Using GRDDL to ground OpenID in URI space

Dan Connolly

OpenID origins: blog comments

Alice wants thoughtful comments from Bob; she doesn't want spam.

On the other hand...


  1. What stops Charlie from forging a comment using Bob's page?
  2. Who is Charlie anyway? Is he just a google karma fraudster?

OpenID solves #1, but only paves the way to #2.

Why OpenID is great

How OpenID works

  1. Alice's blog prompts for an OpenID (URL/URI) in the comment form
  2. Bob submits a comment with his OpenID
  3. Alice's blog GETs Bob's OpenID page, finds a pointer to an auth service, redirects Bob to the auth service
  4. Auth service authenticates Bob (using anything from passwords to smartcards)
  5. Auth service redircts Bob to Alice's blog with a "yes, that's him" cookie.

A mix between kerberos and email callback, if you like.

OpenID pointer markup

What does the pointer look like?

<link rel="openid.server" href="">

Hello-world example from the OpenID spec.

HTML Tag Wars, thinly diguised

<link rel="openid.server" href="">

Grounding HTML link relationships with profiles

OpenId Simple Registration

Do these look familar?

Any UTF-8 string that the End User wants to use as a nickname.
The email address of the End User as specified in section 3.4.1 of [RFC2822] (Resnick, P., Internet Message Format, .).
UTF-8 string free text representation of the End User's full name.
The End User's date of birth as YYYY-MM-DD. Any values whose representation uses fewer than the specified number of digits should be zero-padded. The length of this value MUST always be 10. If the End User user does not want to reveal any particular component of this value, it MUST be set to zero.
For instance, if a End User wants to specify that his date of birth is in 1980, but not the month or day, the value returned SHALL be "1980-00-00".
The End User's gender, "M" for male, "F" for female.
UTF-8 string free text that SHOULD conform to the End User's country's postal system.
The End User's country of residence as specified by ISO3166.
End User's preferred language as specified by ISO639.
ASCII string from TimeZone database
For example, "Europe/Paris" or "America/Los_Angeles".

source: OpenID Simple Registration Extension 1.0 June 2006

Other data on my homepage

My homepage is my OpenID and my FOAF file, my hCard, my travel schedule, etc.

         openid:delegate <>;
         openid:server <>;
         dc:created "1994-02";
         dc:license <
         foaf:primaryTopic <> .

         foaf:img <>;
         foaf:mbox <>;
         foaf:name "Dan Connolly";
         vcard:email <>;
         vcard:fn "Dan Connolly";         vcard:n  [
              a vcard:Name;
              vcard:family-name "Connolly";
              vcard:given-name "Dan" ];
         vcard:photo <>;

    <>     a :Vevent;
         :attendee <>;
         :dtstart "2007-05-06"^^xsdt:date;
         :dtend "2007-05-13"^^xsdt:date;
         :location "Banff, Canada";
         :status "tentative";
         :summary "W3C AC meeting, WWW2007";
         :url <> .

Microsoft InfoCard claims exchange

At least these are URIs...

  <IC:add claimType=""
      optional="false" />
  <IC:add claimType=""
      optional="false" />
  <IC:add claimType=""
      optional="false" />

source: my notes on the W3C Security workshop where InfoCard, SXIP, etc. were presented

Policy Design: Source of claims, ...

Have only just started noodling on these...