Technometria

Home
Why Technometria?
RSS
Atom
Podcast Feed
Add to Google

Recommend This Site

About Phil

Brief Bio
Contact Info
Phil on Twitter
Speaking
InfoWorld
Photo Albums
Video Favorites
CTO Breakfast

Essays

2006
2005
2004
2003
CIO White Papers

Software

Packages

Topic Guides

Digital ID Policies
Internet Application Performance
Setting Up a Linux Server
Public Service Tips

Categories

Blog TagCloud

Archives

February 2010
January 2010
December 2009
November 2009
October 2009
September 2009
August 2009
July 2009
June 2009
May 2009
April 2009
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008
September 2008
August 2008
July 2008
June 2008
May 2008
April 2008
March 2008
February 2008
January 2008
December 2007
November 2007
October 2007
September 2007
August 2007
July 2007
June 2007
May 2007
April 2007
March 2007
February 2007
January 2007
December 2006
November 2006
October 2006
September 2006
August 2006
July 2006
June 2006
May 2006
April 2006
March 2006
February 2006
January 2006
December 2005
November 2005
October 2005
September 2005
August 2005
July 2005
June 2005
May 2005
April 2005
March 2005
February 2005
January 2005
December 2004
November 2004
October 2004
September 2004
August 2004
July 2004
June 2004
May 2004
April 2004
March 2004
February 2004
January 2004
December 2003
November 2003
October 2003
September 2003
August 2003
July 2003
June 2003
May 2003
April 2003
March 2003
February 2003
January 2003
December 2002
November 2002
October 2002
September 2002
August 2002
July 2002
June 2002
May 2002

Utah Tech Organizations

BYU Unix User's Group
Provo Linux User's Group
Utah Valley Linux User's Group
Ubuntu Utah
Salt Lake LUG
USU Free Software and Linux Club
Greater Utah BSD User Group
Utah PHP Users Group
Utah Python User Group
Utah Ruby Users Group
Ogden Area LUG
Southern Utah Unix Users Group
UtahSAINT

Copyright

Copyright © 2002-2009 PJW LC. Some rights reserved. Technometria is a trademark of PJW LC in the United States and other countries.

« Novell's New CTO | Main | SOA Governance Article »

XRI, XDI, and Identity

I flew down to Oakland today to attend Andy Dale’s XDI Workshop (slides and video available, eventually, on the wiki). XRI’s one of those things I’ve wanted to understand better and I decided that going to a workshop with Andy was the best way to do that. Call me lazy.

Andy subtitled his presentation “an implementor’s guide” and started off with an off-the-cuff comment that XDI is mostly at a stage where it can be implemented.

Globally Unique identifiers

You can’t talk about distributed management without talking about global unique identifiers (GUIs). These are things like phone numbers. Local identifiers are things like phone extensions. Web site identities are local identifiers. Email has been used as a globally unique identifier, but people are hesitant to give it out. Besides, using concrete identifiers (like email) for an abstract identifier is a flawed.

Examples of GUI’s include phone numbers, email, and URLs. Other examples include DNS and XRI, but these are abstract. Their main use is to link to other concrete identifiers. Domain names are designed to map to IP numbers and little else.

I-names sit on top of XRI and expose an extensible set of service capabilities. When you resolve an i-name, you get back and XRD (eXtensible Resource Descriptor), an XML document.

I-name resolution is is left-to-right. In an i-name, a period (.) is a valid character in a name, not a delegator. The asterisk (*) is used as a delegator. There are five global roots. The equals sign (=) is the root for individuals, hence =windley identifies me. @ is the root for organizations, + is the root for tag space, $ is the root for system tags, and ! is the root for i-numbers.

Each of these spaces are hierarchical and extensible. So, =windley*friends*steve could be an identifier for my friend steve. This would be more common at the organizational level. So, @technometria*=windley could be me.

You get an i-name from an i-broker. I-brokers are the i-name equivalent to a DNS registrar. GRS is the global registry services, analogous to the DNS top-level registry services. To register @technometria*windley, I’d first register the @technometria name with a commercial i-broker. The record is then added to the GRS. Next, I’d go to a community i-broker and ask them to serve as my registry. The community i-broker, the commercial i-broker, and the registrant enter into a transaction to authenticate that it’s OK. Now, anyone can show up at the community i-broker and register a name in the @technometria community subject to whatever rules I establish.

Resolving the name @technometria*windley works much like DNS. Find the GRS for @, ask it about technometria, as that about windley, get an answer. In general, the situation is analogous to DNS, but has a richer vocabulary. Neustar is the GRS for XRIs.

When you register an i-name, you always get an authentication service (ISSO - SAML 1.1 today) and a contact page. You can buy an i-name for $25 for 50 years now. When Neustar takes over that price may change.

