIS XRI Technical Committee
Formed January 2003
4
XRI (Extensible Resource Identifier)
  • A new type of Internet identifier (URI) designed
    expressly for digital identity
  • An open standard for abstract structured
    identifiers
  • Abstract, i.e., identifiers upon which discovery
    can be performed
  • Structured, i.e., a syntactic framework for
    expressing identifiers: "XML for identifiers"

5
XRDS (Extensible Resource Descriptor Sequence)
  • A simple, extensible service discovery format for
    XRIs or URLs
  • The logical equivalent of a DNS resource record
    at the XRI layer of identification
  • The discovery format used by OpenID 2.0, OAuth,
    and Higgins

6
[Diagram; labels only: Synonyms; Abstract Identifier Layer; Reassignable XRI i-names; Persistent XRI i-numbers; XRDS Document; XRDS Resolution; Concrete Identifier Layer; URI/IRI; Domain Name; IP Address; Local Path/Query; TN (Telephone Number); Other concrete identifier types]
7
Examples of XRI i-names
  • Human-friendly reassignable identifiers
  • gmw
  • ??
  • @boeing
  • @cordancedrummond.reed
  • flower
  • xml

8
Examples of XRI i-numbers
  • Persistent identifiers (never reassigned)
  • !7a42.cd93.40f4.18e5
  • !7a42.cd93.40f4.18e5!283
  • @!b3a7.5537.9fea.31ec
  • !3792
  • !3792!14

9
Examples of XRI cross-references
  • Identifiers reused across contexts
  • (mailto:gabe.wachob@gmail.com)
  • (http://equalsdrummond.name)
  • @(http://boeing.com)
  • @cordance(urn:isbn:0-395-36341-1)
  • flower(http://en.wikipedia.org/rose)

10
Examples of XRIs transformed into URIs
  • XRI Syntax 2.0 defines a strict transformation
    of an XRI into an IRI and URI
  • xri://drummond.reed
  • xri://E794A8E4BE8B
  • xri://@!b3a7.5537.9fea.31ec!133
  • xri://(mailto:gabe.wachob@gmail.com)
  • xri://@cordance(urn:isbn:0-395-36341-1)

11
Example XRDS document
  <XRDS xmlns="xri://$xrds">
    <XRD xmlns="xri://$xrd*($v*2.0)">
      <Query>example</Query>
      <Expires>2005-05-30T09:30:10Z</Expires>
      <ProviderID>xri://</ProviderID>
      <EquivID>xri://example.name</EquivID>
      <CanonicalID>xri://!7c4.58ff.7c9a.e285</CanonicalID>
      <Service priority="10">
        <Type>xri://$res*auth*($v*2.0)</Type>
        <URI>http://res.example.com/!7c4.58ff.7c9a.e285/</URI>
      </Service>
      <Service priority="10">
        <Type>http://openid.net/server/1.0</Type>
        <Type>http://specs.openid.net/auth/2.0/signon</Type>
        <Path>openid</Path>
        <URI>http://authn.example.com/openid/</URI>
      </Service>
    </XRD>
  </XRDS>
[Slide callouts: Query and synonyms; Service 1; Service 2]
12
The XRI 2.0 specifications
  • XRI Syntax 2.0
  • Explicit syntax for reassignable and persistent
    identifiers
  • Global context symbols
  • Cross-references for identifier reuse across
    contexts
  • Flexible delegation at all levels of hierarchy
  • Lossless transformation into IRI and URI forms
  • XRI Resolution 2.0
  • HTTP(S)-based resolution protocol
  • XRDS simple XML discovery document format
  • Synonym management and verification
  • Service endpoint selection logic
  • Redirect and Ref processing

13
Why have XRI and XRDS already become key building
blocks of the Internet identity layer?
14
  • Not only have XRI and XRDS become an integral
    part of OpenID 2.0, but the XRI technical
    community is now a strong part of the OpenID
    community.
  • Bill Washburn, Executive Director,
    OpenID Foundation

15
  • XRI and XRDS have become essential elements of
    the Higgins Project. Without them, we couldn't
    fully implement the abstract data model that is
    the heart of Higgins and the key to
    user-controlled identity and data sharing.
  • Paul Trevithick, Higgins Project Lead

16
Where are XRI and XRDS being used today?
  • OpenID 2.0
  • OAuth Discovery
  • Higgins Project
  • XDI.org i-name/i-number registries
  • XDI data sharing

17
Case Study: the top 3 problems XRI/XRDS solved
for OpenID 2.0
  • Extensible service discovery
  • OpenID recycling
  • Automatic secure resolution

http://middleware.internet2.edu/idtrust/2008/papers/01-reed-openid-xri-xrds.pdf
18
What is OpenID?
  • An open community specification for user-centric
    Internet authentication
  • Based on the concept that users can have their
    own globally-resolvable identifiers and OpenID
    authentication providers
  • Primary use case: eliminate the need for
    different usernames and passwords at every website

22
[Diagram; labels only: User; drummond.reed; Relying Party (RP); OpenID Provider (OP); Discovery]
23
Problem 1: Extensible service discovery
  • OpenID 2.0 needed to describe what versions an
    OpenID identifier supports
  • Also what OpenID extensions it supports (SREG,
    AX, PAPE, etc.)
  • And what other services may be available (e.g.,
    OAuth, SAML, XDI)
  • And it needed redundant, prioritized OpenID
    provider endpoint URLs

24
Solution: XRDS documents
  • Simple, standard discovery format
  • Can be hosted on any blog, web server, IdM
    system, etc.
  • Easily extensible using new URIs or XRIs to
    define service types
  • Can be extended with elements from any other
    namespace

25
  <XRDS xmlns="xri://$xrds">
    <XRD xmlns="xri://$xrd*($v*2.0)">
      <Query>example</Query>
      <Expires>2005-05-30T09:30:10Z</Expires>
      <ProviderID>xri://</ProviderID>
      <CanonicalID>xri://!7c4.58ff.7c9a.e285</CanonicalID>
      <Service>
        <Type>xri://$res*auth*($v*2.0)</Type>
        <URI>http://res.example.com/!7c4.58ff.7c9a.e285/</URI>
      </Service>
      <Service priority="10">
        <Type>http://openid.net/server/1.0</Type>
        <Type>http://specs.openid.net/auth/2.0/signon</Type>
        <Path>openid</Path>
        <URI>http://authn.example.com/openid/</URI>
        <URI>https://secure-authn.example.com/openid/</URI>
        <openid:delegate>http://example.com/bob</openid:delegate>
      </Service>
    </XRD>
  </XRDS>
26
Problem 2: OpenID recycling
  • With usernames/passwords, usernames can be
    recycled
  • The service provider controls the binding with
    the credential
  • With OpenID, that's no longer true
  • The user controls the binding to the credential!
  • Losing control of the identifier = losing
    control of the credential

27
Solution: persistent synonyms
  • Bind a recyclable OpenID identifier with a
    non-recyclable (persistent) identifier, e.g., an
    XRI i-number
  • Always authenticate based on the persistent
    i-number
  • Treat the recyclable identifier as only a
    temporary handle for the i-number
  • The user always stays protected

28
  <XRDS xmlns="xri://$xrds">
    <XRD xmlns="xri://$xrd*($v*2.0)">
      <Query>example</Query>
      <Expires>2005-05-30T09:30:10Z</Expires>
      <ProviderID>xri://</ProviderID>
      <CanonicalID>xri://!7c4.58ff.7c9a.e285</CanonicalID>
      <Service>
        <Type>xri://$res*auth*($v*2.0)</Type>
        <URI>http://res.example.com/!1234.5678.a1b2.c3d4/</URI>
      </Service>
      <Service>
        <Type>http://openid.net/openid/1.1</Type>
        <Type>http://openid.net/openid/2.0</Type>
        <Path>openid</Path>
        <URI>http://authn.example.com/openid/</URI>
      </Service>
    </XRD>
  </XRDS>
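Added example (not from the presentation or from any XRI/OpenID library): how a relying party could apply the two ideas above, picking prioritized OpenID endpoints from an XRDS document and keying the account on the persistent CanonicalID instead of the recyclable name. The sample document, its hosts and priorities, and the https_only policy flag are constructed for illustration; the code assumes the resolver has already verified the CanonicalID.

```python
import xml.etree.ElementTree as ET

XRD = "{xri://$xrd*($v*2.0)}"  # XRD 2.0 element namespace
OPENID_TYPES = {"http://specs.openid.net/auth/2.0/signon",
                "http://openid.net/server/1.0"}

# Constructed sample modelled on the slides; hosts and priorities are made up.
SAMPLE = """<XRDS xmlns="xri://$xrds"><XRD xmlns="xri://$xrd*($v*2.0)">
  <CanonicalID>xri://!7c4.58ff.7c9a.e285</CanonicalID>
  <Service priority="20">
    <Type>http://specs.openid.net/auth/2.0/signon</Type>
    <URI priority="2">http://authn.example.com/openid/</URI>
    <URI priority="1">https://secure-authn.example.com/openid/</URI>
  </Service>
  <Service priority="10">
    <Type>http://specs.openid.net/auth/2.0/signon</Type>
    <URI>https://backup-authn.example.com/openid/</URI>
  </Service>
  <Service><Type>xri://$res*auth*($v*2.0)</Type>
    <URI>http://res.example.com/</URI></Service>
</XRD></XRDS>"""

def _prio(el):
    # Lower number wins; a missing priority sorts last.
    p = el.get("priority")
    return int(p) if p is not None else float("inf")

def final_xrd(text):
    # Discovery documents are untrusted input: refuse DTDs and entities.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("DTD/entity declarations rejected")
    xrds = ET.fromstring(text).findall(XRD + "XRD")
    if not xrds:
        raise ValueError("no XRD element")
    return xrds[-1]  # the last XRD describes the queried identifier

def openid_endpoints(xrd, https_only=True):
    out = []
    for svc in sorted(xrd.findall(XRD + "Service"), key=_prio):
        types = {(t.text or "").strip() for t in svc.findall(XRD + "Type")}
        if types & OPENID_TYPES:
            for u in sorted(svc.findall(XRD + "URI"), key=_prio):
                uri = (u.text or "").strip()
                if uri.startswith("https://") or (uri and not https_only):
                    out.append(uri)
    return out

def account_key(xrd):
    # Key accounts on the persistent CanonicalID, never on the typed i-name.
    cid = (xrd.findtext(XRD + "CanonicalID") or "").strip()
    if not cid:
        raise ValueError("no CanonicalID: refuse to bind an account")
    return cid
```

If the same i-name is later reassigned, its XRDS carries a different CanonicalID, so account_key() no longer matches the previous owner's account.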
29
Problem 3: Automatic secure resolution
  • OpenID could not specify HTTPS resolution for all
    OpenID URLs
  • Too many users do not have access to HTTPS certs
    or infrastructure
  • Thus the default had to be HTTP
  • This forces users with HTTPS URLs to type the
    entire string, e.g., https://my.openid.identifier.tld

30
Solution: XRI secure resolution
  • As abstract identifiers, XRIs always map to
    concrete identifiers
  • This mapping process - XRI resolution - offers
    three trusted modes
  • HTTPS, SAML, or both
  • So XRI i-names used as OpenIDs can use HTTPS
    resolution as the default
  • No need for users to know/do anything

31
XRI and XRDS are also building blocks for other
identity solutions
  • OAuth
  • XRDS discovery format
  • Higgins Project
  • Context discovery and resolution
  • XDI.org XRI registries
  • i-name/i-number registries resolution
  • SAML and Information Cards
  • Privacy-protected identifier claims

32
What is the relationship of XRI and XRDS with
other OASIS TCs and the IDtrust Member Section?
33
XDI (XRI Data Interchange)
  • The XDI controlled data sharing protocol is based
    entirely on XRIs
  • A globally addressable RDF graph where the
    address of every node is an RDF statement
    structured as an XRI
  • subject-xri / predicate-xri / object-xri
  • Enables a simple portable authorization format
    called XDI link contracts

34
ORMS (Open Reputation Management Services)
  • Newest TC in the OASIS IDtrust member section
  • Will define neutral, vendor-independent specs for
    exchanging reputation data
  • XRI and XDI TC members participating
  • XRI for durable subject identifiers
  • XDI for controlled data sharing

35
PKI-Related TCs
  • Digital Signature Services eXtended
    (DSS-X): Advancing new profiles for the DSS OASIS
    Standard
  • Enterprise Key Management Infrastructure
    (EKMI): Defining symmetric key management
    protocols
  • Public Key Infrastructure (PKI)
    Adoption: Advancing the use of digital
    certificates as a foundation for managing access
    to network resources and conducting electronic
    transactions

36
Conclusion
  • Abstract structured identifiers offer 3 key
    features for the Internet identity layer
  • Simple, safe, strong identifiers
  • Simple, extensible, secure service discovery
  • Interoperability between multiple identity
    protocols and frameworks
  • XRI and XRDS are building blocks everyone can use

37
Contact us
  • Gabe Wachob, XRI TC Co-Chair
  • http://xri.net/gmw
  • gabe.wachob@wachob.com
  • Drummond Reed, XRI TC Co-Chair
  • http://xri.net/drummond.reed
  • drummond.reed@cordance.net
  • Wikipedia
  • http://en.wikipedia.org/XRI
  • http://en.wikipedia.org/XRDS

38
  • Learn through the IDtrust Knowledgebase of
    educational materials and background on the
    standards
  • Share news, events, presentations, white papers,
    product listings, opinions, questions, and
    recommendations through postings, blogs, forums,
    and directories.
  • Collaborate with others online through a wiki
    interface
  • http://idtrust.xml.org

39
Q&A
40
What is the relationship of XRI to URNs?
  • Uniform Resource Names are specified by IETF RFC
    2141
  • They are persistent (non-recyclable) identifiers
  • XRI combines both URNs and HFNs (human-friendly
    names) in one syntax and resolution protocol

41
What is the relationship of XRI to the Handle
System?
  • Handle is a persistent object identifier system
    developed by CNRI
  • Specified in RFCs 3650, 3651, 3652
  • Handle does not include HFNs or other structured
    identifier features of XRI
  • Handle does not use XML or HTTP for resolution

42
Does XRI introduce new Internet namespaces?
  • Yes. Although it can describe and reuse many
    types of existing identifiers, it also includes
    four formal namespaces at the XRI level of
    identification
  • for personal identifiers
  • @ for organizational identifiers
  • for generic tags
  • for specific tags

43
Does the XRI TC specify public registry services?
  • No, the scope of the XRI TC is limited to the
    technical specifications for XRI and specified
    XRIs (the space)
  • XDI.org, a member of the XRI TC, offers public
    XRI registry services
  • XDI.org is a completely separate non-profit
    organization

44
What IPR applies to XRI and XRDS?
  • The TC operates under the OASIS RF on Limited
    Terms mode (standard royalty-free terms)
  • This has been mandatory from the TC's original
    charter
  • XDI.org made the initial contribution of IPR for
    what was then called XNS when the TC was formed
    in 2003

45
How does Higgins use XRI and XRDS?
  • Higgins uses an abstract data model to access
    data in different contexts (distributed
    repositories)
  • XRI is used for addressing contexts and entities
    within contexts
  • XRDS is used to resolve the metadata a Higgins
    component needs to open a Higgins context

46
What open source implementations of XRI and XRDS
are available?
  • OpenXRI (Java)
  • http://www.openxri.org
  • Barx (Ruby)
  • http://xrisoft.org
  • MyXDI (C)
  • http://www.ootao.com