IDtrust Symposium, March 4-6, 2008

Drummond Reed, Cordance

Les Chasen, NeuStar

William Tan, NeuStar

OpenID Discovery Using XRI and XRDS

  • The OASIS XRI and XRDS specifications played a key role in identity discovery for OpenID 2.0
  • We’ll explain the five key discovery challenges they helped solve
  • We’ll suggest potential interoperability with other identity protocols/frameworks
What is XRI (Extensible Resource Identifier)?
  • An OASIS Technical Committee
    • Started January 2003
  • An open standard language for abstract structured identifiers
    • Identifiers that are independent of domain, application, protocol, or language
    • Identifiers that resolve to other identifiers
  • “XML for identifiers”

[Diagram: the XRI layer sits above the Domain Name, IP Address, and Local Path/Query layers]

What is OpenID?
  • An open community specification for user-centric Internet authentication
    • Based on the concept that users have their own globally-resolvable identifier and OpenID authentication service
  • Prime use case: eliminate the need for separate usernames and passwords for different websites

[Diagram: Relying Party (RP) and OpenID Provider (OP)]

Evolution from OpenID 1.x to 2.0
  • OpenID 1.0 “hardwired” a URL to an OpenID identity server
  • This was very rigid and not extensible
  • As the OpenID 2.0 tent grew, it needed a more flexible and robust discovery layer
The challenges for OpenID 2.0 identity discovery
  • Service description
  • OpenID recycling
  • Resolution integrity and trust
  • Privacy and non-correlation
  • Extensibility
Challenge #1: Service description
  • Describe what versions of OpenID an OpenID identifier supports
  • Enable redundant, prioritized OpenID provider endpoints
  • Describe what other authentication protocols may be available (e.g., LID, SAML)
Service description: the solution
  • XRDS (Extensible Resource Descriptor Sequence) documents
  • The XML analog of DNS resource records
  • Very simple set of elements describing
    • Synonyms for an identifier
    • Service endpoints for an identifier
    • Expiration and trust verification metadata

The XRDS fragment on the slide, with the closing tags restored so it is well-formed (the empty elements were blank on the slide as well):

```xml
<XRDS xmlns="xri://$xrds">
  <XRD xmlns="xri://$xrd*($v*2.0)">
    <Service>
      <Type>xri://$res*auth*($v*2.0)</Type>
      <URI>!1234.5678.a1b2.c3d4/</URI>
    </Service>
    <Service>
      <Type></Type>
      <Type></Type>
      <Path>+openid</Path>
      <URI></URI>
    </Service>
  </XRD>
</XRDS>
```

Challenge #2: OpenID recycling
  • With usernames/passwords, usernames can be recycled
    • The service provider controls the binding with the credential
  • With OpenID, that’s no longer true
    • The user controls the binding to the credential
    • Losing control of the identifier = losing control of the credential
Challenge #2: OpenID recycling
  • Service providers with large name-spaces can’t afford to assign names once and lock them up forever
    • Examples: AOL, Yahoo
  • DNS names are inherently recyclable – an entire industry exists to serve the secondary domain name market
OpenID recycling: the solution
  • Synonyms
    • Support the binding of a recyclable identifier with a non-recyclable synonym
    • Authenticate based on the persistent synonym
    • Treat the recyclable identifier as only a temporary handle for the persistent synonym
OpenID recycling: the solution
  • Persistent synonyms are a primary raison d’être for XRI
    • XRI distinguishes between reassignable “i-names” and persistent “i-numbers” at the syntax level
    • XRDS documents provide automated synonym mapping
    • XRI Resolution 2.0 includes automated synonym authorization verification
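To make the two mechanisms on the preceding slides concrete (redundant, prioritized service endpoints from Challenge #1, and binding the account to the persistent CanonicalID synonym rather than the recyclable identifier from Challenge #2), here is an added Python example; it is not code from the deck or from the XRI TC. The XRDS sample is constructed, and the OpenID service-type URIs come from the OpenID Authentication 2.0 specification, not from the slides.

```python
"""XRDS endpoint selection and persistent-synonym binding (constructed example)."""
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"          # XRD 2.0 namespace used throughout the deck
# Service type URIs defined by OpenID Authentication 2.0 (not on the slides).
OPENID2_SIGNON = "http://specs.openid.net/auth/2.0/signon"
OPENID1_SIGNON = "http://openid.net/signon/1.1"

# Constructed sample XRDS, modelled on the slides' fragments: two prioritized
# OpenID 2.0 endpoints, a legacy 1.1 endpoint, and a persistent CanonicalID.
SAMPLE_XRDS = """<XRDS xmlns="xri://$xrds">
  <XRD xmlns="xri://$xrd*($v*2.0)">
    <CanonicalID>=!1234.5678.a1b2.c3d4</CanonicalID>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://backup.example.net/openid</URI>
    </Service>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <Type>http://openid.net/signon/1.1</Type>
      <URI priority="5">https://op.example.net/openid</URI>
      <URI>https://op-alt.example.net/openid</URI>
    </Service>
    <Service>
      <Type>http://openid.net/signon/1.1</Type>
      <URI>https://legacy.example.org/openid</URI>
    </Service>
  </XRD>
</XRDS>"""


def _prio(elem):
    """XRI Resolution ordering: lower number first, no priority attribute last."""
    p = elem.get("priority")
    return (p is None, int(p) if p is not None else 0)


def select_endpoints(xrds_text, service_type):
    """Return endpoint URIs offering service_type, best candidate first."""
    xrd = ET.fromstring(xrds_text).findall(f"{{{XRD_NS}}}XRD")[-1]  # last XRD wins
    services = [s for s in xrd.findall(f"{{{XRD_NS}}}Service")
                if service_type in (t.text for t in s.findall(f"{{{XRD_NS}}}Type"))]
    uris = []
    for svc in sorted(services, key=_prio):           # stable: ties keep document order
        for uri in sorted(svc.findall(f"{{{XRD_NS}}}URI"), key=_prio):
            uris.append(uri.text.strip())
    return uris


def canonical_id(xrds_text):
    """Persistent synonym the RP should bind the account to (None if absent)."""
    xrd = ET.fromstring(xrds_text).findall(f"{{{XRD_NS}}}XRD")[-1]
    cid = xrd.find(f"{{{XRD_NS}}}CanonicalID")
    return cid.text.strip() if cid is not None and cid.text else None
```

An RP that stores `canonical_id(...)` instead of the user-typed identifier keeps working when the i-name is reassigned, and falls through `select_endpoints(...)` in order when the preferred OP endpoint is down.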
Challenge #3: Resolution integrity/trust
  • OpenID could not specify HTTPS resolution for all OpenID URLs
    • Too many users do not have access to HTTPS certs or infrastructure
    • Thus the default had to be HTTP
    • This forces users with HTTPS URLs to have to type the entire string, e.g., https://my.openid.identifier.tld
Resolution integrity/trust: the solution
  • As abstract identifiers, XRIs always map to concrete service endpoints
  • XRI resolution offers three trusted modes:
    • HTTPS, SAML, or both
  • Thus all XRI i-names can use HTTPS resolution as the default
    • No need for users to know/do anything
Challenge #4: Privacy & non-correlation
  • OpenID 1.x assumed users would share the same identifier(s) with every RP
  • Violates the Fourth Law of Identity:
    • A universal identity system must support both "omni-directional" identifiers for use by public entities and "unidirectional" identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.
Privacy & non-correlation: the solution
  • Directed identity
    • Users can enter the URL or XRI of their identity provider
    • The discovered XRDS doc contains a directed identity service endpoint
    • The RP redirects the user to their OP to select their identifier
    • The OP can also generate a pairwise unique “per relationship” identifier
Privacy & non-correlation: the solution
  • Directed identity support means OpenID 2.0 satisfies the Fourth Law
  • It is the only mode some large service providers currently support
    • Yahoo
  • Ideally users will have a choice of whether to use a public or directed identifier
Challenge #5: Extensibility
  • OpenID is a framework for user-centric identity services
  • RPs need to be able to discover what OpenID extension specs an OP supports
    • SREG, AX, PAPE (more coming)
  • The discovery format itself needs to be extensible
Extensibility: the solution
  • XRDS documents
    • Service types are declared using URIs, IRIs, or XRIs – anyone can extend
    • Multiple types can be declared for the same service endpoint
    • Elements can be added from any XML namespace
    • XRDS documents can redirect or refer to other XRDS documents
Extensibility: the solution
  • Example: OAuth
    • “OpenID for services/applications”
    • Allows users to authorize a website or application to access protected resources without providing their credentials directly
    • OAuth Discovery uses XRDS extensibility

The OAuth Discovery fragment on the slide, re-fenced and closed so it is well-formed (the oauth namespace URI was blank on the slide):

```xml
<XRDS xmlns="xri://$xrds">
  <XRD xmlns:oauth="" xmlns="xri://$xrd*($v*2.0)">
    <oauth:RequestSignature append="head"/>
  </XRD>
</XRDS>
```

  • OpenID can use SAML!
    • Shown by Pat Patterson at the Internet Identity Workshop in December 2006
    • Same discovery steps, similar protocol flow, just using SAML tokens
    • Can also use XRDS documents for automated discovery of SAML metadata
Information Cards
  • Information cards can carry discoverable OpenID identifiers
  • XRDS discovery is not used in the information card flow
  • But sharing an OpenID claim can enable the RP to do XRDS discovery on other identity services
  • Higgins needed a solution for cross-domain context discovery
  • Higgins resolves a URL or XRI to an XRDS document to discover:
    • The service endpoint URI(s) for the context
    • The Higgins context configuration metadata needed to open the context

The Higgins context XRDS from the slide, re-fenced with the truncated SettingHandler tag and the missing closing tags restored (the blank namespace URIs were blank on the slide):

```xml
<XRDS xmlns="xri://$xrds">
  <XRD xmlns="xri://$xrd*($v*2.0)">
    <Query>*mycontext</Query>
    <Status code="100"/>
    <LocalID priority="10">!12345</LocalID>
    <CanonicalID priority="10">@!12345</CanonicalID>
    <Service priority="10" xmlns:hconf="">
      <Type match="default" />
      <hconf:Configuration xmlns="">
        <SettingHandler Type="xsd:string" Class="java.lang.String"/>
        <Setting Name="TestContext" Type="htf:map">
          <Setting Name="username" Type="xsd:string">dbuser</Setting>
          <Setting Name="password" Type="xsd:string">dbpass</Setting>
        </Setting>
      </hconf:Configuration>
    </Service>
  </XRD>
</XRDS>
```

Future work
  • Caching and scalability testing
  • Proxying
    • Performance optimization
    • Integration with authority servers
  • PKI integration
  • Reputation discovery
  • OpenID may or may not become an Internet-wide authentication standard
  • But the OpenID identity discovery model has already proved its broad utility
  • XRDS resolution provides a common discovery format for URLs and XRIs
  • It can provide an interoperable foundation for an Internet identity layer
Contact us
  • Drummond Reed, Co-Chair, XRI TC
  • Les Chasen, NeuStar, Editor, XRI TC
  • William Tan, NeuStar, Editor, XRI TC
  • Learn through the IDtrust Knowledgebase of educational materials and background on the standards
  • Share news, events, presentations, white papers, product listings, opinions, questions, and recommendations through postings, blogs, forums, and directories
  • Collaborate with others online through a wiki interface