[OpenID] Applying the XRI synonym mechanism to OpenID/Yadis

Martin Atkins mart at degeneration.co.uk
Thu Jan 18 20:15:31 UTC 2007

Hi all,

One thing I've been pondering recently is the issue of identifier 
synonyms as we've discussed on several previous occasions.

XRI already offers a solution to this, so I'm wondering if we can borrow 
from XRI's mechanism either fully or partially. The goal as I see it is 
to map an arbitrary number of "display identifiers" to a single 
canonical "key" identifier; in the XRI world the former are generally 
i-names and the latter are usually i-numbers. In OpenID land they are 
all just identifier URLs.

My understanding of the XRI mechanism is incomplete, so first allow me 
to throw out what I currently understand and hopefully Drummond or 
someone else can fill in the gaps for me or correct me as necessary:

When you resolve an XRI, you ultimately end up with an XRDS document[1]. 
Inside this document is, amongst other things, a <CanonicalID> element 
which gives the i-number that the display i-name represents. Multiple 
i-names can point at a single i-number, and these i-names are known as 

When processing an OpenID login with an XRI, the endpoint is found via 
XRI resolution instead of OpenID or Yadis discovery. In addition to 
regular OpenID authentication, the RP must perform an additional step to 
verify that the nominated canonical i-number agrees that it can be 
represented by the given i-name. I'm not sure of the specifics of how 
this step is implemented beyond the fact that it must be to avoid any 
user claiming any arbitrary i-number.

So can we apply this to OpenID? Here are some initial thoughts/questions:

  * The CanonicalID element in the XRD contains a URI, so there's no 
syntactic reason why we can't throw http: or https: URIs in there 
instead of xri: ones and include it in Yadis XRD responses.

  * The main sticking point is whether we can apply the 
"synonym-checking" mechanism employed for XRI to validate OpenID 
URL-based synonyms.

  * We must consider the performance implications of adding this 
additional verification step to the login process.

  * Since OpenID URLs are volatile and re-assignable, is it safe to 
substitute them for i-numbers as used in the XRI mechanism? In 
particular, what happens if the provider of my canonical identifier goes 
away? Can I switch to a different canonical identifier without losing 
all of my accounts, or are we just re-creating the identifier assignment 
problem with a few more layers of abstraction?

  * Can I use my XRI i-number as the CanonicalID for an OpenID 
identifier? (i.e. can we inter-breed identifiers?)

  * Can I take my several existing distinct identifers, all of which 
I've previously used, and retroactively decide to make them synonyms? 
What happens to my existing accounts on various sites?

I don't claim to have all (any?) of the answers, but I do think this is 
an important topic to discuss, so, um... discuss?


[1] You also fetch an XRDS document when performing Yadis discovery.

More information about the general mailing list