Gluu Blog


Ring not Rev : A proposal for the Global Registry Service

Mike S. July 12, 2012

Background

Since becoming a trustee of XDI.ORG, I have been engaged in a conversation about how to “rev” the XDI.ORG Global Registry Service (“GRS”). Rev means update the revision, which is necessary to adapt to the changes of the last few years. Should we repair a sinking ship, or should we launch a new ship?

While some XDI board members and staff have described the “smallness” of the effort required to just patch the existing Registry, there are still several considerations:

  1. Drafting an interim agreement or letter of intent with Neustar for 2012
  2. Formalizing a relationship between XDI.ORG and Neustar for 2013 and beyond
  3. Updating the GRS legal infrastructure if necessary
  4. Figuring out a new business model to support the perpetuity of the XDI Registry
  5. Creating a marketing campaign to back up the re-launch of a new GRS Service, i.e. launch an updated XDI.ORG web site with relevant information
  6. Communicating and coordinating with the existing i-brokers or other GRS stakeholders
  7. Documenting the design of the GRS, especially as XDI.ORG will be taking over operational oversight.
  8. Keeping the XDI.ORG board apprised of progress, and getting consensus

Let’s review the reasons why global i-names and i-numbers would be a good thing, and the associated pros and cons:

  1. i-names are shorter
    • PRO: The OpenID Connect 1.0 Discovery spec has reserved identifiers starting with “@” or “=” for XRI discovery, and they would be shorter than their email address equivalents. For example, “=username” is half the characters of “username@gmail.com”.
    • CON: Without the organizational component, with all users forced into one flat namespace, you probably won’t be able to get a nice short XRI anyway. And @gluu*mike might as well be mike@gluu.org
  2. XDI.ORG is a non-profit that enables people to fairly manage this shared flat namespace (“=” and “@”)
    • PRO: Clearly, a non-profit with a board looking out for the interests of registrants is better than a single for-profit entity (Twitter, for example, with their “@” identifiers). If we’re going to use this flat namespace, it might as well be fairly managed, like DNS domain names.
    • CON: This is a problem of our own creation, caused by not using the organizational component (i.e. “gluu.org”), where each domain would not have to worry about overlapping usernames.
  3. i-numbers provide a unique, stable, persistent identifier
    • PRO: Drummond’s summary: “XDI.org is the only non-profit org dedicated to ensuring that individuals have lifetime (or even better, longer-than-lifetime) persistent, portable, digital identifiers that they can control and use to be global citizens independent of any country, company, community or organization.” Putting my XDI technical hat on, I would also add that if you set out to merge the graphs of every entity on the Internet, it would be nice if each entity would have its own “DNA” and would not intersect with any other entity’s graph.
    • CON: There are many attributes that can be used to identify an entity; DNS-based identifiers are just one. Also, where necessary, certificates or other trust models can be used to ensure that you are in fact interacting with the same DNS endpoint.
  4. XRIs provide an abstraction layer on DNS-based identifiers
    • PRO: DNS domain names seem to change a lot. XRIs enable us to offer a more stable network identifier.
    • CON: There seem to be a lot of ways to work around this problem on the client itself that don’t involve launching the GRS.
  5. XRIs are portable
    • PRO: Modeled on the DNS domain name registry, Registrars interact with customers and use the Neustar API to commit record updates to the Registry Database. Operational readiness has been demonstrated by Neustar.
    • CON: This extra layer of complexity is completely unwarranted. It was deemed necessary due to a gargantuan miscalculation for demand for i-names.

This analysis of how to best “rev” the GRS has led me to repeatedly question whether XDI.ORG’s mission to operate a GRS still makes sense. What would rev’ing the GRS accomplish? When I asked the XDI.ORG board by email if anyone had a good justification for why XRIs were still needed, only one trustee and one officer responded in support. However, not being able to imagine XRI without a global registry does not intrinsically justify the endeavor. What has changed since the initial launch to make i-names or i-numbers any more compelling? The GRS puts the cart before the horse: there is still no killer app for XDI. What good is a phone number if there are no phones?

So now that your head is totally swimming from considering this simple little task of “rev’ing” the GRS, what is the right thing to do? And if the GRS is not needed, why do we need XDI.ORG? I went back to XDI.ORG’s website to remind myself of the organization’s mission. Three goals are listed on the About page:

  1. Manage the intellectual property rights for a new data interchange protocol
  2. Contribute these rights to open, public, royalty-free standards
  3. Offer public global services that help individuals and communities interoperate using these standards

Proposal

My net reaction to the above background was that rev-ing the GRS was not ambitious enough. If we are going to put the time into fixing the GRS, we should do it right the first time, not improve it incrementally. Here is the solution I am proposing to the XDI.ORG board. Not surprisingly, it advocates launching a new ship built with OX software:

  1. Shutter existing XRI 2.0 GRS

When you make a mistake, admit it, stop it, and, most importantly, don’t repeat it. As I mentioned above, the design of the GRS was driven by a miscalculation about the demand for i-names. Risks and mistakes go together, and honest mistakes can be fixed. i-names have not become a part of the Internet architecture, like domain names. In fact, consensus in the industry right now is that the email address is the best identifier for Internet discovery.

The complexity of the GRS is unwarranted, and is in fact a distraction from XDI.ORG’s mission: promoting XDI. Ironically, XDI does not require XRI. You could use a “cross-referenced” URI as the root of your graph. This is sort of like using the IP address instead of the DNS name; it’s not a big deal.

Without a GRS, I propose that XDI.ORG just host its own Registry. We should deploy XDI software on cloud servers, and publish the existing XRI database on XDI servers we control.

  2. XDI.ORG launches a Consumer OpenID Connect 1.0 Provider Service

I believe that XDI will be enabled by OpenID Connect. It is no use sending XDI messages to each other if we can’t verify who sent the messages. OpenID Connect serves consumer identity requirements well: it is secure, easy for website developers to use, and provides a handy authorization hook.

Offering people a free OpenID Connect account, not controlled by a company collecting information on you, would deliver real value to people. If you use Google as your IDP, they know every important website you visit. Who do you want holding that information: a non-profit dedicated to preserving your privacy, or a corporate entity selling the information to the highest bidder?

In no better way can XDI.ORG support the adoption of XDI than to leverage the current Internet standard for authentication. In so doing, XDI would be able to fill in the blanks about how XDI discovery should work with OpenID Connect. A simple rule would suffice: if you see an “@” or “=” at the beginning of the identifier, you just append “@xdi.org” to the end, and treat it like any other email based discovery. For example, =foo becomes =foo@xdi.org. I understand why large consumer IDPs bristle at one organization getting special treatment. Namespaces are the airwaves of the Internet. All I can say is that it would be a lucky break for XDI if our domain became the arbiter of the “@” and “=” namespace for OpenID Connect clients.
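As an added example (not code from the post, and not XDI.ORG or Gluu code), here is the discovery rule above written out, together with the WebFinger lookup that “email based discovery” means under OpenID Connect Discovery 1.0. The domain xdi.org is the one the post names; the rejection of identifiers that already embed a host, and the subject check on the WebFinger response, are this example’s own assumptions, added so that a crafted identifier such as “=foo@evil.example” cannot steer discovery to a host other than the registry.

```python
"""Added example: the proposed "@"/"=" discovery rule plus the WebFinger
lookup used by OpenID Connect Discovery 1.0. Not part of the original post."""
from urllib.parse import urlencode

XDI_ORG_DOMAIN = "xdi.org"  # the domain the post proposes appending
# WebFinger link relation that OpenID Connect Discovery uses to locate the issuer
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"


class InvalidIdentifier(ValueError):
    """Raised for identifiers that must not be passed on to discovery."""


def normalize_identifier(identifier: str) -> str:
    """Map a user-typed identifier onto the email form used for discovery.

    "=foo"            -> "=foo@xdi.org"   (the post's example)
    "bob@example.com" -> "bob@example.com" (ordinary email, untouched)

    Assumption of this example: an XRI-style identifier may not contain a
    second "@" or a "/", so "=foo@evil.example" is rejected rather than sent
    to an attacker-chosen host; a plain email must have exactly one "@".
    """
    ident = identifier.strip()
    if not ident or any(c.isspace() for c in ident):
        raise InvalidIdentifier("empty identifier or embedded whitespace")
    if ident[0] in "=@":
        if len(ident) < 2 or "@" in ident[1:] or "/" in ident:
            raise InvalidIdentifier("XRI-style identifier must not embed a host or path")
        return f"{ident}@{XDI_ORG_DOMAIN}"
    if ident.count("@") != 1 or ident.endswith("@"):
        raise InvalidIdentifier("expected a single user@host email identifier")
    return ident


def webfinger_request(identifier: str) -> tuple[str, str, str]:
    """Build the WebFinger (RFC 7033) lookup for an identifier.

    Returns (host, resource, url). The host is everything after the last "@",
    which for XRI-style identifiers is always xdi.org, and the request is
    always sent over HTTPS, as OpenID Connect Discovery requires.
    """
    email_form = normalize_identifier(identifier)
    host = email_form.rsplit("@", 1)[1]
    resource = "acct:" + email_form
    params = {"resource": resource, "rel": OIDC_ISSUER_REL}
    url = f"https://{host}/.well-known/webfinger?{urlencode(params)}"
    return host, resource, url


def issuer_from_jrd(jrd: dict, expected_resource: str) -> str:
    """Pick the OpenID Provider issuer out of a WebFinger JRD document.

    The issuer href must be https (required by OpenID Connect Discovery); the
    check that the JRD subject equals the queried resource is this example's
    own addition, so a response about some other account is not trusted.
    """
    if jrd.get("subject") != expected_resource:
        raise ValueError("JRD subject does not match the queried resource")
    for link in jrd.get("links", []):
        if link.get("rel") == OIDC_ISSUER_REL:
            href = link.get("href", "")
            if not href.startswith("https://"):
                raise ValueError("issuer location must use https")
            return href
    raise ValueError("no OpenID Connect issuer link in JRD")


# Constructed sample JRD, shaped like what an xdi.org WebFinger endpoint
# would return for "=foo"; the values are this example's own, not real data.
SAMPLE_JRD = {
    "subject": "acct:=foo@xdi.org",
    "links": [{"rel": OIDC_ISSUER_REL, "href": "https://xdi.org"}],
}


def demo() -> str:
    """Run the whole chain for the post's example identifier "=foo"."""
    _host, resource, _url = webfinger_request("=foo")
    return issuer_from_jrd(SAMPLE_JRD, resource)


if __name__ == "__main__":
    print(demo())  # -> https://xdi.org
```

The `resource` parameter is percent-encoded by `urlencode`, so the “=” and “@” in the acct URI survive the query string intact; the host is derived from the normalized identifier rather than from anything the user typed after the sigil.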

  3. Launch a free registration service for “=” i-names; use Captcha, SMS, and email verification to verify identity

This consumer registration process is effective, and it’s not that hard to implement. When people register, you let them choose an “=” i-name. So simple compared to the current “go to an i-broker and establish an account” signup workflow.

  4. No registration for “@” XRIs!!!!

Although we should migrate the “@” XRIs of current Registrants, I don’t think we should register any more, for at least two reasons: (1) organizational registration is well served by DNS domain names; (2) Twitter is the de facto “@” domain despot. Maybe sometime in the future we can collaborate with Twitter on interoperability, so let’s not make the problem any worse.

  5. Registrant Notification

We will need a program to try to contact existing i-name holders to tell them how to access their migrated account.

  6. XDI Ready

By updating the Registry in this way, we would be ready for XDI messaging. Finally, there will be an XDI endpoint that websites will be able to query. People with accounts on XDI.ORG will be able to send XDI messages to each other. This would put us in a place that XDI has never been, and provide the foundation to enable us to launch the next round of tools and applications that leverage the infrastructure.

  7. Project Launch Funding

This project will be funded by a CrowdTilt campaign that will close on Saturday 8/11/2012. We will try to secure pledges from corporate sponsors, but hopefully individuals will also contribute. Gluu will initially fund the project while the CrowdTilt campaign is in process, but Gluu will be paid back for its actual cost.

  8. Sustaining Business Model

XDI.ORG will be donation funded and will endeavor to provide free or inexpensive services to Registrants.

  9. Marketing

We push the concept of “The Ring” as a safe network for consumers. See my YouTube Video. The XDI.ORG website needs to be modified to communicate this vision to the public. XDI.ORG needs to reach out to industry research analysts and the press to generate buzz for the CrowdTilt campaign.

  10. Schedule

The migration would be complete by the Internet Identity Workshop on 10/23/2012 (roughly 12 weeks).

  11. Wait, what about XRIs?

We still like ’em… if you don’t want to use them, suit yourself. But it’s no different than Twitter defining their own domain-specific syntax for identifiers. Your XRI is just the OpenID Connect 1.0 user name issued by XDI.ORG.

  12. Contribution of OX XDI IP to XDI.ORG

To eliminate any perceived conflict of interest in promoting the software of one vendor over another, Gluu will contribute all source code of the OX XDI software to XDI.ORG. The software is already packaged under “org.xdi” in the Java name hierarchy. This contribution includes over 4,000 hours of work on oxServer alone by OX’s lead developer, Yuriy Zabrovarnyy, plus many contributions from other Gluu team members. The value of this contribution is well in excess of $100,000.

The above proposal is obviously offered after quite a bit of reflection. My instincts and emotions pointed me in many other directions at times. However, in order to survive, XDI.ORG needs to engage the market with a much more compelling vision and roadmap for adoption. It is time to lead or get out of the way.

Mike Schwartz

Mike has been an entrepreneur and identity specialist for more than two decades. He is the technical and business visionary behind Gluu. Mike is an application security expert and has been a featured speaker at RSA Conference, Gartner Catalyst, Cloud Identity Summit (now "Identiverse") and many other security conferences around the world.