[OpenID] XRIs for authenticating non people "resources"

Peter Williams pwilliams at rapattoni.com
Mon Apr 14 17:12:50 UTC 2008


Wanting to discover the practical limits of where it's reasonable to go (in what timeframe) with XRI in OpenID2, I noted in the Wikipedia XRI article certain XRI examples that do NOT denote people.
xri://broadview.library.example.com/(urn:isbn:0-395-36341-1)/(+hardcover)
xri://broadview.library.example.com/(urn:isbn:0-395-36341-1)/(+softcover)
xri://broadview.library.example.com/(urn:isbn:0-395-36341-1)/(+reference)
As I could not see any limits imposed on XRI name forms in OpenID2 specs, I wondered about applying the notion to US realty infrastructure issues.

In US realty, we have the data on a couple of billion current and historical listings (your homes and offices for sale, rent...) that are today referenced by a URL. Yes, of course, lots of people are then linked to those listing records (the agents, the interested parties, the buyers and sellers and the N other professionals to be used in closing a residential-market 6-figure transaction..., and then all the SSO links to those N professionals' banking/insurance/recording/brokering management systems). The control system for distributing the attribute schema, attribute and object metadata and the identities of the management authorities is all run in a pure peer-to-peer model today (i.e. 100% distributed as PRMDs, to use an ancient ISO term), where each local authority is represented by the domain-name address of the server endpoint.

If I now wanted to make a directory forest of all the authorities (vs. the listings), I suppose I'm really rebuilding the classical Active Directory forest-of-forests model. I'm guessing it would be appropriate to exploit the form of cross-referencing XRIs given above. For each city's listing service, xri://nationalmls.com, the embedded URI in parentheses could be today's (fully qualified) query-based URL to a particular listing authority, giving something such as
xri://nationalmls.com/(http://demo.crt.realtors.org:6103/rets/search?Class=ResidentialProperty&Format=XML&Limit=1&Query=%28LN%3d0%2b%29&QueryType=DMQL2&SearchType=Property&StandardNames=0)

(Obviously, the query and querytype could easily be SPARQL instead of DMQL2, for greater interoperability with the web mashup world.)

If I wanted to reference the very framework for the web of trust for a peer-to-peer "trusted naming graph" representing those authorities' actual reciprocal/data-sharing arrangements, it could presumably take a form such as
xri://nationalmls.com/(urn:inet?url=http://localmls.com/rets/foaf/wotont.rdf&parsetype=rdf)/
Now that URN doesn't exactly look well formed, even if it is legal syntax. On the basis that I can similarly embed JavaScript (via data-protocol encoding), presumably I can go one step further and just put code in the XRI name too, indirectly referencing private class namespaces that understand my private web protocol.
xri://nationalmls.com/(data:text/xml;base64,bmV3IENPTS5SQVBBVFRPTkkuUmFwTUxTLkRhdGFTb3VyY2UoImluZXQ/dXJsPWh0dHA6Ly9sb2NhbGhvc3Q6NzA1Ni9yZXRzL2ZvYWYvd290b250LnJkZiZwYXJzZXR5cGU9cmRmIik=)

As long as the trusted resolver mode of XRI is being used in the OpenID2 handshake, we could arrange for an Authenticode-like basis for accrediting the source of the JavaScript built into the name form. Obviously, runtime classes can be easily digitally signed these days for online distribution, limiting their runtime privileges as appropriate. Appropriate encoding of this URI would be required of course, mitigating XSS vulnerabilities.
Anyone doing anything like this with XRI and OpenID? There may be opportunity to run a simple gateway for us, to experiment with the praxis of XRI cross-referencing as a means of implementing "forest of forest" trust models in OpenID2.
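As an added illustration of the relying-party side of the cross-reference forms discussed in this post (this is example code written for this page, not code from the post, from OpenID, or from any XRI library), the following Python script splits an XRI into its parenthesised cross-references, classifies each as an XRI, a URN, a URL or a data: URI, decodes base64 data: payloads and refuses to accept an identifier whose embedded payload looks like code rather than the data its media type declares. The sample XRIs are the ones quoted above; the media-type allowlist, the urn: syntax check and the code-pattern heuristic are this example's own assumptions, not anything a specification mandates. Note that the post's data: example declares text/xml while its payload decodes to a JavaScript constructor call, which is exactly the mismatch a resolver should notice before it trusts the declared type.

```python
"""Inspect XRI cross-references before a relying party acts on them.

Example code added for this page (not from the mailing-list post or from
any OpenID/XRI implementation). Policy values below are illustrative.
"""
import base64
import re
from urllib.parse import unquote, urlparse

# Constructed sample identifiers, copied from the post above.
SAMPLES = {
    "isbn": "xri://broadview.library.example.com/(urn:isbn:0-395-36341-1)/(+hardcover)",
    "rets": "xri://nationalmls.com/(http://demo.crt.realtors.org:6103/rets/search?Class=ResidentialProperty"
            "&Format=XML&Limit=1&Query=%28LN%3d0%2b%29&QueryType=DMQL2&SearchType=Property&StandardNames=0)",
    "urn_inet": "xri://nationalmls.com/(urn:inet?url=http://localmls.com/rets/foaf/wotont.rdf&parsetype=rdf)/",
    "data_js": "xri://nationalmls.com/(data:text/xml;base64,bmV3IENPTS5SQVBBVFRPTkkuUmFwTUxTLkRhdGFTb3VyY2UoImlu"
               "ZXQ/dXJsPWh0dHA6Ly9sb2NhbGhvc3Q6NzA1Ni9yZXRzL2ZvYWYvd290b250LnJkZiZwYXJzZXR5cGU9cmRmIik=)",
}

# Assumed policy: media types a resolver is willing to accept inside a data: cross-reference.
ALLOWED_DATA_TYPES = {"text/plain", "text/xml", "application/rdf+xml"}
# Assumed heuristic: a decoded payload that opens like a script is code, whatever its declared type.
CODE_HINTS = re.compile(r"^\s*(new|function|var|let|const)\b|<script|\beval\s*\(", re.IGNORECASE)
# RFC 2141 shape: urn:<NID>:<NSS>, NID being alphanumerics/hyphens followed by a colon.
URN_SYNTAX = re.compile(r"^urn:[A-Za-z0-9][A-Za-z0-9-]{0,31}:.+", re.IGNORECASE)


def parse_xri(xri):
    """Return (authority, segments); a segment is ('xref', text) for a balanced
    parenthesised cross-reference or ('path', text) for a plain component.
    Percent-encoded parentheses (%28 / %29) are data, not delimiters."""
    if not xri.lower().startswith("xri://"):
        raise ValueError("not an xri:// identifier")
    authority, _, path = xri[6:].partition("/")
    segments, i = [], 0
    while i < len(path):
        if path[i] == "(":
            depth, j = 0, i
            while j < len(path):
                if path[j] == "(":
                    depth += 1
                elif path[j] == ")":
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            if depth != 0:
                raise ValueError("unbalanced cross-reference")
            segments.append(("xref", path[i + 1:j]))
            i = j + 1
        else:
            j = path.find("/", i)
            j = len(path) if j == -1 else j
            if j > i:
                segments.append(("path", path[i:j]))
            i = j
        if i < len(path) and path[i] == "/":
            i += 1
    return authority, segments


def decode_data_uri(text):
    """Split data:<mediatype>[;params][;base64],<payload> into (media_type, bytes)."""
    header, _, payload = text[5:].partition(",")
    params = header.split(";")
    media_type = params[0].lower() or "text/plain"
    if "base64" in (p.lower() for p in params[1:]):
        return media_type, base64.b64decode(payload, validate=True)
    return media_type, unquote(payload).encode()


def inspect_xref(xref):
    """Classify one cross-reference and attach an accept/reject verdict."""
    if xref and xref[0] in "=@+$!":  # XRI global context symbol: a nested XRI
        return {"kind": "xri", "value": xref, "verdict": "accept"}
    scheme = xref.split(":", 1)[0].lower() if ":" in xref else ""
    if scheme == "urn":
        ok = URN_SYNTAX.match(xref) is not None
        return {"kind": "urn", "value": xref, "verdict": "accept" if ok else "reject: malformed urn"}
    if scheme in ("http", "https"):
        u = urlparse(xref)
        return {"kind": "url", "host": u.hostname, "query": unquote(u.query), "verdict": "accept"}
    if scheme == "data":
        media_type, body = decode_data_uri(xref)
        decoded = body.decode("utf-8", "replace")
        finding = {"kind": "data", "media_type": media_type, "decoded": decoded}
        if media_type not in ALLOWED_DATA_TYPES:
            finding["verdict"] = "reject: media type not allowed"
        elif CODE_HINTS.search(decoded):
            finding["verdict"] = "reject: payload looks like code despite declared type"
        else:
            finding["verdict"] = "accept"
        return finding
    return {"kind": "unknown", "value": xref, "verdict": "reject: unrecognised scheme"}


def check_xri(xri):
    """Parse an XRI; accepted is True only when every cross-reference passes policy."""
    _, segments = parse_xri(xri)
    findings = [inspect_xref(text) for kind, text in segments if kind == "xref"]
    return all(f["verdict"] == "accept" for f in findings), findings


if __name__ == "__main__":
    for name, xri in SAMPLES.items():
        accepted, findings = check_xri(xri)
        print(name, "ACCEPT" if accepted else "REJECT", [f["verdict"] for f in findings])
```

The parser keeps the cross-reference boundary and the embedded URL's own syntax separate: the realtors.org URL survives only because its inner parentheses are percent-encoded, which is the "appropriate encoding" the post mentions, and an unencoded `)` inside a query would have terminated the cross-reference early. Rejecting on decoded content rather than on the declared media type is the defensive choice; a resolver that dispatches on `text/xml` alone would hand a script to an XML parser or, worse, to whatever private class namespace the identifier names.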