What do OpenID, Higgins, I-Names, and XDI Have in Common? An OASIS Webinar on XRI and XRDS (May 6, 2008)


Page 1: What do OpenID, Higgins, I-Names, and XDI Have in Common?

What do OpenID, Higgins, I-Names, and XDI Have in Common?
An OASIS Webinar on XRI and XRDS

May 6, 2008

Gabe Wachob, XRI TC Co-Chair
Paul Trevithick, The Higgins Project
Drummond Reed, XRI TC Co-Chair
John Bradley, ooTao, OpenID
Les Chasen, NeuStar XRI GRS
Markus Sabadello, XDI.org

Page 2: What do OpenID, Higgins, I-Names, and XDI Have in Common?

What do OpenID, Higgins, i-names, and XDI have in common?

They all use two new OASIS technologies you may not even have heard of yet.

How did these specifications already become key building blocks of the Internet identity layer? What problems do they solve? Where do they fit with the work of other OASIS Technical Committees?

That’s what we’ll cover today...

Page 3: What do OpenID, Higgins, I-Names, and XDI Have in Common?

OASIS XRI Technical Committee
Formed January 2003

Page 4: What do OpenID, Higgins, I-Names, and XDI Have in Common?

XRI (Extensible Resource Identifier)

- A new type of Internet identifier (URI) designed expressly for digital identity
- An open standard for abstract structured identifiers
  - Abstract, i.e., identifiers upon which discovery can be performed
  - Structured, i.e., a syntactic framework for expressing identifiers ("XML for identifiers")

Page 5: What do OpenID, Higgins, I-Names, and XDI Have in Common?

XRDS (Extensible Resource Descriptor Sequence)

- A simple, extensible service discovery format for XRIs or URLs
- The logical equivalent of a DNS resource record at the XRI layer of identification
- The discovery format used by OpenID 2.0, OAuth, and Higgins

Page 6: What do OpenID, Higgins, I-Names, and XDI Have in Common?

[Diagram: two identifier layers. Abstract identifier layer: reassignable XRIs ("i-names") and persistent XRIs ("i-numbers"), linked to each other as synonyms. XRDS resolution, via XRDS documents, maps them down to the concrete identifier layer: URI/IRI, domain name, IP address, local path/query, telephone number (TN), and other concrete identifier types.]

Page 7: What do OpenID, Higgins, I-Names, and XDI Have in Common?

Examples of XRI i-names

Human-friendly reassignable identifiers:

=gmw
=用例
@boeing
@cordance*drummond.reed
+flower
$xml

Page 8: What do OpenID, Higgins, I-Names, and XDI Have in Common?

Examples of XRI i-numbers

Persistent identifiers (never reassigned):

=!7a42.cd93.40f4.18e5
=!7a42.cd93.40f4.18e5!283
@!b3a7.5537.9fea.31ec
+!3792
+!3792!14

Page 9: What do OpenID, Higgins, I-Names, and XDI Have in Common?

Examples of XRI cross-references

Identifiers reused across contexts:

=(mailto:[email protected])
=(http://equalsdrummond.name)
@(http://boeing.com)
@cordance*(urn:isbn:0-395-36341-1)
+flower*(http://en.wikipedia.org/rose)

Page 10: What do OpenID, Higgins, I-Names, and XDI Have in Common?

Examples of XRIs transformed into URIs

XRI Syntax 2.0 defines a strict transformation of an XRI into an IRI and then a URI:

xri://=drummond.reed
xri://=%E7%94%A8%E4%BE%8B
xri://@!b3a7.5537.9fea.31ec!133
xri://=(mailto:[email protected])
xri://@cordance*(urn:isbn:0-395-36341-1)
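The i-name, i-number and cross-reference examples on the preceding slides, and the XRI-to-URI transformation above, are easier to reason about with a small parser in hand. The following is an added example written for this transcript; it is not the XRI TC's reference code nor OpenXRI. It splits an XRI into its global context symbol and `*`/`!` subsegments (keeping a parenthesised cross-reference whole), reports whether the identifier is fully persistent (an i-number), and produces the IRI and URI forms. Two assumptions are built in: the cross-reference escaping implements XRI Syntax 2.0 section 2.3.1 as this example reads it (percent-encode `/`, `?`, `#` and `%` inside parentheses so they are not mistaken for path, query or fragment delimiters), and the IRI-to-URI step is the ordinary RFC 3987 rule of percent-encoding the UTF-8 bytes of non-ASCII characters, which is what turns `=用例` into the slide's `xri://=%E7%94%A8%E4%BE%8B`.

```python
"""XRI 2.0 syntax helpers (added example, not the XRI TC's or OpenXRI's code).

parse_xri     -> (gcs, [(delimiter, value), ...], rest)
is_persistent -> True only for i-numbers (every subsegment introduced by '!')
to_iri/to_uri -> XRI Syntax 2.0 transformation as read here (assumption, see text)
"""
from urllib.parse import quote

# Global context symbols: = personal, @ organizational, + generic tag,
# $ specific tag; '!' is the persistent root space.
GCS = "=@+$!"


def _strip_scheme(xri):
    return xri[6:] if xri.startswith("xri://") else xri


def parse_xri(xri):
    """Split an XRI into (gcs, subsegments, rest).

    subsegments is a list of (delimiter, value): '*' = reassignable,
    '!' = persistent; a cross-reference '(...)' is kept whole as one value.
    rest is the local path/query/fragment after the authority."""
    s = _strip_scheme(xri)
    if not s or s[0] not in GCS:
        raise ValueError("XRI must start with a global context symbol")
    gcs, body = s[0], s[1:]
    depth, cut = 0, len(body)
    for k, ch in enumerate(body):          # authority ends at / ? # outside (...)
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif depth == 0 and ch in "/?#":
            cut = k
            break
    return gcs, _split_subsegments(body[:cut]), body[cut:]


def _split_subsegments(authority):
    segs, i, n = [], 0, len(authority)
    while i < n:
        if authority[i] in "*!":
            delim, i = authority[i], i + 1
        elif not segs:
            delim = "*"                    # first subsegment: '*' is implicit
        else:
            raise ValueError("expected * or ! before subsegment at offset %d" % i)
        if i < n and authority[i] == "(":  # cross-reference: scan to matching paren
            depth, j = 0, i
            while j < n:
                depth += {"(": 1, ")": -1}.get(authority[j], 0)
                if depth == 0:
                    break
                j += 1
            if depth != 0:
                raise ValueError("unbalanced cross-reference")
            value, i = authority[i:j + 1], j + 1
        else:
            j = i
            while j < n and authority[j] not in "*!":
                j += 1
            value, i = authority[i:j], j
        if not value:
            raise ValueError("empty subsegment")
        segs.append((delim, value))
    return segs


def is_persistent(xri):
    """An XRI is an i-number only if every subsegment is persistent."""
    segs = parse_xri(xri)[1]
    return bool(segs) and all(d == "!" for d, _ in segs)


def to_iri(xri):
    """XRI -> IRI: '%' becomes %25; inside cross-references, / ? # are
    percent-encoded so they cannot be read as path/query/fragment delimiters."""
    out, depth = [], 0
    for ch in _strip_scheme(xri):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "%":
            out.append("%25")
        elif depth > 0 and ch in "/?#":
            out.append("%%%02X" % ord(ch))
        else:
            out.append(ch)
    return "xri://" + "".join(out)


def to_uri(xri):
    """IRI -> URI: percent-encode the UTF-8 bytes of every non-ASCII character."""
    return "".join(ch if ord(ch) < 0x80 else quote(ch) for ch in to_iri(xri))
```

A relying party that wants the recycling protection described later in this deck can use `is_persistent` as a guard: an identifier with any `*` subsegment is an i-name that its registry may reassign, so accounts should be keyed on the i-number synonym instead.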

Page 11: What do OpenID, Higgins, I-Names, and XDI Have in Common?

Example XRDS document

<XRDS xmlns="xri://$xrds">
  <XRD xmlns="xri://$xrd*($v*2.0)">
    <!-- Query and synonyms -->
    <Query>*example</Query>
    <Expires>2005-05-30T09:30:10Z</Expires>
    <ProviderID>xri://=</ProviderID>
    <EquivID>xri://=example.name</EquivID>
    <CanonicalID>xri://=!7c4.58ff.7c9a.e285</CanonicalID>
    <!-- Service #1: XRI authority resolution -->
    <Service priority="10">
      <Type>xri://$res*auth*($v*2.0)</Type>
      <URI>http://res.example.com/=!7c4.58ff.7c9a.e285/</URI>
    </Service>
    <!-- Service #2: OpenID authentication -->
    <Service priority="10">
      <Type>http://openid.net/server/1.0</Type>
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <Path>+openid</Path>
      <URI>http://authn.example.com/openid/</URI>
    </Service>
  </XRD>
</XRDS>

Page 12: What do OpenID, Higgins, I-Names, and XDI Have in Common?

The XRI 2.0 specifications

XRI Syntax 2.0
- Explicit syntax for reassignable and persistent identifiers
- Global context symbols
- Cross-references for identifier reuse across contexts
- Flexible delegation at all levels of hierarchy
- Lossless transformation into IRI and URI forms

XRI Resolution 2.0
- HTTP(S)-based resolution protocol
- XRDS: simple XML discovery document format
- Synonym management and verification
- Service endpoint selection logic
- Redirect and Ref processing

Page 13: What do OpenID, Higgins, I-Names, and XDI Have in Common?

Why have XRI and XRDS already become key building blocks of the Internet identity layer?

Page 14: What do OpenID, Higgins, I-Names, and XDI Have in Common?

Not only have XRI and XRDS become an integral part of OpenID 2.0, but the XRI technical community is now a strong part of the OpenID community.

— Bill Washburn, Executive Director, OpenID Foundation

Page 15: What do OpenID, Higgins, I-Names, and XDI Have in Common?

XRI and XRDS have become essential elements of the Higgins Project. Without them, we couldn’t fully implement the abstract data model that is the heart of Higgins and the key to user-controlled identity and data sharing.

— Paul Trevithick, Higgins Project Lead

Page 16: What do OpenID, Higgins, I-Names, and XDI Have in Common?

Where are XRI and XRDS being used today?

- OpenID 2.0
- OAuth Discovery
- Higgins Project
- XDI.org i-name/i-number registries
- XDI data sharing

Page 17: What do OpenID, Higgins, I-Names, and XDI Have in Common?

Case Study: the top 3 problems XRI/XRDS solved for OpenID 2.0

- Extensible service discovery
- OpenID recycling
- Automatic secure resolution

Paper: http://middleware.internet2.edu/idtrust/2008/papers/01-reed-openid-xri-xrds.pdf

Page 18: What do OpenID, Higgins, I-Names, and XDI Have in Common?

What is OpenID?

- An open community specification for user-centric Internet authentication
- Based on the concept that users can have their own globally-resolvable identifiers and their own OpenID authentication providers
- Primary use case: eliminate the need for different usernames and passwords at every website

Page 22: What do OpenID, Higgins, I-Names, and XDI Have in Common?

[Diagram: OpenID 2.0 authentication flow, numbered steps 1 to 5, between the User, the Relying Party (RP) and the OpenID Provider (OP). The user presents the identifier =drummond.reed; the RP performs discovery by resolving it to an XRDS document, which tells the RP where the OP is.]

Page 23: What do OpenID, Higgins, I-Names, and XDI Have in Common?

Problem #1: Extensible service discovery

- OpenID 2.0 needed to describe which OpenID versions an identifier supports
- Also which OpenID extensions it supports (SREG, AX, PAPE, etc.)
- And what other services may be available (e.g., OAuth, SAML, XDI)
- And it needed redundant, prioritized OpenID provider endpoint URLs

Page 24: What do OpenID, Higgins, I-Names, and XDI Have in Common?

Solution: XRDS documents

- Simple, standard discovery format
- Can be hosted on any blog, web server, IdM system, etc.
- Easily extensible using new URIs or XRIs to define service types
- Can be extended with elements from any other namespace

Page 25: What do OpenID, Higgins, I-Names, and XDI Have in Common?

Example XRDS document with redundant OpenID endpoint URIs and an element from another namespace (the openid namespace declaration is the OpenID 1.1 Yadis one, added here so the delegate element is well-formed):

<XRDS xmlns="xri://$xrds">
  <XRD xmlns="xri://$xrd*($v*2.0)" xmlns:openid="http://openid.net/xmlns/1.0">
    <Query>*example</Query>
    <Expires>2005-05-30T09:30:10Z</Expires>
    <ProviderID>xri://=</ProviderID>
    <CanonicalID>xri://=!7c4.58ff.7c9a.e285</CanonicalID>
    <Service>
      <Type>xri://$res*auth*($v*2.0)</Type>
      <URI>http://res.example.com/=!7c4.58ff.7c9a.e285/</URI>
    </Service>
    <Service priority="10">
      <Type>http://openid.net/server/1.0</Type>
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <Path>+openid</Path>
      <URI>http://authn.example.com/openid/</URI>
      <URI>https://secure-authn.example.com/openid/</URI>
      <openid:Delegate>http://example.com/bob</openid:Delegate>
    </Service>
  </XRD>
</XRDS>

Page 26: What do OpenID, Higgins, I-Names, and XDI Have in Common?

Problem #2: OpenID recycling

- With usernames/passwords, usernames can be recycled: the service provider controls the binding with the credential
- With OpenID, that's no longer true: the user controls the binding to the credential!
- Losing control of the identifier = losing control of the credential

Page 27: What do OpenID, Higgins, I-Names, and XDI Have in Common?

Solution: persistent synonyms

- Bind a recyclable OpenID identifier to a non-recyclable (persistent) identifier, e.g., an XRI i-number
- Always authenticate based on the persistent i-number
- Treat the recyclable identifier as only a temporary handle for the i-number
- The user always stays protected

Page 28: What do OpenID, Higgins, I-Names, and XDI Have in Common?

Example XRDS document binding the recyclable i-name to its persistent i-number: the CanonicalID is the value the relying party must key the account on.

<XRDS xmlns="xri://$xrds">
  <XRD xmlns="xri://$xrd*($v*2.0)">
    <Query>*example</Query>
    <Expires>2005-05-30T09:30:10Z</Expires>
    <ProviderID>xri://=</ProviderID>
    <CanonicalID>xri://=!7c4.58ff.7c9a.e285</CanonicalID>
    <Service>
      <Type>xri://$res*auth*($v*2.0)</Type>
      <URI>http://res.example.com/=!7c4.58ff.7c9a.e285/</URI>
    </Service>
    <Service>
      <Type>http://openid.net/signon/1.1</Type>
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <Path>+openid</Path>
      <URI>http://authn.example.com/openid/</URI>
    </Service>
  </XRD>
</XRDS>
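The three OpenID problems above (service discovery with prioritized endpoints, identifier recycling, and secure resolution) come together in how a relying party consumes an XRD. The block below is an added example written for this transcript, not code from the webinar, OpenXRI or any OpenID library. It parses the XRDS shown on these slides, selects a service endpoint by Type and priority the way XRI Resolution 2.0 orders them (lower number wins, a missing priority sorts last), optionally refuses plain-HTTP endpoints, and keys the relying party's account store on the CanonicalID rather than on the i-name the user typed. The sample documents are constructed: URI priorities were added to the slide's XRD, and a second copy pretends `=example` has since been re-registered to a holder with a different i-number (the slide's other example i-number). The openid namespace URI is the OpenID 1.1 Yadis one; this example assumes the CanonicalID was already verified during resolution, which XRI Resolution 2.0 requires before it may be trusted.

```python
"""XRDS endpoint selection and persistent-synonym binding for an OpenID RP.
Added example; not code from the webinar or from any OpenID/XRI library."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

XRDS_NS = "xri://$xrds"
XRD_NS = "xri://$xrd*($v*2.0)"
OPENID_NS = "http://openid.net/xmlns/1.0"                 # OpenID 1.1 Yadis namespace
OPENID2_SIGNON = "http://specs.openid.net/auth/2.0/signon"
XRI_AUTH_RES = "xri://$res*auth*($v*2.0)"

# Constructed sample, from the slide's XRD. The plain-HTTP endpoint is given the
# better (lower) priority, so naive selection would prefer it over HTTPS.
SAMPLE_XRDS = f"""<XRDS xmlns="{XRDS_NS}">
  <XRD xmlns="{XRD_NS}" xmlns:openid="{OPENID_NS}">
    <Query>*example</Query>
    <Expires>2005-05-30T09:30:10Z</Expires>
    <EquivID>xri://=example.name</EquivID>
    <CanonicalID>xri://=!7c4.58ff.7c9a.e285</CanonicalID>
    <Service priority="10">
      <Type>{XRI_AUTH_RES}</Type>
      <URI>http://res.example.com/=!7c4.58ff.7c9a.e285/</URI>
    </Service>
    <Service priority="10">
      <Type>http://openid.net/server/1.0</Type>
      <Type>{OPENID2_SIGNON}</Type>
      <Path>+openid</Path>
      <URI priority="10">http://authn.example.com/openid/</URI>
      <URI priority="20">https://secure-authn.example.com/openid/</URI>
      <openid:Delegate>http://example.com/bob</openid:Delegate>
    </Service>
  </XRD>
</XRDS>"""

# Constructed: the same i-name after being re-registered to someone else,
# so =example now resolves to a different i-number.
RECYCLED_XRDS = SAMPLE_XRDS.replace("=!7c4.58ff.7c9a.e285", "=!1234.5678.a1b2.c3d4")


def _q(ns, tag):
    return "{%s}%s" % (ns, tag)


def _priority(el):
    """XRI Resolution 2.0 ordering: lower number wins; no priority sorts last."""
    p = el.get("priority")
    return float(p) if p is not None else float("inf")


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_xrd(xml_text):
    """Return (canonical_id, expires, services) for the final XRD in the XRDS,
    which is the one describing the queried identifier. services is sorted by
    priority; equal priorities keep document order (the spec says pick at random)."""
    root = ET.fromstring(xml_text)
    xrds = root.findall(_q(XRD_NS, "XRD"))
    if not xrds:
        raise ValueError("no XRD element")
    xrd = xrds[-1]
    cid = xrd.findtext(_q(XRD_NS, "CanonicalID"))
    exp_text = xrd.findtext(_q(XRD_NS, "Expires"))
    expires = None
    if exp_text:
        expires = datetime.strptime(exp_text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    services = []
    for svc in xrd.findall(_q(XRD_NS, "Service")):
        uris = sorted(((_priority(u), u.text.strip()) for u in svc.findall(_q(XRD_NS, "URI"))),
                      key=lambda p: p[0])
        services.append({
            "priority": _priority(svc),
            "types": [t.text.strip() for t in svc.findall(_q(XRD_NS, "Type"))],
            "uris": [u for _, u in uris],
            "delegate": svc.findtext(_q(OPENID_NS, "Delegate")),
        })
    services.sort(key=lambda s: s["priority"])
    return cid, expires, services


def select_endpoint(services, service_type, require_https=False):
    """First URI of the best Service advertising service_type.
    With require_https, plain-HTTP URIs are skipped regardless of priority."""
    for svc in services:
        if service_type not in svc["types"]:
            continue
        for uri in svc["uris"]:
            if require_https and not uri.lower().startswith("https://"):
                continue
            return uri
    return None


class RelyingParty:
    """Accounts are keyed on the persistent CanonicalID, never on the typed i-name."""

    def __init__(self):
        self.accounts = {}            # CanonicalID -> account record

    def login(self, typed_identifier, xrds_text, now):
        cid, expires, services = parse_xrd(xrds_text)
        if not cid:
            raise ValueError("no CanonicalID: refuse to bind an account to a recyclable name")
        if expires is not None and now >= expires:
            raise ValueError("XRDS has expired; re-resolve before trusting it")
        endpoint = select_endpoint(services, OPENID2_SIGNON, require_https=True)
        if endpoint is None:
            raise ValueError("no HTTPS OpenID 2.0 endpoint advertised")
        account = self.accounts.setdefault(cid, {"first_seen_as": typed_identifier})
        return cid, endpoint, account


def demo():
    """Same typed i-name, two CanonicalIDs: the new holder of =example
    lands in a fresh account and cannot reach the original one."""
    rp = RelyingParty()
    cid1, _, acct1 = rp.login("=example", SAMPLE_XRDS, utc(2005, 5, 1))
    cid2, _, acct2 = rp.login("=example", RECYCLED_XRDS, utc(2005, 5, 1))
    return cid1 != cid2 and acct1 is not acct2 and len(rp.accounts) == 2
```

The `require_https` switch is the relying-party side of the "automatic secure resolution" point: the XRD may legitimately list an HTTP endpoint first for users without certificates, and it is the consumer that decides whether a plain-HTTP endpoint is acceptable for the session it is about to create.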

Page 29: What do OpenID, Higgins, I-Names, and XDI Have in Common?

Problem #3: Automatic secure resolution

- OpenID could not specify HTTPS resolution for all OpenID URLs: too many users do not have access to HTTPS certificates or infrastructure
- Thus the default had to be HTTP
- This forces users with HTTPS URLs to type the entire string, e.g., https://my.openid.identifier.tld

Page 30: What do OpenID, Higgins, I-Names, and XDI Have in Common?

Solution: XRI secure resolution

- As abstract identifiers, XRIs always map to concrete identifiers
- This mapping process, XRI resolution, offers three trusted modes: HTTPS, SAML (signed XRDs), or both
- So XRI i-names used as OpenIDs can use HTTPS resolution as the default, with no need for users to know or do anything

Page 31: What do OpenID, Higgins, I-Names, and XDI Have in Common?

XRI and XRDS are also building blocks for other identity solutions

- OAuth: XRDS discovery format
- Higgins Project: context discovery and resolution
- XDI.org XRI registries: i-name/i-number registries and resolution
- SAML and Information Cards: privacy-protected identifier claims

Page 32: What do OpenID, Higgins, I-Names, and XDI Have in Common?

What is the relationship of XRI and XRDS with other OASIS TCs and the IDtrust Member Section?

Page 33: What do OpenID, Higgins, I-Names, and XDI Have in Common?

XDI (XRI Data Interchange)

- The XDI controlled data sharing protocol is based entirely on XRIs
- A globally addressable RDF graph where the address of every node is an RDF statement structured as an XRI: subject-xri / predicate-xri / object-xri
- Enables a simple portable authorization format called XDI link contracts

Page 34: What do OpenID, Higgins, I-Names, and XDI Have in Common?

ORMS (Open Reputation Management Services)

- Newest TC in the OASIS IDtrust member section
- Will define neutral, vendor-independent specs for exchanging reputation data
- XRI and XDI TC members participating: XRI for durable subject identifiers, XDI for controlled data sharing

Page 35: What do OpenID, Higgins, I-Names, and XDI Have in Common?

PKI-Related TCs

- Digital Signature Services eXtended (DSS-X): advancing new profiles for the DSS OASIS Standard
- Enterprise Key Management Infrastructure (EKMI): defining symmetric key management protocols
- Public Key Infrastructure (PKI) Adoption: advancing the use of digital certificates as a foundation for managing access to network resources and conducting electronic transactions

Page 36: What do OpenID, Higgins, I-Names, and XDI Have in Common?

Conclusion

Abstract structured identifiers offer 3 key features for the Internet identity layer:

- Simple, safe, strong identifiers
- Simple, extensible, secure service discovery
- Interoperability between multiple identity protocols and frameworks

XRI and XRDS are building blocks everyone can use

Page 37: What do OpenID, Higgins, I-Names, and XDI Have in Common?

Contact us

Gabe Wachob, XRI TC Co-Chair: http://xri.net/=gmw, [email protected]
Drummond Reed, XRI TC Co-Chair: http://xri.net/=drummond.reed, [email protected]

Wikipedia: http://en.wikipedia.org/XRI, http://en.wikipedia.org/XRDS

Page 38: What do OpenID, Higgins, I-Names, and XDI Have in Common?

Learn through the IDtrust Knowledgebase of educational materials and background on the standards

Share news, events, presentations, white papers, product listings, opinions, questions, and recommendations through postings, blogs, forums, and directories.

Collaborate with others online through a wiki interface

http://idtrust.xml.org

Page 39: What do OpenID, Higgins, I-Names, and XDI Have in Common?

Q&A

Page 40: What do OpenID, Higgins, I-Names, and XDI Have in Common?

What is the relationship of XRI to URNs?

Uniform Resource Names are specified by IETF RFC 2141

They are persistent (non-recyclable) identifiers

XRI combines both URNs and HFNs (human-friendly names) in one syntax and resolution protocol

Page 41: What do OpenID, Higgins, I-Names, and XDI Have in Common?

What is the relationship of XRI to the Handle System?

- Handle is a persistent object identifier system developed by CNRI
- Specified in RFCs 3650, 3651, 3652
- Handle does not include HFNs or other structured identifier features of XRI
- Handle does not use XML or HTTP for resolution

Page 42: What do OpenID, Higgins, I-Names, and XDI Have in Common?

Does XRI introduce new Internet namespaces?

Yes. Although it can describe and reuse many types of existing identifiers, it also includes four formal namespaces at the XRI level of identification

= for personal identifiers

@ for organizational identifiers

+ for generic tags

$ for specific tags

Page 43: What do OpenID, Higgins, I-Names, and XDI Have in Common?

Does the XRI TC specify public registry services?

No, the scope of the XRI TC is limited to the technical specifications for XRI and specified XRIs (the $ space)

XDI.org, a member of the XRI TC, offers public XRI registry services

XDI.org is a completely separate non-profit organization

Page 44: What do OpenID, Higgins, I-Names, and XDI Have in Common?

What IPR applies to XRI and XRDS?

- The TC operates under the OASIS "RF on Limited Terms" mode (standard royalty-free terms)
- This has been mandatory from the TC's original charter
- XDI.org made the initial contribution of IPR for what was then called XNS when the TC was formed in 2003

Page 45: What do OpenID, Higgins, I-Names, and XDI Have in Common?

How does Higgins use XRI and XRDS?

- Higgins uses an abstract data model to access data in different contexts (distributed repositories)
- XRI is used for addressing contexts and entities within contexts
- XRDS is used to resolve the metadata a Higgins component needs to open a Higgins context

Page 46: What do OpenID, Higgins, I-Names, and XDI Have in Common?

What open source implementations of XRI and XRDS are available?

OpenXRI (Java) http://www.openxri.org

Barx (Ruby) http://xrisoft.org

MyXDI (C++) http://www.ootao.com