« OAI ORE specification roll-out meetings | Main | Why federated access management? »

January 24, 2008

XRI and OpenID

A post by Drummond Reed to the openid-general mailing list reminded me that the Extensible Resource Identifier (XRI) now features in OpenID 2.0.  I've never really understood why we needed XRIs and reading the opening of the syntax specification left me not a whole lot wiser, especially since the opening sentence:

Extensible Resource Identifiers (XRIs) provide a standard means of abstractly identifying a resource independent of any particular concrete representation of that resource—or, in the case of a completely abstract resource, of any representation at all

could equally be applied to URIs (or IRIs).

I subsequently came across the XRI and OpenID page in the inames wiki.  This goes someway towards explaining why XRIs are of interest, at least in the context of OpenID, including the following:

Why is this so important? If you as an individual begin using a domain-name based URL as your OpenID at websites across the net, and at some point in the future you lose that domain name to someone else (it expires and is not renewed, you lose it in a domain name dispute, you pass away), whoever the new registrant is now completely controls your OpenID identity. Ironically that happens because it's exactly how OpenID is designed to operate: the credentials for proving ownership of an identifier are now tied to resolution of the identifier itself, and not to the sites at which it is used.

XRI infrastructure prevents this form of identity misappropriation by automatically mapping every i-name to a synonymous persistent i-number (a non-reassignable XRI in which each subsegment starts with a !). OpenID relying parties store this i-number, rather than an the i-name, as the identifier of the user.

Another key feature of XRIs is that the entire resolution infrastructure supports HTTPS, so all XRIs can automatically use HTTPS resolution without it needed to be explicitly specified. (For technical reasons, OpenID URLs must have https:// typed explicitly by the user in order to use HTTPS resolution from the start.)

It'll interesting to see if XRIs get widely adopted within the OpenID world.  I haven't noticed it happening yet though, to be honest, I haven't looked very hard and it is early days anyway.  I'm guessing that the power and simplicity of the http and https URI will take some overcoming.


TrackBack URL for this entry:

Listed below are links to weblogs that reference XRI and OpenID:


Re-reading this today, I realise that the 'power and simplicity of the http and https URI' phrase doesn't capture what I meant. Especially since people can probably argue quite convincingly that for many users an iname is significantly 'simpler' than an https URI.

I guess what I mean is the 'ubiquity of the http and https URI' will take some overcoming. Sorry for any confusion.

Also, the W3C TAG doc "URNs, Namespaces and Registries"


(which seems to be kinda stuck in draft limbo) has a section which compares the xri: and http: URI schemes.

The comments to this entry are closed.



eFoundations is powered by TypePad