Using GRDDL to ground OpenID in URI space

Dan Connolly
W3C/ MIT

OpenID origins: blog comments

Alice wants thoughtful comments from Bob; she doesn't want spam.

• "Yet another username and password? Never mind."
• "Email callback. Bother. Never mind."
• "Oh. You want my email address. You're probably not going to give it to spammers on purpose, but I'm not going to risk it. Never mind."

On the other hand...

• "I have more to say than just this comment; read my blog/homepage..."

But...

1. What stops Charlie from forging a comment using Bob's page?
2. Who is Charlie anyway? Is he just a google karma fraudster?

OpenID solves #1, but only paves the way to #2.

Why OpenID is great

• single sign-on
  • or: as many personas as you like
• ID portability a la email DNS/MX, cellphones
• no central identiy service provider
  • competitive market: myopenid, verisign PIP, ...
• reduced liability for novel (blog/photo...) service providers

How OpenID works

1. Alice's blog prompts for an OpenID (URL/URI) in the comment form
2. Bob submits a comment with his OpenID
3. Alice's blog GETs Bob's OpenID page, finds a pointer to an auth service, redirects Bob to the auth service
4. Auth service authenticates Bob (using anything from passwords to smartcards)
5. Auth service redircts Bob to Alice's blog with a "yes, that's him" cookie.

A mix between kerberos and email callback, if you like.

OpenID pointer markup

• Alice's blog GETs Bob's OpenID page, finds a pointer to an auth service, redirects Bob to the auth service

What does the pointer look like?

<link rel="openid.server" href="http://openid.example.com/">

Hello-world example from the OpenID spec.

HTML Tag Wars, thinly diguised

<link rel="openid.server" href="http://openid.example.com/">

• Remember the HTML tag wars? table, blink, marquee, etc.
• Are values of rel= all that different from tag names?
• openid.server is less likely to collide than server, just like emacs lisp function names are less likely to collide if you prefix them with your initials. Boring
• WebArch 101: Use URIs.

  See also TAG issues URNsAndRegistries-50, standardizedFieldValues-51

Grounding HTML link relationships with profiles

• What do I mean by openid.server on my homepage?
• Follow your nose thru the profile...

  <head profile="http://dig.csail.mit.edu/2007/id/doc"
    <link rel="openid.server" href="http://pip.verisignlabs.com/server" />
  

• Semantic Web (GRDDL-aware) agents find glean_openid.xsl which gives them RDF:

  @prefix openid: <http://dig.csail.mit.edu/2007/id/doc#> .
  
  <http://www.w3.org/People/Connolly/>
           openid:delegate <http://connolly.pip.verisignlabs.com/>;
           openid:server <http://pip.verisignlabs.com/server>;
  

OpenId Simple Registration

Do these look familar?

openid.sreg.nickname:

Any UTF-8 string that the End User wants to use as a nickname.

openid.sreg.email:

The email address of the End User as specified in section 3.4.1 of [RFC2822] (Resnick, P., Internet Message Format, .).

openid.sreg.fullname:

UTF-8 string free text representation of the End User's full name.

openid.sreg.dob:

The End User's date of birth as YYYY-MM-DD. Any values whose representation uses fewer than the specified number of digits should be zero-padded. The length of this value MUST always be 10. If the End User user does not want to reveal any particular component of this value, it MUST be set to zero.
For instance, if a End User wants to specify that his date of birth is in 1980, but not the month or day, the value returned SHALL be "1980-00-00".

openid.sreg.gender:

The End User's gender, "M" for male, "F" for female.

openid.sreg.postcode:

UTF-8 string free text that SHOULD conform to the End User's country's postal system.

openid.sreg.country:

The End User's country of residence as specified by ISO3166.

openid.sreg.language:

End User's preferred language as specified by ISO639.

openid.sreg.timezone:

ASCII string from TimeZone database
For example, "Europe/Paris" or "America/Los_Angeles".

• Again, no URIs
• Overlaps with vCard, FOAF, P3P, ...

source: OpenID Simple Registration Extension 1.0 June 2006

Other data on my homepage

My homepage is my OpenID and my FOAF file, my hCard, my travel schedule, etc.

<http://www.w3.org/People/Connolly/>
         openid:delegate <http://connolly.pip.verisignlabs.com/>;
         openid:server <http://pip.verisignlabs.com/server>;
         dc:created "1994-02";
         dc:license <http://www.w3.org/Consortium/Legal/2002/copyright-documents
-20021231>;
         foaf:primaryTopic <http://www.w3.org/People/Connolly/#me> .

    <http://www.w3.org/People/Connolly/#me>
         foaf:img <http://www.w3.org/People/Connolly/9704/dan_c_thumb.jpg>;
         foaf:mbox <mailto:connolly@w3.org>;
         foaf:name "Dan Connolly";
         vcard:email <mailto:connolly@w3.org>;
         vcard:fn "Dan Connolly";         vcard:n  [
              a vcard:Name;
              vcard:family-name "Connolly";
              vcard:given-name "Dan" ];
         vcard:photo <http://www.w3.org/People/Connolly/9704/dan_c_thumb.jpg>;

    <http://www.w3.org/People/Connolly/#_5055_www2007>     a :Vevent;
         :attendee <http://www.w3.org/People/Connolly/#me>;
         :dtstart "2007-05-06"^^xsdt:date;
         :dtend "2007-05-13"^^xsdt:date;
         :location "Banff, Canada";
         :status "tentative";
         :summary "W3C AC meeting, WWW2007";
         :url <http://www2007.org/> .

Microsoft InfoCard claims exchange

At least these are URIs...

  <IC:add claimType="http://schemas.microsoft.com/ws/2005/05/identity/claims/emailaddress"
      optional="false" />
  <IC:add claimType="http://schemas.microsoft.com/ws/2005/05/identity/claims/givenname"
      optional="false" />
  <IC:add claimType="http://schemas.microsoft.com/ws/2005/05/identity/claims/surname"
      optional="false" />

source: my notes on the W3C Security workshop where InfoCard, SXIP, etc. were presented

Policy Design: Source of claims, ...

Have only just started noodling on these...

• Who makes the claim(s)?
  • In OpenID simple registration: the identity provider
• What claims should we trust the requestor to make?
  • if someone's home page says that they are a vegetarian, then we believe that they are a vegetarian
    • log:includes section of the cwm/N3 tutorial, Sep 2006 presentation to ACL2 seminar
  • If your homepage says you wrote ?DOC and ?DOC points to your homepage.
• See also Identity consolidation with the XFN rel="me" value in XFN: Services & Technologies

Summary:

• Use HTML profiles to ground OpenID link relationships in URI space
• Use GRDDL to look at OpenID links as RDF statements
• Explore interaction between FOAF, hCard, XFN, and OpenID