1 / 46

What do OpenID, Higgins, I-Names, and XDI Have in Common?

What do OpenID, Higgins, I-Names, and XDI Have in Common?. An OASIS Webinar on XRI and XRDS. May 6, 2008. What do OpenID, Higgins, i-names, and XDI have in common? They all use two new OASIS technologies you may not even have heard of yet.

bethan
Télécharger la présentation

What do OpenID, Higgins, I-Names, and XDI Have in Common?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. What do OpenID, Higgins, I-Names, and XDI Have in Common? An OASIS Webinar on XRI and XRDS May 6, 2008

  2. What doOpenID, Higgins, i-names, and XDI have in common? They all use two new OASIS technologies you may not even have heard of yet. How did these specifications already become key building blocks of the Internet identity layer? What problems do they solve? Where do they fit with the work of other OASIS Technical Committees? That’s what we’ll cover today...

  3. OASIS XRI Technical Committee Formed January 2003

  4. XRI (Extensible Resource Identifier) • A new type of Internet identifier (URI) designed expressly for digital identity • An open standard for abstractstructured identifiers • Abstract, i.e., identifiers upon which discovery can be performed • Structured, i.e., a syntactic framework for expressing identifiers – “XML for identifiers”

  5. XRDS (Extensible Resource Descriptor Sequence) • A simple, extensible service discovery format for XRIs or URLs • The logical equivalent of a DNS resource record at the XRI layer of identification • The discovery format used by OpenID 2.0, OAuth, and Higgins

  6. Synonyms AbstractIdentifierLayer ReassignableXRI “i-names” PersistentXRI “i-numbers” XRDSDocu-ment XRDSResolution Domain Name TN(Tele-phoneNumber) Otherconcreteidentifiertypes ConcreteIdentifierLayer IP Address Local Path/Query URI/IRI

  7. Examples of XRI i-names • Human-friendly reassignable identifiers =gmw =用例 @boeing @cordance*drummond.reed +flower $xml

  8. Examples of XRI i-numbers • Persistent identifiers (never reassigned) =!7a42.cd93.40f4.18e5 =!7a42.cd93.40f4.18e5!283 @!b3a7.5537.9fea.31ec +!3792 +!3792!14

  9. Examples of XRI cross-references • Identifiers reused across contexts =(mailto:gabe.wachob@gmail.com) =(http://equalsdrummond.name) @(http://boeing.com) @cordance*(urn:isbn:0-395-36341-1) +flower*(http://en.wikipedia.org/rose)

  10. Examples of XRIs transformed into URIs • XRI Syntax 2.0 defines a strict trans-formation of an XRI into an IRI and URI xri://=drummond.reed xri://=%E7%94%A8%E4%BE%8B xri://@!b3a7.5537.9fea.31ec!133 xri://=(mailto:gabe.wachob@gmail.com) xri://@cordance*(urn:isbn:0-395-36341-1)

  11. Example XRDS document <XRDS xmlns=“xri://$xrds”> <XRD xmlns=“xri://$xrd*($v*2.0)”> <Query>*example</Query> <Expires>2005-05-30T09:30:10Z</Expires> <ProviderID>xri://=</ProviderID> <EquivID>xri://=example.name</EquivID> <CanonicalID>xri://=!7c4.58ff.7c9a.e285</CanonicalID> <Service priority=“10”> <Type>xri://$res*auth*($v*2.0)</Type> <URI>http://res.example.com/=!7c4.58ff.7c9a.e285/</URI></Service> <Service priority=“10”> <Type>http://openid.net/server/1.0</Type> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Path>+openid</Path> <URI>http://authn.example.com/openid/</URI> </Service> </XRD> </XRDS> Query and synonyms Service #1 Service #2

  12. XRI Syntax 2.0 Explicit syntax for reassignable and persistent identifiers Global context symbols Cross-references for identifier reuse across contexts Flexible delegation at all levels of hierarchy Lossless transformation into IRI and URI forms XRI Resolution 2.0 HTTP(S)-based resolution protocol XRDS: simple XML discovery document format Synonym management and verification Service endpoint selection logic Redirect and Ref processing The XRI 2.0 specifications

