May 6, 2008
Gabe Wachob and Drummond Reed, XRI TC Co-Chairs

What do OpenID, Higgins, I-Names, and XDI Have in Common?
An OASIS Webinar on XRI and XRDS

OASIS XRI Technical Committee
Opened January 2003

Topics

What are XRI and XRDS?
Why have they become key building blocks of the Internet identity layer?
Case study: what specific problems did they help solve for OpenID 2.0?
What synergy do they have with other OASIS TCs and specifications?
OASIS Standard vote on XRI 2.0

What are XRI and XRDS?

XRI (Extensible Resource Identifier)

A new type of Internet identifier (URI) designed expressly for digital identity
An open standard for expressing and discovering abstract structured identifiers
  Abstract: identifiers that resolve to other identifiers
  Structured: identifiers that can contain self-describing “tags” – “XML for identifiers”

XRDS (Extensible Resource Descriptor Sequence)

A simple, extensible, XML-based service discovery format for any XRI- or URL-identifiable resource

The logical equivalent of a DNS resource record at the XRI layer of identification

The discovery format used by OpenID 2.0, OAuth, and Higgins

[Diagram labels. Abstract Identifier Layer: reassignable XRI “i-name(s)”, persistent XRI “i-number”, synonyms, XRDS document (twice), XRDS resolution. Concrete Identifier Layer: URI/IRI, domain name, IP address, local path/query, TN (telephone number), other concrete identifier types.]

Examples of XRI i-names

Human-friendly reassignable identifiers

=gmw
=用例
@boeing
@cordance*drummond
+flower
$xml

Examples of XRI i-numbers

Persistent identifiers (never reassigned)

=!7a42.cd93.40f4.18e5
=!7a42.cd93.40f4.18e5!283
@!b3a7.5537.9fea.31ec
+!3792
+!3792!14

Examples of XRI cross-references

Identifiers reused across contexts

=(mailto:[email protected])
=(http://equalsdrummond.name)
@(http://boeing.com)
@cordance*(urn:isbn:0-395-36341-1)
+flower*(http://en.wikipedia.org/rose)

Examples of XRIs transformed into URIs

XRI Syntax 2.0 defines a strict transformation of an XRI into an IRI and URI

xri://=drummond.reed
xri://=用例
xri://@!b3a7.5537.9fea.31ec!133
xri://=(mailto:[email protected])
xri://@cordance*(urn:isbn:0-395-36341-1)
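
The i-name, i-number and cross-reference forms on the preceding slides can be told apart mechanically, which matters when deciding whether an identifier is safe to bind an account to. The following is an added example, not part of the webinar slides or of any XRI library. The names parse_xri and is_persistent are hypothetical, and it covers only the authority part of an XRI (no path or query) with the global context symbols that appear in the slides' examples.

```python
GCS_CHARS = "=@+$"   # global context symbols that appear in the slides' examples

def parse_xri(xri):
    """Split an XRI authority into (gcs, [(delimiter, subsegment), ...]).

    '*' marks a reassignable subsegment (i-name), '!' a persistent one
    (i-number); a first subsegment with no delimiter is reassignable.
    Delimiters inside a (cross-reference) do not split it.
    """
    if xri.startswith("xri://"):
        xri = xri[len("xri://"):]
    if not xri or xri[0] not in GCS_CHARS:
        raise ValueError("XRI must start with a global context symbol")
    gcs, rest = xri[0], xri[1:]
    subsegs, delim, buf, depth = [], "*", "", 0
    for i, ch in enumerate(rest):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')'")
        if depth == 0 and ch in "*!":
            if buf:
                subsegs.append((delim, buf))
            elif i != 0:
                raise ValueError("empty subsegment")
            delim, buf = ch, ""
        else:
            buf += ch
    if depth != 0:
        raise ValueError("unbalanced '('")
    if buf:
        subsegs.append((delim, buf))
    elif rest:
        raise ValueError("empty subsegment")
    return gcs, subsegs

def is_persistent(xri):
    """True only if every subsegment is an i-number, so no part can be reassigned."""
    _, subsegs = parse_xri(xri)
    return bool(subsegs) and all(d == "!" for d, _ in subsegs)
```

An identifier such as @cordance*drummond is reported as reassignable because at least one subsegment is an i-name, while @!b3a7.5537.9fea.31ec!133 is persistent throughout.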

Example XRDS document

<XRDS xmlns="xri://$xrds">
  <XRD xmlns="xri://$xrd*($v*2.0)">
    <!-- Query and synonyms -->
    <Query>*example</Query>
    <Expires>2005-05-30T09:30:10Z</Expires>
    <ProviderID>xri://=</ProviderID>
    <CanonicalID>xri://=!7c4.58ff.7c9a.e285</CanonicalID>
    <!-- Service #1 -->
    <Service priority="10">
      <Type>xri://$res*auth*($v*2.0)</Type>
      <URI>http://res.example.com/=!7c4.58ff.7c9a.e285/</URI>
    </Service>
    <!-- Service #2 -->
    <Service priority="10">
      <Type>http://openid.net/openid/1.1</Type>
      <Type>http://openid.net/openid/2.0</Type>
      <Path>+openid</Path>
      <URI>http://authn.example.com/openid/</URI>
    </Service>
  </XRD>
</XRDS>

Why have XRI and XRDS become key building blocks of the Internet identity layer?

Not only did XRI and XRDS become an integral part of OpenID 2.0, but the XRI technical community has become an integral part of the OpenID community.

— Bill Washburn Executive Director, OpenID Foundation

XRI and XRDS have become essential elements of the Higgins Project. Without them, we couldn’t fully implement the abstract data model that is the heart of Higgins and the key to user-controlled identity and data sharing.

— Paul Trevithick Higgins Project Lead

Where are XRI and XRDS being used?

OpenID 2.0
OAuth Discovery
Higgins Project
XDI.org i-name/i-number registries
XDI data sharing

Case Study: the top 3 problems XRI/XRDS solved for OpenID 2.0

Extensible service discovery
OpenID recycling
Automatic secure resolution

What is OpenID?

An open community specification for user-centric Internet authentication
Based on the concept that users have their own globally-resolvable identifier and OpenID authentication service
Primary use case: eliminate the need for separate usernames and passwords for different websites

[Diagram labels: XRDS Document, Relying Party (RP), OpenID Provider (OP)]

Problem #1: Extensible service discovery

OpenID 2.0 needed to describe what versions an OpenID identifier supports
Also what OpenID extensions it supports (SREG, AX, PAPE, etc.)
And what other services may be available (e.g., OAuth, SAML, XDI)
It also needed redundant, prioritized OpenID provider endpoints

Solution: XRDS documents

Simple, standard discovery format
Can be hosted on any blog, web server, IdM system, etc.
Easily extensible using new URIs or XRIs to define service types
Can be extended with elements from any other namespace

<XRDS xmlns="xri://$xrds" xmlns:openid="http://openid.net/xmlns/1.0">
  <XRD xmlns="xri://$xrd*($v*2.0)">
    <Query>*example</Query>
    <Expires>2005-05-30T09:30:10Z</Expires>
    <ProviderID>xri://=</ProviderID>
    <CanonicalID>xri://=!7c4.58ff.7c9a.e285</CanonicalID>
    <Service>
      <Type>xri://$res*auth*($v*2.0)</Type>
      <URI>http://res.example.com/=!7c4.58ff.7c9a.e285/</URI>
    </Service>
    <Service priority="10">
      <Type>http://openid.net/openid/1.1</Type>
      <Type>http://openid.net/openid/2.0</Type>
      <Path>+openid</Path>
      <!-- Redundant provider endpoints -->
      <URI>http://authn.example.com/openid/</URI>
      <URI>https://secure-authn.example.com/openid/</URI>
      <!-- Extension element from another namespace -->
      <openid:Delegate>http://example.com/bob</openid:Delegate>
    </Service>
  </XRD>
</XRDS>

Problem #2: OpenID recycling

With usernames/passwords, usernames can be recycled
  The service provider controls the binding with the credential
With OpenID, that’s no longer true
  The user controls the binding to the credential!
Losing control of the identifier = losing control of the credential

Solution: persistent synonyms

Bind a recyclable OpenID identifier with a non-recyclable (persistent) identifier such as an XRI i-number
Authenticate based on the persistent i-number
Treat the recyclable identifier as only a temporary handle for the persistent synonym

<XRDS xmlns="xri://$xrds">
  <XRD xmlns="xri://$xrd*($v*2.0)">
    <Query>*example</Query>
    <Expires>2005-05-30T09:30:10Z</Expires>
    <ProviderID>xri://=</ProviderID>
    <!-- Persistent synonym (i-number) for the i-name being resolved -->
    <CanonicalID>xri://=!7c4.58ff.7c9a.e285</CanonicalID>
    <Service>
      <Type>xri://$res*auth*($v*2.0)</Type>
      <URI>http://res.example.com/=!1234.5678.a1b2.c3d4/</URI>
    </Service>
    <Service>
      <Type>http://openid.net/openid/1.1</Type>
      <Type>http://openid.net/openid/2.0</Type>
      <Path>+openid</Path>
      <URI>http://authn.example.com/openid/</URI>
    </Service>
  </XRD>
</XRDS>
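
How a relying party might use such a document for both problems so far: pick OpenID endpoints in priority order (Problem #1) and key the account on the CanonicalID instead of the i-name (Problem #2). This is an added example, not code from the slides or from any OpenID library. The function names, the sample XRDS and the account table are constructed for illustration, and it assumes the XRDS was obtained through trusted resolution with the CanonicalID already verified.

```python
import xml.etree.ElementTree as ET

XRD = "{xri://$xrd*($v*2.0)}"               # XRD 2.0 namespace, ElementTree form
OPENID2 = "http://openid.net/openid/2.0"    # service Type shown on the slides

def make_xrds(canonical_id):
    """Constructed sample XRDS for the i-name =example (not real resolver output)."""
    return f"""<XRDS xmlns="xri://$xrds"><XRD xmlns="xri://$xrd*($v*2.0)">
  <Query>*example</Query>
  <CanonicalID>{canonical_id}</CanonicalID>
  <Service priority="20"><Type>{OPENID2}</Type>
    <URI>http://authn.example.com/openid/</URI></Service>
  <Service priority="10"><Type>{OPENID2}</Type>
    <URI>https://secure-authn.example.com/openid/</URI></Service>
</XRD></XRDS>"""

def _prio(el):
    # Lower number means higher priority; a missing attribute sorts last.
    p = el.get("priority")
    return int(p) if p is not None else float("inf")

def discover(xrds_text, service_type=OPENID2):
    """Return (CanonicalID, endpoint URIs in priority order) from fetched XRDS."""
    if "<!DOCTYPE" in xrds_text or "<!ENTITY" in xrds_text:
        raise ValueError("DTDs are refused in XRDS fetched from the network")
    xrd = ET.fromstring(xrds_text).findall(XRD + "XRD")[-1]  # last XRD is the final one
    uris = []
    for svc in sorted(xrd.findall(XRD + "Service"), key=_prio):
        if service_type in [t.text for t in svc.findall(XRD + "Type")]:
            uris += [u.text.strip() for u in sorted(svc.findall(XRD + "URI"), key=_prio)]
    return xrd.findtext(XRD + "CanonicalID"), uris

def login(accounts, xrds_text):
    """Look the account up by the persistent CanonicalID, never by the i-name."""
    canonical_id, _ = discover(xrds_text)
    if not canonical_id:
        raise ValueError("no CanonicalID, so nothing persistent to bind to")
    return accounts.get(canonical_id)

# Constructed scenario: =example belongs to alice, then lapses and is reassigned.
ACCOUNTS = {"xri://=!7c4.58ff.7c9a.e285": "alice"}
BEFORE = make_xrds("xri://=!7c4.58ff.7c9a.e285")
AFTER = make_xrds("xri://=!1234.5678.a1b2.c3d4")   # same i-name, different i-number

if __name__ == "__main__":
    print(discover(BEFORE))
    print(login(ACCOUNTS, BEFORE), login(ACCOUNTS, AFTER))
```

After the i-name is reassigned, the same Query resolves to a different CanonicalID, so the new registrant does not reach alice's account.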

Problem #3: Automatic secure resolution

OpenID could not specify HTTPS resolution for all OpenID URLs
  Too many users do not have access to HTTPS certs or infrastructure
  Thus the default had to be HTTP
This forces users with HTTPS URLs to type the entire string, e.g., https://my.openid.identifier.tld

Solution: XRI secure resolution

As abstract identifiers, XRIs always map to concrete identifiers
This mapping process - XRI resolution - offers three trusted modes: HTTPS, SAML, or both
So XRI i-names used as OpenIDs can use HTTPS resolution as the default
No need for users to know/do anything

XRI and XRDS are also building blocks for other identity solutions

OAuth
  XRDS discovery format
Higgins Project
  Context discovery and resolution
XDI.org XRI registries
  i-name/i-number registries & resolution
SAML and Information Cards
  Privacy-protected identifier claims

Synergy with Other OASIS TCs

XDI (XRI Data Interchange)

The XDI controlled data sharing protocol is based entirely on XRI
A globally addressable RDF graph where the address of every node is an RDF statement structured as an XRI
  subject-xri / predicate-xri / object-xri
Enables a simple portable authorization format called XDI link contracts

ORMS (Open Reputation Management Services)

Newest TC in the OASIS IDtrust member section

Will define neutral, vendor-independent system for exchanging reputation data

XRI and XDI TC members participating
  XRI for durable subject identifiers
  XDI for controlled data sharing

Other TCs in the IDtrust Member Section

Digital Signature Services eXtended (DSS-X)
  Advancing new profiles for the DSS OASIS Standard
Enterprise Key Management Infrastructure (EKMI)
  Defining symmetric key management protocols
Public Key Infrastructure (PKI) Adoption
  Advancing the use of digital certificates as a foundation for managing access to network resources and conducting electronic transactions

The OASIS Standard Vote on XRI 2.0

Specifications

XRI Syntax 2.0
  Explicit syntax for reassignable and persistent identifiers
  Global context symbols
  Cross-references for identifier reuse across domains
  Flexible delegation at all levels of hierarchy
  Lossless transformation into IRI and URI forms

XRI Resolution 2.0
  HTTP(S)-based resolution protocol
  XRDS: simple XML discovery document format
  Synonym management and verification
  Service endpoint selection logic
  Redirect and Ref processing

Conclusion

OpenID, OAuth, Higgins, i-names, XDI are just the start of what can now be built on XRI and XRDS

The OASIS XRI TC and IDtrust Member Section look forward to developing more key building blocks of the Internet identity layer

Contact us

Gabe Wachob, XRI TC Co-Chair
http://xri.net/=gmw
[email protected]

Drummond Reed, XRI TC Co-Chair
http://xri.net/=drummond.reed
[email protected]

Wikipedia
http://en.wikipedia.org/xri
http://en.wikipedia.org/xrds

Learn through the IDtrust Knowledgebase of educational materials and background on the standards

Share news, events, presentations, white papers, product listings, opinions, questions, and recommendations through postings, blogs, forums, and directories.

Collaborate with others online through a wiki interface

http://idtrust.xml.org

