Overview of XRI, XDI, I-Names, and OpenID Collaborative Expedition Workshop: Exploring the Potentials and Realities of the Identity Management Landscape.


Overview of XRI, XDI, I-Names, and OpenID Collaborative Expedition Workshop: Exploring the Potentials and Realities of the Identity Management Landscape February 27, 2007 at the National Science Foundation (Arlington, Virginia, USA)

2 Our Panel on: XRI, XDI, I-Names & OpenID
Drummond Reed (Cordance)
Les Chasen (Neustar)
Andy Dale (ooTao)
Owen Davis (Linksafe)
David Recordon (Verisign)
Moderator: Peter Yim (CIM3)

3 Four topics
OpenID.net: An open community specification for Internet identity and Web authentication based on URLs/XRIs (OpenID)
XDI.org: An open public XRI registry infrastructure based on XRI and XDI (I-Names)
OASIS XDI Technical Committee: An open standard data interchange schema and protocol based on XRI (XDI)
OASIS XRI Technical Committee: An open standard language for interoperable digital identifiers (XRI)

Part One: XRI (Extensible Resource Identifier)

5 XRI Technical Committee

6 The primary goals of XRI
Develop a language for digital identifiers that can be used across all contexts and protocols
  – Do for identifiers what XML has done for data
Provide a machine-readable dictionary of XRI identifiers that can be used to describe other identifiers of all types (identifier metadata)
Enable standardized infrastructure for both reassignable and persistent XRIs

7 [Layer diagram. Labels: XRI Layer; Reassignable “i-name(s)”; Persistent “i-number”; XRI Resolution; XRDS Document; URI/IRI Layer; Domain Name; IP Address; Local Path/Query]

8 Example XRIs (in XRI-normal form) $dns* i-name i-number

9 XRI resolution
The goal was a simple, easily-deployed infrastructure for resolving XRIs to URIs much like resolving DNS names to IP addresses
The solution was to use HTTP(S) and a very simple XML document format called XRDS (Extensible Resource Descriptor Sequence)
The open source OpenXRI (openxri.org) project aims to make XRI resolution a standard feature of web servers (e.g., Apache)

10 Example XRDS document for “=example” *example T09:30:10Z xri://= xri://=! A1B2.C3D4 xri://!!1000! xri://$res*auth*($v*2.0)

11 XRI adoption
Boeing is standardizing on XRI for global identifiers
  – Published in their Enterprise Directory service for all people, applications, and devices
  – Deploying in new web services
  – Using for principals in SAML assertions
OpenID 2.0 supports XRIs for Web authentication and XRDS for service discovery
I-names uses XRI for privacy-protected global digital identity and XRDS for service discovery

Part Two: XDI (XRI Data Interchange)

13 The primary goals of XDI
Develop a standardized data interchange schema & protocol based on XRIs and XML
  – XDI is to XML what HTML is to SGML
Enable “link contracts”: machine-readable data sharing agreements that bind shared data to policies governing its use
Enable machine-readable XDI dictionaries that enable automated mapping of XRI-identified data across schemas & contexts

14 The XDI “Dataweb” model
Applies the Web model to machine-readable data sharing
  – XDI documents are XRI-addressable the same way HTML documents are URI-addressable
  – XRI addressing/linking goes all the way down to the atomic element level (URI addressing/linking goes down only to the document fragment level)
  – XDI addressing can reference and link elements across XDI documents just like HTML hyperlinks

15 XDI and RDF
XDI documents are collections of RDF statements using XRIs instead of URIs
  – Using XRI cross-reference syntax, all XDI RDF statements are expressible as XRIs
  – XDI RDF vocabulary consists of five core XRIs to describe resource relationship types
Dramatically simplifies/standardizes cross-domain data description and exchange
XDI dictionaries function as machine-readable, self-describing RDF vocabularies

16 XDI link contracts
A link contract is an XDI document governing an XDI data sharing relationship between two XDI data authorities
  – It “binds” XRI-addressable data to XRI-addressable policies governing its use
Link contracts can cover any type of XDI data (including other link contracts)
Link contracts can associate any type of data sharing policy

17 XDI adoption
First XDI engine implemented by ooTao
ooTao and Kintera have announced a major XDI data sharing project for La Leche League
  – 100K+ data sharing accounts
XDI will be a primary data sharing protocol supported by the Higgins Project

Part Three: I-Names

19 I-names (and i-numbers)
I-names is a new public XRI registry service for privacy-protected digital identifiers
These registries are operated by XDI.org, an international public trust organization
Registrations include both an i-name (reassignable) and an i-number (persistent)
There are three registries: = for for organizations of any kind ! for XDI.org-accredited i-brokers (i-numbers only)

20 I-brokers
An i-broker is a provider of Internet identity services (“banker for data”)
XDI.org accredits i-brokers to become global i-name/i-number registrars (similar to the role ICANN plays for DNS infrastructure)
Accredited i-brokers are listed on the XDI.org i-names website
These i-brokers all offer a core set of identity services including OpenID authentication

21 I-names are the next step in digital addressing
[Timeline diagram. Labels: Antiquity; Postal Address; Phone Number; Fax Number; Address; IM Address; Domain Name; i-name]

22 I-names let individuals and organizations control their communications channels
1) Simplicity: one communications address that never needs to change
2) Privacy: 100% control over access via any channel
3) Automated services: intelligent new communications services that save time and money
[Diagram labels: i-name; yahoo.com/~mary; Birch Lane, Berkeley, CA]

23 I-names adoption
I-names are integrated into the OpenID 2.0 specification
I-names are the basis for the new Equals communications management service from AmSoft
I-names are the basis for two more open Internet services currently under development
  – Authenticated, secure (“imail”)
  – Authenticated, secure data sharing (“ishare”)

Part Four: OpenID

25 OpenID 2.0
OpenID 2.0 is the convergence of OpenID 1.0, LID, i-names, Yadis, and SXIP
OpenID 2.0 supports both URLs and XRIs
  – Only XRIs support automatic mapping of an i-name to its persistent i-number to prevent an OpenID identity from being reassigned
OpenID 2.0 uses the XRI XRDS format for service discovery
OpenID 2.0 adds new features to its basic http(s) Web authentication protocol

26 OpenID support
Microsoft announced at RSA that it will support OpenID working with CardSpace
AOL just announced that it will provide OpenID service for all AOL users
Yahoo is expected to follow suit shortly
This will drive the market for what Gartner calls “personal identity frameworks” (PIFs)
  – Gartner anticipates that PIFs will integrate into enterprise IAM products in the next 2-3 years

27 OpenID adoption
Widely supported throughout the blogging industry
  – SixApart, LiveJournal, WordPress, Technorati
Spreading to other Web 2.0 sites
  – Wikitravel (Wikipedia), Ma.gnolia.com, Zoomr, etc.
Widespread open source support
  – PHP, Python, Perl, Ruby, C#, Java
  – pyblosxom, plone, Apache, MoinMoin, mailman, mediawiki, Drupal, phpBB, openXRI

28 Links to more information OpenID I-names XDI XRI

Panel Discussion / Q&A

Supplemental Slides

31 The five key features of XRI syntax
Cross-referencing: Identify the same logical resource across multiple contexts
Global context symbols: Establish a standard set of global contexts
Persistence & Reassignability: Support both persistent and reassignable identifiers in the same syntax
Metadata: Standardize identifier metadata such as language, version, date, and type
Extensibility: “XML for identifiers” - enable a common identifier scheme for all resources

32 Four options for identifier
With an XRI you can represent an identifier authority in four ways (all resolvable):
IP Address: $ip* /path?query
DNS Name: $dns*cordance.net/path?query
GCS Symbol: =drummond/path?query

33 All XRIs can be represented as HTTP URIs using HXRI syntax: HTTP Proxy XRI (HXRI) Syntax

34 Features of XRI resolution
Simple, lightweight XML document format
Uses standard HTTP caching
Supports three types of XRI synonyms
  – Local (from the same authority as the XRDS)
  – Canonical (preferred of all synonyms, typically an i-number)
  – Cross-references (from other XRI authorities)
Simple service endpoint description/selection
  – By Type (identified by URI, IRI, or XRI)
  – By MediaType (IANA standard strings)
  – By Path (stem-based matching)
Supports both local and HTTP(S) proxy resolution
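
The following added example (not part of the original presentation) shows service endpoint selection by Type and use of the canonical synonym, and why the OpenID 2.0 slide's i-name to i-number mapping matters to a relying party. The XRDS document, the i-number, and the endpoint URLs are constructed, and the code assumes the XRDS was obtained through resolution the relying party already trusts.

```python
import xml.etree.ElementTree as ET

NS = {"xrd": "xri://$xrd*($v*2.0)"}                         # XRD 2.0 namespace
OPENID2_SIGNON = "http://specs.openid.net/auth/2.0/signon"  # OpenID 2.0 service Type

# Constructed sample XRDS for the i-name "=example"; every value is illustrative.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
 <XRD>
  <Query>*example</Query>
  <ProviderID>xri://=</ProviderID>
  <CanonicalID>=!A1B2.C3D4</CanonicalID>
  <Service priority="20">
   <Type>http://specs.openid.net/auth/2.0/signon</Type>
   <URI>https://backup-op.example.net/openid</URI>
  </Service>
  <Service priority="10">
   <Type>http://specs.openid.net/auth/2.0/signon</Type>
   <URI>https://op.example.com/openid</URI>
  </Service>
  <Service>
   <Type>https://example.org/constructed-contact-service</Type>
   <URI>https://contact.example.com/</URI>
  </Service>
 </XRD>
</xrds:XRDS>"""

def discover(xml_text, wanted_type=OPENID2_SIGNON):
    """Return (canonical_id, endpoint_uri) for the resolved identifier."""
    if "<!DOCTYPE" in xml_text:          # XRDS needs no DTD; reject it to avoid entity expansion
        raise ValueError("DOCTYPE not allowed in XRDS")
    xrds = ET.fromstring(xml_text).findall("xrd:XRD", NS)
    if not xrds:
        raise ValueError("no XRD element")
    xrd = xrds[-1]                       # last XRD describes the final subsegment
    canonical = (xrd.findtext("xrd:CanonicalID", "", NS) or "").strip()
    # Simplified persistence check: i-number subsegments use "!", i-names use "*".
    if "!" not in canonical or "*" in canonical:
        raise ValueError("no persistent CanonicalID; do not bind an account")
    matches = []
    for svc in xrd.findall("xrd:Service", NS):
        types = [t.text.strip() for t in svc.findall("xrd:Type", NS) if t.text]
        uris = [u.text.strip() for u in svc.findall("xrd:URI", NS) if u.text]
        if wanted_type in types and uris:
            # Lower priority value wins; a missing priority sorts last.
            matches.append((float(svc.get("priority", "inf")), uris[0]))
    return canonical, (min(matches)[1] if matches else None)

def account_key(xml_text):
    """Key a relying party stores: the i-number, never the reassignable i-name."""
    return discover(xml_text)[0]
```

If the i-name =example is later reassigned, resolution returns a different CanonicalID, so the stored key no longer matches and the new holder does not inherit the account.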

35 Link contracts can include policies for:
Identification
Authentication
Authorization and access control
Privacy and usage control
Synchronization
Termination
Recourse

36 Link contract policy references
Every policy referenced by a link contract has its own XRI (or set of XRI synonyms)
The policy itself need not be an XDI document; it might be:
  – Human-readable text document (e.g., Creative Commons licenses, or an Identity Commons identity rights agreement)
  – A document in machine-readable policy expression language (XACML, WS-Policy, etc.)
  – Any other XRI-addressable resource to which the parties can agree

37 XRI Specification status
Current specs
  – XRI Syntax 2.0 – December 2005
  – XRI Resolution 2.0 Working Draft 11 – Feb 2006
XRI $ Dictionary 2.0 specification underway
  – Major contributions by Boeing
Complete XRI 2.0 specification suite expected in public review by late spring
OASIS Standard vote expected this fall

38 XDI specification status
XDI schema and addressing model complete
Link contract vocabulary work underway
Protocol and protocol binding work prototyped
First part of XDI 1.0 specifications expected this spring
Complete XDI 1.0 specifications expected this fall