  13. Why have XRI and XRDS already become key building blocks of the Internet identity layer?

  14. Not only have XRI and XRDS become an integral part of OpenID 2.0, but the XRI technical community is now a strong part of the OpenID community. — Bill Washburn Executive Director, OpenID Foundation

  15. XRI and XRDS have become essential elements of the Higgins Project. Without them, we couldn’t fully implement the abstract data model that is the heart of Higgins and the key to user-controlled identity and data sharing. — Paul Trevithick Higgins Project Lead

  16. Where are XRI and XRDS being used today? • OpenID 2.0 • OAuth Discovery • Higgins Project • XDI.org i-name/i-number registries • XDI data sharing

  17. Case Study: the top 3 problems XRI/XRDS solved for OpenID 2.0 • Extensible service discovery • OpenID recycling • Automatic secure resolution http://middleware.internet2.edu/idtrust/2008/papers/01-reed-openid-xri-xrds.pdf

  18. What is OpenID? • An open community specification for user-centric Internet authentication • Based on the concept that users can have their own globally-resolvable identifiers and OpenID authentication providers • Primary use case: eliminate the need for different usernames and passwords at every website

  19. 3 2 XRDSDocument 4 5 1 Relying Party(RP) OpenID Provider(OP) Discovery =drummond.reed User

  20. Problem #1:Extensible service discovery • OpenID 2.0 need to describe what versions an OpenID identifier supports • Also what OpenID extensions it supports (SREG, AX, PAPE, etc.) • And what other services may be available (e.g., OAuth, SAML, XDI) • And it needed redundant, prioritized OpenID provider endpoint URLs

  21. Solution: XRDS documents • Simple, standard discovery format • Can be hosted on any blog, web server, IdM system, etc. • Easily extensible using new URIs or XRIs to define service types • Can be extended with elements from any other namespace

  22. <XRDS xmlns=“xri://$xrds”> <XRD xmlns=“xri://$xrd*($v*2.0)”> <Query>*example</Query> <Expires>2005-05-30T09:30:10Z</Expires> <ProviderID>xri://=</ProviderID> <CanonicalID>xri://=!7c4.58ff.7c9a.e285</CanonicalID> <Service> <Type>xri://$res*auth*($v*2.0)</Type> <URI>http://res.example.com/=! 7c4.58ff.7c9a.e285/</URI></Service> <Service priority=“10”><Type>http://openid.net/server/1.0</Type> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Path>+openid</Path> <URI>http://authn.example.com/openid/</URI> <URI>https://secure-authn.example.com/openid/</URI> <openid:delegate>http://example.com/bob</openid:delegate> </Service> </XRD> </XRDS>

  23. Problem #2:OpenID recycling • With usernames/passwords, usernames can be recycled • The service provider controls the binding with the credential • With OpenID, that’s no longer true • The user controls the binding to the credential! • Losing control of the identifier = losing control of the credential

  24. Solution: persistent synonyms • Bind a recyclable OpenID identifier with a non-recyclable (persistent) identifier, e.g., an XRI i-number • Always authenticate based on the persistent i-number • Treat the recyclable identifier as only a temporary handle for the i-number • The user always stays protected

  25. <XRDS xmlns=“xri://$xrds”> <XRD xmlns=“xri://$xrd*($v*2.0)”> <Query>*example</Query> <Expires>2005-05-30T09:30:10Z</Expires> <ProviderID>xri://=</ProviderID> <CanonicalID>xri://=!7c4.58ff.7c9a.e285</CanonicalID> <Service> <Type>xri://$res*auth*($v*2.0)</Type> <URI>http://res.example.com/=!1234.5678.a1b2.c3d4/</URI></Service> <Service> <Type>http://openid.net/openid/1.1</Type> <Type>http://openid.net/openid/2.0</Type> <Path>+openid</Path> <URI>http://authn.example.com/openid/</URI> </Service> </XRD> </XRDS>

  26. Problem #3:Automatic secure resolution • OpenID could not specify HTTPS resolution for all OpenID URLs • Too many users do not have access to HTTPS certs or infrastructure • Thus the default had to be HTTP • This forces users with HTTPS URLs to type the entire string, e.g.,https://my.openid.identifier.tld

