
List:       openid-general
Subject:    Re: [OpenID] XRI semantics and heavyweight identity management
From:       "Drummond Reed" <drummond.reed () cordance ! net>
Date:       2008-04-22 1:37:32
Message-ID: 06ec01c8a419$7062a5f0$0800a8c0 () ELROND


Peter,

You ask a good question. OpenID and XRI are adjacent, complementary
technologies. OpenID is one authentication option for a resource identified
by an XRI, and XRI is one identifier option for a resource that wants to use
OpenID authentication.

XRI Resolution 2.0 does support several trust models, including trusted
resolution and trusted synonyms, for resolution of an XRI. Due to the
extensibility of XRDS service types, it supports an even wider
(theoretically infinite) variety of authentication options. (It is ironic
that for 2+ years before OpenID came along, we assumed SAML would be the
de facto authentication service for XRI-identified resources.)

In any case, one of the mantras of OpenID authentication has been that
"trust (between RPs and OPs) is out of scope". So using XRI
identification/resolution relationships to create an RP/OP trust model seems
as legitimate as any other approach. I know of several communities doing
just that (and ironically they consider it a relatively lightweight solution
vs. more heavyweight PKI-based approaches).

At the same time, it's only one approach, so it's hard to give much guidance
beyond that.

Hope this helps,

=Drummond

 

  _____  

From: general-bounces@openid.net [mailto:general-bounces@openid.net] On
Behalf Of Peter Williams
Sent: Saturday, April 19, 2008 10:28 PM
To: general@openid.net
Subject: [OpenID] XRI semantics and heavyweight identity management

 

I'm reading
http://docs.oasis-open.org/xri/xri-resolution/2.0/specs/cd03/xri-resolution-V2.0-cd-03.pdf
very carefully, aiming to fully understand OpenID2. My goal is to then go
enhance my RDF server so it can respond with some simple XRDS files,
augmenting its native metadata about service endpoints with FOAF data (to
allow for intelligent RDF-driven RPs). I don't aim to actually implement XRI
Resolution. I just want to pretend to do so, for some simple XRDs and XRI
queries. It's a good learning exercise; a good first step to get a feel for
the algorithm and how one tunes it all.

There are a lot of procedures and identity semantics in the specification.
It's essentially a toolkit. How literally should I take all the options, as
they reflect on OpenID2? Can any and all of the options in the document be
leveraged when building an actual OP->RP relationship? Are any and all the
options "compatible" with the OpenID infrastructure vision?

For example, as a solution architect, I could specify that an OP will
operate a regime requiring only this or that durability of resources, that
equivID will be used in way X to accomplish Y per the spec, that child and
parent authorities will and will not be able to do certain things - per
choice of policies and setup, etc., that XRI references between XRDs shall
occur in this or that way. As a result, I could easily take the toolkit and
build a very unique and particular trust model, addressing the full
lifecycle of identity management in a distributed authority model.

If I were to do all this "heavyweight identity management", can I still be
asserting at the end of the day that I'm "doing OpenID", in a manner
"consistent with" the OpenID culture, vision and community goals?

I ask, as building such a trust model is rather different culturally to the
traditional context - in which a user goes and stuffs some meta tags into a
blogging HTML page, a user types in a URL at a URL, and OP->RP flows send
assertions over an authenticated channel! Such an XRI-derived
infrastructure is an entirely different kind of trust management
infrastructure, very much focused on notions of authority and is very much
contingent on the RP recognizing that various third-party authorities have
various rights to speak (in different ways) for a particular user identity.

Obviously, there is no one-word, one-sentence answer to this question set.
It's guidance I'm looking for.

_________________________
Peter Williams
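Both messages turn on what an RP does with an XRDS document: Peter wants his server to publish simple XRDS files with service endpoints, and Drummond points out that OpenID is just one XRDS service type and that XRI resolution brings its own trust questions (trusted resolution, synonyms). The block below is an added example, not code from this thread or from any OpenID/XRI project. It parses a constructed XRDS, picks the OpenID 2.0 service the RP should call by the XRDS priority rule, and applies the checks an RP needs when the user typed an XRI: the resolution Status must be success and the Claimed Identifier must be the CanonicalID from the XRD, never the reassignable i-name the user typed. The XRDS text, the host names, the i-name `=alice`, the i-number and the non-OpenID service type URI are all constructed placeholders.

```python
"""XRDS discovery for OpenID 2.0: choose the endpoint an RP should use.

Added example, not code from this thread or from any OpenID/XRI project.
The XRDS document, host names, i-name, i-number and the non-OpenID service
type URI below are constructed placeholders.
"""
import xml.etree.ElementTree as ET

XRDS_NS = "xri://$xrds"
XRD_NS = "xri://$xrd*($v*2.0)"

# Service type URIs defined by OpenID Authentication 2.0.
OP_IDENTIFIER = "http://specs.openid.net/auth/2.0/server"
CLAIMED_ID_SIGNON = "http://specs.openid.net/auth/2.0/signon"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
OPENID_TYPES = {OP_IDENTIFIER, CLAIMED_ID_SIGNON}

# Constructed sample: three OpenID services (two prioritised, one without a
# priority) plus a non-OpenID service (hypothetical type URI) to be ignored.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Status code="100"/>
    <CanonicalID>=!91F2.8153.F600.AE24</CanonicalID>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example/auth</URI>
      <LocalID>https://op.example/user/alice</LocalID>
    </Service>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://backup-op.example/auth</URI>
    </Service>
    <Service>
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://legacy-op.example/auth</URI>
    </Service>
    <Service>
      <Type>http://example.invalid/foaf-profile</Type>
      <URI>https://rdf.example/alice.rdf</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def _tag(name):
    """Clark-notation tag for an element in the XRD 2.0 namespace."""
    return "{%s}%s" % (XRD_NS, name)


def _priority_key(service):
    # XRDS rule: a lower priority value wins, and a Service without a priority
    # ranks below every Service that has one. The spec breaks ties at random;
    # document order is used here so the result is reproducible.
    prio = service["priority"]
    return (prio is None, 0 if prio is None else prio, service["order"])


def discover_openid(xrds_text, user_identifier, is_xri):
    """Return the endpoint selection an RP should make from an XRDS document.

    Raises ValueError when the document cannot be used safely: no XRD, no
    OpenID service, a failed XRI resolution Status, or an XRI whose XRD has
    no CanonicalID (the RP must not fall back to the user-typed XRI).
    """
    root = ET.fromstring(xrds_text)
    if root.tag != "{%s}XRDS" % XRDS_NS:
        raise ValueError("not an XRDS document")
    xrd_list = root.findall(_tag("XRD"))
    if not xrd_list:
        raise ValueError("XRDS contains no XRD element")
    xrd = xrd_list[-1]  # last XRD in a resolution chain describes the target

    if is_xri:
        status = xrd.find(_tag("Status"))
        if status is None or status.get("code") != "100":
            raise ValueError("XRI resolution did not succeed (Status code != 100)")

    services = []
    for order, svc in enumerate(xrd.findall(_tag("Service"))):
        types = {t.text.strip() for t in svc.findall(_tag("Type")) if t.text}
        uris = [u.text.strip() for u in svc.findall(_tag("URI")) if u.text]
        if not (types & OPENID_TYPES) or not uris:
            continue  # not an OpenID 2.0 service, or nothing to call
        prio = svc.get("priority")
        local_id = (svc.findtext(_tag("LocalID")) or "").strip() or None
        services.append({"order": order, "priority": None if prio is None else int(prio),
                         "types": types, "uri": uris[0], "local_id": local_id})
    if not services:
        raise ValueError("XRD advertises no OpenID 2.0 service")
    services.sort(key=_priority_key)
    best = services[0]

    if OP_IDENTIFIER in best["types"]:
        claimed_id = IDENTIFIER_SELECT  # OP Identifier: the OP picks the user
    elif is_xri:
        # For an XRI the Claimed Identifier is the persistent CanonicalID
        # (i-number), not the reassignable i-name the user typed.
        claimed_id = (xrd.findtext(_tag("CanonicalID")) or "").strip()
        if not claimed_id:
            raise ValueError("XRI identifier but the XRD has no CanonicalID")
    else:
        claimed_id = user_identifier

    return {"op_endpoint": best["uri"], "claimed_id": claimed_id,
            "op_local_id": best["local_id"] or claimed_id,
            "candidates": [s["uri"] for s in services]}


def discovery_error(xrds_text, user_identifier, is_xri):
    """Return the rejection reason as text, or None when discovery succeeds."""
    try:
        discover_openid(xrds_text, user_identifier, is_xri)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(discover_openid(SAMPLE_XRDS, "=alice", is_xri=True))
```

The CanonicalID check is the point Drummond's "trusted resolution" remark bears on: the example takes the CanonicalID from the last XRD as the Claimed Identifier, but it does not by itself prove that the authority which served the XRDS is entitled to assert that i-number; that binding is what trusted resolution (or a community-specific trust model of the kind Peter sketches) has to establish before the RP relies on it. XRDS documents are fetched from the network, so in production the response size should be capped and the XML parsed with a hardened parser such as defusedxml.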





_______________________________________________
general mailing list
general@openid.net
http://openid.net/mailman/listinfo/general

