What do OpenID, Higgins, I-Names, and XDI Have in Common?
An OASIS Webinar on XRI and XRDS
May 6, 2008
Gabe Wachob, XRI TC Co-Chair
Paul Trevithick, The Higgins Project
Drummond Reed, XRI TC Co-Chair
John Bradley, ooTao, OpenID
Les Chasen, NeuStar XRI GRS
Markus Sabadello, XDI.org
What do OpenID, Higgins, i-names, and XDI have in common?
They all use two new OASIS technologies you may not even have heard of yet.
How did these specifications already become key building blocks of the Internet identity layer? What problems do they solve? Where do they fit with the work of other OASIS Technical Committees?
That’s what we’ll cover today...
OASIS XRI Technical Committee
Formed January 2003
XRI (Extensible Resource Identifier)
A new type of Internet identifier (URI) designed expressly for digital identity
An open standard for abstract structured identifiers
Abstract, i.e., identifiers upon which discovery can be performed
Structured, i.e., a syntactic framework for expressing identifiers – “XML for identifiers”
XRDS (Extensible Resource Descriptor Sequence)
A simple, extensible service discovery format for XRIs or URLs
The logical equivalent of a DNS resource record at the XRI layer of identification
The discovery format used by OpenID 2.0, OAuth, and Higgins
[Figure: the two identifier layers. Abstract identifier layer: reassignable XRI “i-names” and persistent XRI “i-numbers”, which are synonyms of each other; XRDS resolution maps each to an XRDS document. Concrete identifier layer: URI/IRI, domain name, IP address, local path/query, telephone number (TN) and other concrete identifier types.]
Examples of XRI i-names
Human-friendly reassignable identifiers
=gmw
=用例
@boeing
@cordance*drummond.reed
+flower
$xml
Examples of XRI i-numbers
Persistent identifiers (never reassigned)
=!7a42.cd93.40f4.18e5
=!7a42.cd93.40f4.18e5!283
@!b3a7.5537.9fea.31ec
+!3792
+!3792!14
Examples of XRI cross-references
Identifiers reused across contexts
=(mailto:[email protected])
=(http://equalsdrummond.name)
@(http://boeing.com)
@cordance*(urn:isbn:0-395-36341-1)
+flower*(http://en.wikipedia.org/rose)
Examples of XRIs transformed into URIs
XRI Syntax 2.0 defines a strict transformation of an XRI into an IRI and URI
xri://=drummond.reed
xri://=%E7%94%A8%E4%BE%8B
xri://@!b3a7.5537.9fea.31ec!133
xri://=(mailto:[email protected])
xri://@cordance*(urn:isbn:0-395-36341-1)
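The two-step transformation the slide refers to, written out as an added Python example (not code from the XRI TC or from any XRI implementation). It follows my reading of XRI Syntax 2.0: first escape literal "%" and, inside cross-references, "/", "?" and "#" (XRI to IRI), then percent-encode non-ASCII characters as UTF-8 as RFC 3987 does (IRI to URI).

```python
import urllib.parse

def xri_to_iri(xri: str) -> str:
    """XRI -> IRI: escape '%' as %25 and, inside a cross-reference
    (a parenthesised sub-identifier), escape '/', '?' and '#' so they
    are not mistaken for path/query/fragment delimiters of the outer
    identifier. Assumption: this is the full XRI-to-IRI rule set."""
    out = []
    depth = 0  # current nesting depth of cross-references
    for ch in xri:
        if ch == "%":
            out.append("%25")
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif depth > 0 and ch in "/?#":
            out.append("%%%02X" % ord(ch))
            continue
        out.append(ch)
    return "".join(out)

def iri_to_uri(iri: str) -> str:
    """IRI -> URI: percent-encode the UTF-8 bytes of every non-ASCII
    character (RFC 3987 section 3.1); ASCII is passed through."""
    return "".join(ch if ord(ch) < 0x80 else urllib.parse.quote(ch, safe="")
                   for ch in iri)

def xri_to_uri(xri: str) -> str:
    """The complete transformation: XRI -> IRI -> URI."""
    return iri_to_uri(xri_to_iri(xri))

if __name__ == "__main__":
    # The slide's own examples plus one constructed cross-reference with a path
    for x in ["xri://=drummond.reed", "xri://=用例",
              "xri://@cordance*(urn:isbn:0-395-36341-1)",
              "xri://=(http://equalsdrummond.name/a)"]:
        print(x, "->", xri_to_uri(x))
```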
Example XRDS document
<XRDS xmlns="xri://$xrds">
  <XRD xmlns="xri://$xrd*($v*2.0)">
    <!-- Query and synonyms -->
    <Query>*example</Query>
    <Expires>2005-05-30T09:30:10Z</Expires>
    <ProviderID>xri://=</ProviderID>
    <EquivID>xri://=example.name</EquivID>
    <CanonicalID>xri://=!7c4.58ff.7c9a.e285</CanonicalID>
    <!-- Service #1 -->
    <Service priority="10">
      <Type>xri://$res*auth*($v*2.0)</Type>
      <URI>http://res.example.com/=!7c4.58ff.7c9a.e285/</URI>
    </Service>
    <!-- Service #2 -->
    <Service priority="10">
      <Type>http://openid.net/server/1.0</Type>
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <Path>+openid</Path>
      <URI>http://authn.example.com/openid/</URI>
    </Service>
  </XRD>
</XRDS>
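Added Python example (not code from the XRI TC, OpenXRI or any OpenID library) of the service endpoint selection a relying party performs on an XRDS document like the one above: it reads the CanonicalID and lists the URIs of every Service advertising a requested Type, ordered by the priority attribute. The sample document is the slide's, with one constructed lower-priority OpenID endpoint added to show the ordering.

```python
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"   # namespace of the XRD 2.0 elements on the slide

# Constructed sample: the slide's document plus a priority-20 OpenID endpoint.
SAMPLE_XRDS = """<XRDS xmlns="xri://$xrds">
  <XRD xmlns="xri://$xrd*($v*2.0)">
    <Query>*example</Query>
    <Expires>2005-05-30T09:30:10Z</Expires>
    <ProviderID>xri://=</ProviderID>
    <EquivID>xri://=example.name</EquivID>
    <CanonicalID>xri://=!7c4.58ff.7c9a.e285</CanonicalID>
    <Service priority="10">
      <Type>xri://$res*auth*($v*2.0)</Type>
      <URI>http://res.example.com/=!7c4.58ff.7c9a.e285/</URI>
    </Service>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>http://backup-authn.example.com/openid/</URI>
    </Service>
    <Service priority="10">
      <Type>http://openid.net/server/1.0</Type>
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <Path>+openid</Path>
      <URI>http://authn.example.com/openid/</URI>
    </Service>
  </XRD>
</XRDS>"""

def _priority(service):
    # Lower number = higher priority; a Service without the attribute sorts last.
    p = service.get("priority")
    return int(p) if p is not None else float("inf")

def canonical_id(xrds_text):
    """Persistent synonym (CanonicalID) of the first XRD, or None if absent."""
    xrd = ET.fromstring(xrds_text).find(f"{{{XRD_NS}}}XRD")
    return xrd.findtext(f"{{{XRD_NS}}}CanonicalID")

def select_endpoints(xrds_text, service_type):
    """URIs of every Service whose Type list contains service_type, best
    priority first. Equal priorities are interchangeable under the spec;
    document order is kept here (stable sort) so the result is deterministic."""
    xrd = ET.fromstring(xrds_text).find(f"{{{XRD_NS}}}XRD")
    matching = [s for s in xrd.findall(f"{{{XRD_NS}}}Service")
                if service_type in [t.text for t in s.findall(f"{{{XRD_NS}}}Type")]]
    matching.sort(key=_priority)
    return [u.text for s in matching for u in s.findall(f"{{{XRD_NS}}}URI")]
```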
The XRI 2.0 specifications
XRI Syntax 2.0
Explicit syntax for reassignable and persistent identifiers
Global context symbols
Cross-references for identifier reuse across contexts
Flexible delegation at all levels of hierarchy
Lossless transformation into IRI and URI forms
XRI Resolution 2.0
HTTP(S)-based resolution protocol
XRDS: simple XML discovery document format
Synonym management and verification
Service endpoint selection logic
Redirect and Ref processing
Why have XRI and XRDS already become key building blocks of the Internet identity layer?
Not only have XRI and XRDS become an integral part of OpenID 2.0, but the XRI technical community is now a strong part of the OpenID community.
— Bill Washburn, Executive Director, OpenID Foundation
XRI and XRDS have become essential elements of the Higgins Project. Without them, we couldn’t fully implement the abstract data model that is the heart of Higgins and the key to user-controlled identity and data sharing.
— Paul Trevithick, Higgins Project Lead
Where are XRI and XRDS being used today?
OpenID 2.0
OAuth Discovery
Higgins Project
XDI.org i-name/i-number registries
XDI data sharing
Case Study: the top 3 problems XRI/XRDS solved for OpenID 2.0
Extensible service discovery
OpenID recycling
Automatic secure resolution
http://middleware.internet2.edu/idtrust/2008/papers/01-reed-openid-xri-xrds.pdf
What is OpenID?
An open community specification for user-centric Internet authentication
Based on the concept that users can have their own globally-resolvable identifiers and OpenID authentication providers
Primary use case: eliminate the need for different usernames and passwords at every website
[Figure: OpenID 2.0 authentication flow, steps 1 to 5, between the User, the Relying Party (RP) and the OpenID Provider (OP); discovery on the identifier =drummond.reed returns an XRDS document.]
Problem #1: Extensible service discovery
OpenID 2.0 needed to describe what versions an OpenID identifier supports
Also what OpenID extensions it supports (SREG, AX, PAPE, etc.)
And what other services may be available (e.g., OAuth, SAML, XDI)
And it needed redundant, prioritized OpenID provider endpoint URLs
Solution: XRDS documents
Simple, standard discovery format
Can be hosted on any blog, web server, IdM system, etc.
Easily extensible using new URIs or XRIs to define service types
Can be extended with elements from any other namespace
<XRDS xmlns="xri://$xrds">
  <XRD xmlns="xri://$xrd*($v*2.0)" xmlns:openid="http://openid.net/xmlns/1.0">
    <Query>*example</Query>
    <Expires>2005-05-30T09:30:10Z</Expires>
    <ProviderID>xri://=</ProviderID>
    <CanonicalID>xri://=!7c4.58ff.7c9a.e285</CanonicalID>
    <Service>
      <Type>xri://$res*auth*($v*2.0)</Type>
      <URI>http://res.example.com/=!7c4.58ff.7c9a.e285/</URI>
    </Service>
    <Service priority="10">
      <Type>http://openid.net/server/1.0</Type>
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <Path>+openid</Path>
      <URI>http://authn.example.com/openid/</URI>
      <URI>https://secure-authn.example.com/openid/</URI>
      <!-- element from another namespace (the OpenID 1.x XRDS namespace) -->
      <openid:delegate>http://example.com/bob</openid:delegate>
    </Service>
  </XRD>
</XRDS>
Problem #2: OpenID recycling
With usernames/passwords, usernames can be recycled
The service provider controls the binding with the credential
With OpenID, that’s no longer true
The user controls the binding to the credential!
Losing control of the identifier = losing control of the credential
Solution: persistent synonyms
Bind a recyclable OpenID identifier with a non-recyclable (persistent) identifier, e.g., an XRI i-number
Always authenticate based on the persistent i-number
Treat the recyclable identifier as only a temporary handle for the i-number
The user always stays protected
<XRDS xmlns="xri://$xrds">
  <XRD xmlns="xri://$xrd*($v*2.0)">
    <Query>*example</Query>
    <Expires>2005-05-30T09:30:10Z</Expires>
    <ProviderID>xri://=</ProviderID>
    <CanonicalID>xri://=!7c4.58ff.7c9a.e285</CanonicalID>
    <Service>
      <Type>xri://$res*auth*($v*2.0)</Type>
      <URI>http://res.example.com/=!1234.5678.a1b2.c3d4/</URI>
    </Service>
    <Service>
      <Type>http://openid.net/openid/1.1</Type>
      <Type>http://openid.net/openid/2.0</Type>
      <Path>+openid</Path>
      <URI>http://authn.example.com/openid/</URI>
    </Service>
  </XRD>
</XRDS>
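Added Python example (not code from the slides or from any OpenID library) contrasting a relying party that keys accounts on the reassignable i-name with one that keys them on the persistent CanonicalID, which is what the slide's "persistent synonyms" solution amounts to. The XRDS documents, the i-name =alice and the recycling scenario are constructed; the two i-number values are reused from the slide's examples.

```python
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"

def make_xrds(i_name, i_number):
    # Constructed XRDS in the slide's layout: EquivID carries the reassignable
    # i-name, CanonicalID the persistent i-number.
    return (f'<XRDS xmlns="xri://$xrds"><XRD xmlns="{XRD_NS}">'
            f'<EquivID>{i_name}</EquivID><CanonicalID>{i_number}</CanonicalID>'
            '<Service><Type>http://openid.net/openid/2.0</Type>'
            '<URI>http://authn.example.com/openid/</URI></Service></XRD></XRDS>')

def canonical_id(xrds_text):
    xrd = ET.fromstring(xrds_text).find(f"{{{XRD_NS}}}XRD")
    return xrd.findtext(f"{{{XRD_NS}}}CanonicalID")

class NaiveRelyingParty:
    """Keys accounts on the i-name: whoever re-registers a lapsed name
    inherits the previous holder's account."""
    def __init__(self):
        self.accounts = {}   # i-name -> account id

    def login(self, i_name, resolved_xrds):
        return self.accounts.setdefault(i_name, len(self.accounts) + 1)

class PersistentRelyingParty:
    """Keys accounts on the CanonicalID; the i-name is only a display handle."""
    def __init__(self):
        self.accounts = {}   # i-number -> account id
        self.handles = {}    # i-number -> most recently seen i-name

    def login(self, i_name, resolved_xrds):
        i_number = canonical_id(resolved_xrds)
        if i_number is None:
            return None      # no persistent synonym: nothing durable to bind to
        self.handles[i_number] = i_name
        return self.accounts.setdefault(i_number, len(self.accounts) + 1)

# Constructed i-numbers for the two parties (values taken from the slide).
ALICE = "xri://=!7c4.58ff.7c9a.e285"
MALLORY = "xri://=!1234.5678.a1b2.c3d4"

def recycling_scenario(rp):
    """=alice is registered by Alice, lapses, and is re-registered by Mallory.
    Returns (account id Alice got, account id Mallory gets with the same name)."""
    first = rp.login("=alice", make_xrds("=alice", ALICE))
    second = rp.login("=alice", make_xrds("=alice", MALLORY))
    return first, second
```

With the naive party the scenario returns the same account id twice; with the persistent party Mallory gets a fresh account, and Alice keeps hers even after changing her i-name.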
Problem #3: Automatic secure resolution
OpenID could not specify HTTPS resolution for all OpenID URLs
Too many users do not have access to HTTPS certs or infrastructure
Thus the default had to be HTTP
This forces users with HTTPS URLs to type the entire string, e.g., https://my.openid.identifier.tld
Solution: XRI secure resolution
As abstract identifiers, XRIs always map to concrete identifiers
This mapping process (XRI resolution) offers three trusted modes: HTTPS, SAML, or both
So XRI i-names used as OpenIDs can use HTTPS resolution as the default
No need for users to know/do anything
XRI and XRDS are also building blocks for other identity solutions
OAuth: XRDS discovery format
Higgins Project: context discovery and resolution
XDI.org XRI registries: i-name/i-number registries & resolution
SAML and Information Cards: privacy-protected identifier claims
What is the relationship of XRI and XRDS with other OASIS TCs and the IDtrust Member Section?
XDI (XRI Data Interchange)
The XDI controlled data sharing protocol is based entirely on XRIs
A globally addressable RDF graph where the address of every node is an RDF statement structured as an XRI: subject-xri / predicate-xri / object-xri
Enables a simple portable authorization format called XDI link contracts
ORMS (Open Reputation Management Services)
Newest TC in the OASIS IDtrust member section
Will define neutral, vendor-independent specs for exchanging reputation data
XRI and XDI TC members participating
XRI for durable subject identifiers
XDI for controlled data sharing
PKI-Related TCs
Digital Signature Services eXtended (DSS-X)
Advancing new profiles for the DSS OASIS Standard
Enterprise Key Management Infrastructure (EKMI)
Defining symmetric key management protocols
Public Key Infrastructure (PKI) Adoption
Advancing the use of digital certificates as a foundation for managing access to network resources and conducting electronic transactions
Conclusion
Abstract structured identifiers offer 3 key features for the Internet identity layer
Simple, safe, strong identifiers
Simple, extensible, secure service discovery
Interoperability between multiple identity protocols and frameworks
XRI and XRDS are building blocks everyone can use
Contact us
Gabe Wachob, XRI TC Co-Chair
http://xri.net/=gmw
[email protected]
Drummond Reed, XRI TC Co-Chair
http://xri.net/=drummond.reed
[email protected]
Wikipedia http://en.wikipedia.org/XRI http://en.wikipedia.org/XRDS
Learn through the IDtrust Knowledgebase of educational materials and background on the standards
Share news, events, presentations, white papers, product listings, opinions, questions, and recommendations through postings, blogs, forums, and directories.
Collaborate with others online through a wiki interface
http://idtrust.xml.org
Q&A
What is the relationship of XRI to URNs?
Uniform Resource Names are specified by IETF RFC 2141
They are persistent (non-recyclable) identifiers
XRI combines both URNs and HFNs (human-friendly names) in one syntax and resolution protocol
What is the relationship of XRI to the Handle System?
Handle is a persistent object identifier system developed by CNRI
Specified in RFCs 3650, 3651, 3652
Handle does not include HFNs or other structured identifier features of XRI
Handle does not use XML or HTTP for resolution
Does XRI introduce new Internet namespaces?
Yes. Although it can describe and reuse many types of existing identifiers, it also includes four formal namespaces at the XRI level of identification
= for personal identifiers
@ for organizational identifiers
+ for generic tags
$ for specific tags
Does the XRI TC specify public registry services?
No, the scope of the XRI TC is limited to the technical specifications for XRI and specified XRIs (the $ space)
XDI.org, a member of the XRI TC, offers public XRI registry services
XDI.org is a completely separate non-profit organization
What IPR applies to XRI and XRDS?
The TC operates under the OASIS “RF on Limited Terms” mode (standard royalty-free terms)
This has been mandatory from the TC’s original charter
XDI.org made the initial contribution of IPR for what was then called XNS when the TC was formed in 2003
How does Higgins use XRI and XRDS?
Higgins uses an abstract data model to access data in different contexts (distributed repositories)
XRI is used for addressing contexts and entities within contexts
XRDS is used to resolve the metadata a Higgins component needs to open a Higgins context
What open source implementations of XRI and XRDS are available?
OpenXRI (Java) http://www.openxri.org
Barx (Ruby) http://xrisoft.org
MyXDI (C++) http://www.ootao.com