  27. Solution:XRI secure resolution • As abstract identifiers, XRIs always map to concrete identifiers • This mapping process - XRI resolution - offers three trusted modes: • HTTPS, SAML, or both • So XRI i-names used as OpenIDs can use HTTPS resolution as the default • No need for users to know/do anything

  28. XRI and XRDS are also building blocks for other identity solutions • OAuth • XRDS discovery format • Higgins Project • Context discovery and resolution • XDI.org XRI registries • i-name/i-number registries & resolution • SAML and Information Cards • Privacy-protected identifier claims

  29. What is the relationship of XRI and XRDS with other OASIS TCs and the IDtrust Member Section?

  30. XDI (XRI Data Interchange) • The XDI controlled data sharing protocol is based entirely on XRIs • A globally addressable RDF graph where the address of every node is an RDF statement structured as an XRI subject-xri / predicate-xri / object-xri • Enables a simple portable authorization format called XDI link contracts

  31. ORMS (Open Reputation Management Services) • Newest TC in the OASIS IDtrust member section • Will define neutral, vendor-independent specs for exchanging reputation data • XRI and XDI TC members participating • XRI for durable subject identifiers • XDI for controlled data sharing

  32. PKI-Related TCs • Digital Signature Services eXtended (DSS-X)Advancing new profiles for the DSS OASIS Standard • Enterprise Key Management Infrastructure (EKMI)Defining symmetric key management protocols • Public Key Infrastructure (PKI) AdoptionAdvancing the use of digital certificates as a foundation for managing access to network resources and conducting electronic transactions

  33. Conclusion • Abstract structured identifiers offer 3 key features for the Internet identity layer • Simple, safe, strong identifiers • Simple, extensible, secure service discovery • Interoperability between multiple identity protocols and frameworks • XRI and XRDS are building blocks everyone can use

  34. Contact us • Gabe Wachob, XRI TC Co-Chair • http://xri.net/=gmw • gabe.wachob@wachob.com • Drummond Reed, XRI TC Co-Chair • http://xri.net/=drummond.reed • drummond.reed@cordance.net • Wikipedia • http://en.wikipedia.org/XRI • http://en.wikipedia.org/XRDS

  35. Learn through the IDtrust Knowledgebase of educational materials and background on the standards • Share news, events, presentations, white papers, product listings, opinions, questions, and recommendations through postings, blogs, forums, and directories. • Collaborate with others online through a wiki interface http://idtrust.xml.org

  36. Q&A

  37. What is the relationship of XRI to URNs? • Uniform Resource Names are specified by IETF RFC 2141 • They are persistent (non-recyclable) identifiers • XRI combines both URNs and HFNs (human-friendly names) in one syntax and resolution protocol

  38. What is the relationship of XRI to the Handle System? • Handle is a persistent object identifier system developed by CNRI • Specified in RFCs 3650, 3651, 3652 • Handle does not include HFNs or other structured identifier features of XRI • Handle does not use XML or HTTP for resolution

  39. Does XRI introduce new Internet namespaces? • Yes. Although it can describe and reuse many types of existing identifiers, it also includes four formal namespaces at the XRI level of identification = for personal identifiers @ for organizational identifiers + for generic tags $ for specific tags

  40. Does the XRI TC specify public registry services? • No, the scope of the XRI TC is limited to the technical specifications for XRI and specified XRIs (the $ space) • XDI.org, a member of the XRI TC, offers public XRI registry services • XDI.org is a completely separate non-profit organization

  41. What IPR applies to XRI and XRDS? • The TC operates under the OASIS “RF on Limited Terms” mode (standard royalty-free terms) • This has been mandatory from the TC’s original charter • XDI.org made the initial contribution of IPR for what was then called XNS when the TC was formed in 2003

  42. How does Higgins use XRI and XRDS? • Higgins uses an abstract data model to access data in different contexts (distributed repositories) • XRI is used for addressing contexts and entities within contexts • XRDS is used to resolve the metadata a Higgins component needs to open a Higgins context

  43. What open source implementions of XRI and XRDS are available? • OpenXRI (Java) • http://www.openxri.org • Barx (Ruby) • http://xrisoft.org • MyXDI (C++) • http://www.ootao.com

More Related