XDI Link Contracts (W1K)

From IIW

Session Topic: XDI Link Contracts (W1K)

Convener: Mike Schwartz

Notes-taker(s): Joe Savak

Tags for the session - technology discussed/ideas considered:


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

The internet is broken

  • URIs are not persistent.
  • XRI is an abstraction layer on top of URI. Resolving an XRI will get a URI.

Internet != Web.

Internet needs a better infrastructure for naming to secure data. It wasn’t designed for security. It’s hard to make sense of the data on the internet.

Security must be portable and interoperable.


XRI 3.0: extensible resource identifier. New standard

XDI 1.0: extensible data


Who maintains registry: Neustar keeps names to identifiers persistent.

IName = !gluu assigned to INumber = @!DA….


IName could be @gluu, @gluu*mike; =Schwartz.

Parentesis around URI cross references it for XRI


XDI says if we want to represent personal data, we can do it in multiple ways. Need to put data in the right way in the first place. Graph gave us the most flexible system to ask the hard questions.


XRI are the points. XDI connects these points to make a graph. Ex: =schwarts/+age/data(+41)


Semantics – allows interdomain security. Semantics delayed the spec for years.


Hardcoded security rules in social networks – previous standards not good to help people make their own rules. Working with IDQ at MIT for declarative security.


OxGraph – browser for XDI (produced through openXDI) – create memory model for XDI to prove the spec.


OpenXDI project:

  • language bindings
  • Server (J2EE/LDAP)
  • oxGraph
  • oxAuth: oauth 2.0 authZ server using XDI graphs to persist tokens;
  • oxTrust: UI for org IDP;
  • oxModel: ReST interfaces

XDI 1 standard; XRI 3 is ready to go. Need to get it to OASIS. Need funding to write standard.


White listing in XDI? –

When you make an XDI message from a client to a server, need to reference link contract (XRI address) and must be pre-specified (or can do discovery). The other thing it’ll look for is an access token. XRI registry would return service endpoints originally – but this point we resolve to URI and can use XDI to query for authN preferences.


XDI for Mom & Pop shops?

No – initially it should be for businesses – but it really isn’t that complicated.


The architectures that arise organically from XDI/XRI could become complicated. Maybe the right tools would help. Allowing someone to write rules right for them is powerful. What likelyhood near term for XDI?

MIT was interested in this project – it’s a framework really right now. The current solutions are complicated themselves. Really we need to spread the word and get people more familiar with it to make it simpler. XDI/XRI isn’t really that hard.


We just need to hide it from the user more.

Users aren’t even using the ReST interfaces. Tools to write the rules instead of writing rules themselves. Graphs can be made, but making it easier for users to make the graphs is a harder problem. Even app developers wouldn’t make the graphs. They will be using the ReST interfaces to make the graphs.