XRI, XDI, and Identity


I flew down to Oakland today to attend Andy Dale's XDI Workshop (slides and video available, eventually, on the wiki). XRI's one of those things I've wanted to understand better and I decided that going to a workshop with Andy was the best way to do that. Call me lazy.

Andy subtitled his presentation "an implementor's guide" and started off with an off-the-cuff comment that XDI is mostly at a stage where it can be implemented.

Globally Unique identifiers

You can't talk about distributed management without talking about globally unique identifiers (GUIs). These are things like phone numbers. Local identifiers are things like phone extensions. Web site identities are local identifiers. Email has been used as a globally unique identifier, but people are hesitant to give it out. Besides, using concrete identifiers (like email) for an abstract identifier is flawed.

Examples of GUIs include phone numbers, email, and URLs. Other examples include DNS and XRI, but these are abstract. Their main use is to link to other concrete identifiers. Domain names are designed to map to IP numbers and little else.

I-names sit on top of XRI and expose an extensible set of service capabilities. When you resolve an i-name, you get back an XRD (eXtensible Resource Descriptor), an XML document.

I-name resolution is left-to-right. In an i-name, a period (.) is a valid character in a name, not a delegator. The asterisk (*) is used as a delegator. There are five global roots. The equals sign (=) is the root for individuals, hence =windley identifies me. @ is the root for organizations, + is the root for tag space, $ is the root for system tags, and ! is the root for i-numbers.

Each of these spaces is hierarchical and extensible. So, =windley*friends*steve could be an identifier for my friend Steve. This would be more common at the organizational level. So, @technometria*=windley could be me.

You get an i-name from an i-broker. I-brokers are the i-name equivalent to a DNS registrar. GRS is the global registry services, analogous to the DNS top-level registry services. To register @technometria*windley, I'd first register the @technometria name with a commercial i-broker. The record is then added to the GRS. Next, I'd go to a community i-broker and ask them to serve as my registry. The community i-broker, the commercial i-broker, and the registrant enter into a transaction to authenticate that it's OK. Now, anyone can show up at the community i-broker and register a name in the @technometria community subject to whatever rules I establish.

Resolving the name @technometria*windley works much like DNS. Find the GRS for @, ask it about technometria, ask that about windley, get an answer. In general, the situation is analogous to DNS, but has a richer vocabulary. Neustar is the GRS for XRIs.
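A small sketch of the i-name syntax and the left-to-right resolution walk described above, as an added example rather than code from the workshop or the XRI specifications. The registry contents, URLs and function names are constructed for illustration, and each subsegment is treated as an opaque string.

```python
# The five global roots listed above.
GLOBAL_ROOTS = {"=": "individuals", "@": "organizations", "+": "tag space",
                "$": "system tags", "!": "i-numbers"}

def parse_iname(iname):
    """Return (root, subsegments). '*' is the only delegator; '.' stays in the name."""
    if not iname or iname[0] not in GLOBAL_ROOTS:
        raise ValueError(f"i-name must start with a global root: {iname!r}")
    segments = iname[1:].split("*")
    if any(seg == "" for seg in segments):
        raise ValueError(f"empty subsegment in {iname!r}")
    return iname[0], segments

# Constructed registry: authority -> subsegment -> record.
# "delegate" names the authority that answers for the next subsegment.
REGISTRY = {
    "GRS @": {
        "technometria": {"delegate": "community i-broker for @technometria",
                         "xrd": {"contact": "https://example.org/technometria"}},
    },
    "community i-broker for @technometria": {
        "windley": {"delegate": None,
                    "xrd": {"authn": "https://authn.example.org/sso",
                            "contact": "https://example.org/windley"}},
    },
}

def resolve(iname):
    """Walk the authorities left to right; return (trail, XRD-like dict)."""
    root, segments = parse_iname(iname)
    authority, trail, record = f"GRS {root}", [], None
    for seg in segments:
        table = REGISTRY.get(authority, {})
        if seg not in table:
            raise LookupError(f"{authority!r} has no record for {seg!r}")
        record = table[seg]
        trail.append((authority, seg))
        authority = record["delegate"]  # next hop, or None at a leaf
    return trail, record["xrd"]

if __name__ == "__main__":
    trail, xrd = resolve("@technometria*windley")
    for authority, seg in trail:
        print(f"asked {authority} about {seg}")
    print("authentication service:", xrd["authn"])
```

Because the period is not a delegator, `@technometria.windley` is a single name that the `@` registry must answer for itself, so a client that split on `.` as it would for DNS would put its question to the wrong authority.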

When you register an i-name, you always get an authentication service (ISSO - SAML 1.1 today) and a contact page. You can buy an i-name for $25 for 50 years now. When Neustar takes over that price may change.

Single Sign On

Traditionally, authentication happens in a linear fashion between a user interface of some kind and a data store that stores the userid and password. With single sign on (SSO), you provide a username which is then resolved in some way to find the authentication service for that name. The application asks the authentication service to authenticate the user and gets back a token. Thus multiple Web sites and applications (service providers) can use a single authentication service (AuthN). Note that resolution of the authentication service from the name is a critical piece of the puzzle.