Single Sign On

Traditionally authentication happens in a linear fashion between an user interface of some kind and a data store that stores the userid and password. With single sign on (SSO), you provide a username which is then resolved in some way to find the authentication service for that name. The application asks the authentication service to authenticate the user and gets back a token. Thus multiple Web sites and applications (service providers) can use a single authentication service (AuthN). Note that resolution of the authentication service from the name is a critical piece of the puzzle.

I-names can support SSO through resolution to an XRD that indicates the authentication service. The authentication service will be the user’s i-broker and will ask for a password. Supposing that the user recognizes the “trust cues” from the i-broker, she will enter the password. The user will be returned to the SP with an authenticated session. The flow actually uses redirects through the browser. The SP and the AuthN never talk directly to each other. The weak link in SSO is the password page and possible spoofing.

There are libraries available for doing i-name SSO now (SPIT) that work in PHP, Java, Perl, Python, and Ruby. BooksWeLike is an example of a site that has implemented i-name based SSO. I went there, registered by putting my i-name and email into their registration page and now can log into their site using my i-name, authenticating though 2idi (my i-broker). I dislike the multiple pages (with buttons that say things like “click here to complete the login process”) but it’s pretty cool to see it work. Here’s my BooksWeLike page. Notice my i-name in the URL.

Moving on to XDI

While XRI is an extension of the URI concept, providing a richer set of mappings than DNS will support, XDI is the XRI Data Interchange. XDI is a set of specifications that are dependent on XRI and discuss how to share data resources that are identified using XRIs.

Why publish data from your systems? Internal and external system integration is the obvious answer. But, you can do something else at the same time: empowering you members so that you can serve them better. Say what? Here’s an example:

Today people give money online to non-profits. non-profits remember that they do this so they can ask them for more later. But when many people give money to lots of organizations, it becomes difficult, especially for smaller organizations, to manage their donors. So small non-profits sell their data to aggregators and then by data back to get a better handle on who’s giving what.

What happens if the donor ends up with an authoritative record of their giving? Then the individual can aggregate a profile of their own giving that far exceeds any data an aggregator can amass. The donors can also specify what they are interested in giving money to. Other data about the individual can be aggregated with the profile. This profile can be selectively exposed in the context of other transactions. Intermediaries can use this data to broker giving to organizations. This strikes me as the longtail of trust funds. There’s also a serious attention component here.

To enable this, the donor must receive an authoritative record of the transaction. By publishing this data back to the user, you serve your members better. The system must provide fine grained permissioning that let’s you control who has access to what. Roles-based permissioning simplifies the permissioning matrix. Service-based roles make permissioning doable for real people.

To do this, you should not only capture data at its source, but use data at its source as well. Data about me lives in lots of places. I don’t want to gather it up and put it all in one place. What I really want is to establish a database of pointers to where my data is. Note that this is a different problem than whether I have control over who sees that data or not.

XDI is to the distributed data web what ODBC and SQL were to datastores in databases. XDI takes an XRI as the query you get back and XDI doc (a well known, universal data structure with introspection).

XDI has field level security. Since the structure is hierarchical, the permissioning can be specified by a path. John has access to “a/b/f/1” for example. This path-based syntax allows fine-grained and course-grained syntax in the same model.

The IP for XDI is open and it has a social layer. The social layer is represented by “link contracts” that mediate data access. Link contracts can express conditions for data use. This could be used to require certain behaviors with respect to caching and other things. This seems like identity rights agreements.

XDI has low-level caching. This is independent of (or an augmentation of) transport level caching since the XRI syntax can be used to specify what are authoritative copies of the data and which are no longer valid.

XDI has low-level versioning. XRI has a specified versioning syntax. Values can be soft deleted. Old values can be kept addressable and can be auditable only.

Triggers can be built into XDI implementations. XDI is not yet enterprise ready. There needs to be more work on backup and recovery, clustering and fault tolerance.

Because of these properties (in particular the fine-grained permissioning), you can easily incorporate the “user” into a data integration by merely permissioning her system. What’s more, identity providers are found through resolution without having to integrate multiple IPs into each system.

At this point, a light bulb went off in my head and the information density of the next few minutes pegged my brain bandwidth. I’ll have to parse it out and write about it later.

In XRI, my email address would be represented by =windley/+email. Resolution would be able to turn that into my current email address or even a contact service. This allows you to put a wall between the resolution and the email address, allowing someone (perhaps the user) to turn off email resolution on a case-by-case basis. This allows user-controlled access to personally identifying information.

ooTao has a XDI Demo available online.

Posted by windley on December 5, 2005 4:56 PM

See related posts:

 Share this article on Facebook
 Email this article to a friend
  Post this article to del.icio.us
 Format this article for printing
 Get the SNUrlfor this page