OASIS Webinar, May 6, 2008 Gabe Wachob, XRI TC Co-Chair Drummond Reed, XRI TC Co-Chair XRI and XRDS: Key Building Blocks of the Internet Identity Layer.


OASIS XRI Technical Committee Started January 2003

Topics
• What are XRI and XRDS?
• Why have they become key building blocks of the Internet identity layer?
• What synergy do they have with other OASIS TCs and specifications?
• OASIS Standard vote on XRI 2.0

What are XRI and XRDS?

XRI and XRDS have become essential elements of the Higgins Project. Without them, we couldn’t fully implement the abstract data model that is the heart of Higgins and the key to user-controlled identity and data sharing. -- Paul Trevithick, Higgins Project Lead

What is XRI (Extensible Resource Identifier)?
• A new type of Internet identifier (URI) designed expressly for digital identity
• An open standard language for abstract structured identifiers
  ◦ Abstract: identifiers that resolve to other identifiers
  ◦ Structured: identifiers containing self-describing “tags” – “XML for identifiers”

What is XRDS (Extensible Resource Descriptor Sequence)?
• A simple, extensible XML document format for service discovery for any XRI- or URL-identifiable resource
• The logical equivalent of a DNS resource record at the XRI layer of identification
• The discovery format adopted for OpenID 2.0, OAuth, and Higgins

[Diagram: identifier layers. XRI layer: reassignable “i-name(s)”, persistent “i-number”, synonyms, XRDS document, XRDS resolution. Concrete identifier layer: URI/IRI, domain name, IP address, local path/query, TN (telephone number), other concrete identifier types.]

Examples of XRI i-names
• Human-friendly reassignable identifiers: +flower, $xml

Examples of XRI i-numbers
• Persistent identifiers (never reassigned): +!3792, +!3792!14

Examples of XRI cross-references
• Identifiers reused across contexts: +flower*(

Examples of XRIs transformed into URIs
• XRI Syntax 2.0 defines a strict transformation of an XRI into an IRI and URI: xri://=drummond.reed

[Slide: Example XRDS document. Only fragments survived extraction: *example, T09:30:10Z, xri://=, xri://=!7c4.58ff.7c9a.e285, xri://$res*auth*($v*2.0), openid; the slide’s callouts read “Query and synonyms”, “Service #1”, “Service #2”.]

XRI, XRDS, and the emerging Internet identity layer

Where are XRI and XRDS being used?
• OpenID 2.0
• OAuth Discovery
• Higgins Project
• XDI.org i-name/i-number registries
• XDI data sharing

Case Study: the top 3 problems XRI/XRDS solved for OpenID 2.0
• Extensible service discovery
• OpenID recycling
• Automatic secure resolution

What is OpenID?
• An open community specification for user-centric Internet authentication
  ◦ Based on the concept that users have their own globally-resolvable identifier and OpenID authentication service
• Primary use case: eliminate the need for separate usernames and passwords for different websites

[Diagram: OpenID flow between the Relying Party (RP), the OpenID Provider (OP) and the XRDS document.]

Problem #1: Extensible service discovery
• Describe what versions of OpenID an OpenID identifier supports
• Describe what OpenID extensions it supports (SREG, AX, PAPE, etc.)
• Describe what other services may be available (e.g., OAuth, SAML, XDI)
• Enable redundant, prioritized OpenID provider endpoints

Solution: XRDS documents
• Simple, standard discovery format
• Can be hosted on any blog, web server, IdM system, etc.
• Easily extensible using new URIs or XRIs to define service types
• Can be extended with elements from any other namespace
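To make the discovery step concrete, here is an added example (not code from the webinar or from any OASIS or OpenID project) that parses a constructed XRDS document and performs the kind of selection a relying party does: pick the endpoints for one service type in priority order, list the extensions advertised alongside it, and pull out the CanonicalID. The XRDS/XRD namespace URIs and the OpenID 2.0 service-type URIs are taken from those specifications rather than from the slides; the endpoint URLs, the full Expires timestamp and the priority values are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Namespace URIs defined by the XRDS and XRD 2.0 specifications (not from the slides).
NS = {"xrds": "xri://$xrds", "xrd": "xri://$xrd*($v*2.0)"}

# Service-type URIs from the OpenID 2.0 specification and the Attribute Exchange extension.
OPENID2_SIGNON = "http://specs.openid.net/auth/2.0/signon"
OPENID_AX = "http://openid.net/srv/ax/1.0"

# Constructed sample XRDS for an OpenID identifier. Two OpenID 2.0 endpoints are given with
# explicit priorities; a legacy OpenID 1.1 endpoint has none. Endpoint hosts are placeholders.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Query>*example</Query>
    <Status code="100"/>
    <Expires>2008-05-06T09:30:10Z</Expires>
    <CanonicalID>xri://=!7c4.58ff.7c9a.e285</CanonicalID>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <URI>https://openid.example.org/server</URI>
    </Service>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://backup.example.org/server</URI>
    </Service>
    <Service>
      <Type>http://openid.net/signon/1.1</Type>
      <URI>http://legacy.example.org/server</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def parse_xrds(text):
    """Parse an XRDS document; return the final XRD's CanonicalID and its Service elements."""
    root = ET.fromstring(text)
    xrds = root.findall("xrd:XRD", NS)
    if not xrds:
        raise ValueError("XRDS document contains no XRD element")
    xrd = xrds[-1]  # in a resolution chain, the last XRD describes the resolved resource
    canonical_id = xrd.findtext("xrd:CanonicalID", default=None, namespaces=NS)
    services = []
    for svc in xrd.findall("xrd:Service", NS):
        prio = svc.get("priority")
        services.append({
            "priority": int(prio) if prio is not None else None,
            "types": [t.text.strip() for t in svc.findall("xrd:Type", NS) if t.text],
            "uris": [u.text.strip() for u in svc.findall("xrd:URI", NS) if u.text],
        })
    return {"canonical_id": canonical_id, "services": services}


def select_endpoints(xrds, service_type):
    """Endpoint URIs for one service type, lowest priority number first.

    XRI Resolution 2.0 treats a Service without a priority attribute as lowest priority,
    so those sort after every numbered one.
    """
    matching = [s for s in xrds["services"] if service_type in s["types"]]
    matching.sort(key=lambda s: (s["priority"] is None, s["priority"] or 0))
    return [uri for s in matching for uri in s["uris"]]


def discover_openid(text):
    """What a relying party needs from discovery: persistent ID, OP endpoints, extensions."""
    xrds = parse_xrds(text)
    extensions = {
        t for s in xrds["services"] if OPENID2_SIGNON in s["types"]
        for t in s["types"] if t != OPENID2_SIGNON
    }
    return {
        "canonical_id": xrds["canonical_id"],
        "endpoints": select_endpoints(xrds, OPENID2_SIGNON),
        "extensions": sorted(extensions),
    }


if __name__ == "__main__":
    print(discover_openid(SAMPLE_XRDS))
```

The relying party tries the returned endpoints in order, which is how the "redundant, prioritized OpenID provider endpoints" item above is realised: a second Service with the same Type and a larger priority number is the fallback. Adding a new service (OAuth, SAML, XDI) is just another Service element with its own Type URI, which the parser already handles without modification.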

[Slide: the example XRDS document again, annotated for service discovery. Surviving fragments: *example, T09:30:10Z, xri://=, xri://=!7c4.58ff.7c9a.e285, xri://$res*auth*($v*2.0), 7c4.58ff.7c9a.e285/, +openid.]

Problem #2: OpenID recycling
• With usernames/passwords, usernames can be recycled
  ◦ The service provider controls the binding with the credential
• With OpenID, that’s no longer true
  ◦ The user controls the binding to the credential
  ◦ Losing control of the identifier = losing control of the credential

Solution: persistent synonyms
• Bind a recyclable OpenID identifier with a non-recyclable (persistent) identifier – an XRI i-number
• Authenticate based on the persistent i-number
• Treat the recyclable identifier as only a temporary handle for the persistent synonym
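The following added example (not code from the webinar, from OpenID, or from any XRI project) shows the difference the persistent synonym makes on the relying-party side. Two account stores are compared: one keyed on the identifier the user typed, one keyed on the i-number returned as the CanonicalID. The resolution results are embedded as plain dictionaries so the example runs offline; the pairing of =drummond.reed with the i-number from the slides, and the second i-number that stands in for a new registrant after the i-name is recycled, are constructed for the example. A real relying party obtains the CanonicalID from XRDS discovery and, as OpenID 2.0 requires, verifies it rather than trusting whatever the document asserts.

```python
# Constructed resolution results: claimed (typed) identifier -> CanonicalID from its XRDS.
# The i-number below appears in the webinar's example XRDS; its pairing with the i-name is constructed.
RESOLVED_BEFORE = {"=drummond.reed": "xri://=!7c4.58ff.7c9a.e285"}
# Later the i-name has lapsed and been re-registered by someone else, who gets a different
# i-number (constructed value). The i-name looks identical to the relying party.
RESOLVED_AFTER = {"=drummond.reed": "xri://=!9999.0000.aaaa.bbbb"}


class RelyingParty:
    """Minimal account store for an OpenID relying party.

    bind_to_canonical_id=False reproduces the recycling problem: accounts live under the
    reassignable i-name. bind_to_canonical_id=True applies the slide's solution: the
    i-name is only a handle, and the account lives under the persistent i-number.
    """

    def __init__(self, bind_to_canonical_id):
        self.bind_to_canonical_id = bind_to_canonical_id
        self.accounts = {}  # account key -> record

    def account_key(self, claimed_id, resolved):
        """Choose the key an account is stored under for this login."""
        if not self.bind_to_canonical_id:
            return claimed_id  # recyclable handle: whoever holds the name now gets the account
        canonical_id = resolved.get(claimed_id)
        if canonical_id is None:
            # No persistent synonym available: refuse rather than fall back to the recyclable name.
            raise ValueError("no CanonicalID resolved for %s" % claimed_id)
        return canonical_id

    def login(self, claimed_id, resolved):
        """Record a login (authentication itself is assumed to have succeeded upstream)."""
        key = self.account_key(claimed_id, resolved)
        record = self.accounts.setdefault(key, {"first_seen_as": claimed_id, "logins": 0})
        record["logins"] += 1
        return key


def recycling_scenario(bind_to_canonical_id):
    """True if the new holder of a recycled i-name lands in the original holder's account."""
    rp = RelyingParty(bind_to_canonical_id)
    original_key = rp.login("=drummond.reed", RESOLVED_BEFORE)   # original registrant
    new_holder_key = rp.login("=drummond.reed", RESOLVED_AFTER)  # same i-name, new registrant
    return original_key == new_holder_key


def account_count(bind_to_canonical_id):
    """How many distinct accounts the two logins above produce."""
    rp = RelyingParty(bind_to_canonical_id)
    rp.login("=drummond.reed", RESOLVED_BEFORE)
    rp.login("=drummond.reed", RESOLVED_AFTER)
    return len(rp.accounts)


if __name__ == "__main__":
    print("keyed on i-name:   new holder inherits old account?", recycling_scenario(False))
    print("keyed on i-number: new holder inherits old account?", recycling_scenario(True))
```

Keyed on the i-name, the second login silently takes over the first registrant's account; keyed on the i-number, the second login creates a fresh account and the original one remains bound to the i-number that was never reassigned. The refusal in `account_key` when no CanonicalID is available is deliberate: falling back to the recyclable name would quietly reintroduce the problem for exactly the identifiers that lack a persistent synonym.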

[Slide: the example XRDS document again, annotated to show the persistent synonym. Surviving fragments: *example, T09:30:10Z, xri://=, xri://=!7c4.58ff.7c9a.e285, xri://$res*auth*($v*2.0), openid.]

Problem #3: Automatic secure resolution
• OpenID could not specify HTTPS resolution for all OpenID URLs
  ◦ Too many users do not have access to HTTPS certs or infrastructure
  ◦ Thus the default had to be HTTP
  ◦ This forces users with HTTPS URLs to have to type the entire string, e.g.,

Solution: XRI secure resolution
• As abstract identifiers, XRIs always map to concrete identifiers
• This mapping process (XRI resolution) offers three trusted modes:
  ◦ HTTPS, SAML, or both
• Thus all XRI i-names can use HTTPS resolution as the default
  ◦ No need for users to know/do anything

XRI and XRDS are also building blocks for other identity solutions
• OAuth
  ◦ XRDS discovery format
• Higgins Project
  ◦ Context discovery and resolution
• XDI.org XRI registries
  ◦ i-name/i-number registries & resolution
• SAML and Information Cards
  ◦ Privacy-protected identifier claims

Synergy with Other OASIS TCs

XDI (XRI Data Interchange)
• The XDI controlled data sharing protocol is based entirely on XRI
  ◦ A globally addressable RDF graph where the address of every node is an RDF statement structured as an XRI subject-xri / predicate-xri / object-xri
  ◦ Enables a simple portable authorization format called XDI link contracts

ORMS (Open Reputation Management Services)
• New OASIS TC in the IDtrust member section
• Will define a neutral, vendor-independent system for exchanging reputation data
• XRI and XDI TC members participating
  ◦ XRI for durable subject identifiers
  ◦ XDI for controlled data sharing

Other TCs in the IDtrust Member Section
• Digital Signature Services eXtended (DSS-X): advancing new profiles for the DSS OASIS Standard
• Enterprise Key Management Infrastructure (EKMI): defining symmetric key management protocols
• Public Key Infrastructure (PKI) Adoption: advancing the use of digital certificates as a foundation for managing access to network resources and conducting electronic transactions

The OASIS Standard Vote on XRI 2.0

Specifications
• XRI Syntax 2.0
  ◦ Explicit syntax for reassignable and persistent identifiers
  ◦ Global context symbols
  ◦ Cross-references for identifier reuse across domains
  ◦ Flexible delegation at all levels of hierarchy
  ◦ Lossless transformation into IRI and URI forms
• XRI Resolution 2.0
  ◦ HTTP(S)-based resolution protocol
  ◦ XRDS simple XML discovery document format
  ◦ Synonym management and verification
  ◦ Service endpoint selection logic
  ◦ Redirect and Ref processing

Conclusion
• Five years and several thousand man-hours have gone into XRI and XRDS
• That’s what it takes to create a solid foundation for the Internet identity layer
• OpenID, OAuth, Higgins, i-names, XDI are still just the start
• Please support this effort with your OASIS Standard vote on XRI 2.0

Contact us
• Drummond Reed, XRI TC Co-Chair
• Gabe Wachob, XRI TC Co-Chair
• Wikipedia

• Learn through the IDtrust Knowledgebase of educational materials and background on the standards
• Share news, events, presentations, white papers, product listings, opinions, questions, and recommendations through postings, blogs, forums, and directories
• Collaborate with others online through a wiki interface