[OpenID] Applying the XRI synonym mechanism to OpenID/Yadis
mart at degeneration.co.uk
Thu Jan 18 20:15:31 UTC 2007
One thing I've been pondering recently is the issue of identifier
synonyms as we've discussed on several previous occasions.
XRI already offers a solution to this, so I'm wondering if we can borrow
from XRI's mechanism either fully or partially. The goal as I see it is
to map an arbitrary number of "display identifiers" to a single
canonical "key" identifier; in the XRI world the former are generally
i-names and the latter are usually i-numbers. In OpenID land they are
all just identifier URLs.
My understanding of the XRI mechanism is incomplete, so first allow me
to throw out what I currently understand and hopefully Drummond or
someone else can fill in the gaps for me or correct me as necessary:
When you resolve an XRI, you ultimately end up with an XRDS document.
Inside this document is, amongst other things, a <CanonicalID> element
which gives the i-number that the display i-name represents. Multiple
i-names can point at a single i-number, and these i-names are known as
When processing an OpenID login with an XRI, the endpoint is found via
XRI resolution instead of OpenID or Yadis discovery. In addition to
regular OpenID authentication, the RP must perform an additional step to
verify that the nominated canonical i-number agrees that it can be
represented by the given i-name. I'm not sure of the specifics of how
this step is implemented beyond the fact that it must be to avoid any
user claiming any arbitrary i-number.
So can we apply this to OpenID? Here are some initial thoughts/questions:
* The CanonicalID element in the XRD contains a URI, so there's no
syntactic reason why we can't throw http: or https: URIs in there
instead of xri: ones and include it in Yadis XRD responses.
* The main sticking point is whether we can apply the
"synonym-checking" mechanism employed for XRI to validate OpenID
* We must consider the performance implications of adding this
additional verification step to the login process.
* Since OpenID URLs are volatile and re-assignable, is it safe to
substitute them for i-numbers as used in the XRI mechanism? In
particular, what happens if the provider of my canonical identifier goes
away? Can I switch to a different canonical identifier without losing
all of my accounts, or are we just re-creating the identifier assignment
problem with a few more layers of abstraction?
* Can I use my XRI i-number as the CanonicalID for an OpenID
identifier? (i.e. can we inter-breed identifiers?)
* Can I take my several existing distinct identifers, all of which
I've previously used, and retroactively decide to make them synonyms?
What happens to my existing accounts on various sites?
I don't claim to have all (any?) of the answers, but I do think this is
an important topic to discuss, so, um... discuss?
 You also fetch an XRDS document when performing Yadis discovery.
More information about the general