Yet Another Description of Yadis
From Yadis
This content is largely historical at this point.
- <Josh Hoyt> This is a page that I wrote to try to express what I think is the consensus about what Yadis is in order to be able to better evaluate the proposals for how Yadis is used. This page attempts to talk as little as possible about the implementation of Yadis but tries to cover all of the features and assumptions that make Yadis what it is. Please comment on the talk page.
Yadis stands for Yet Another Decentralized Identity Interoperability System. There is a loose understanding of what Yadis is trying to accomplish, based on the original specification and the discussion on the mailing list and this wiki. This document attempts to boil down that consensus into a definition that can be used to evaluate proposals for implementing Yadis.
This document attempts to describe what Yadis is as fully as possible without specifying any particular implementation.
What is a digital identity system?
Yadis is an "Identity Interoperability System" for digital identities. To understand what a digital identity system does, it's necessary to define digital identity. From http://www.identitygang.org/Lexicon:
[Digital identity is the] digital representation of a set of claims made by one digital subject about itself or another digital subject
That makes a digital identity system a system for making claims about an entity. Given that definition, Yadis is a protocol that provides interoperability between services that make claims about an entity. Yadis works by tying a set of claims to a single global identifier representing the entity. The global identifier for Yadis is a URI.
More precisely, Yadis is a protocol by which the owner of a URI can associate a certain set of digital identity services with that URI. Implementation of Yadis requires establishing a canonical form of an identity URI and then discovering the services associated with that URI and each service's identity-specific parameters.
A party that relies on Yadis will use a fixed discovery protocol to find the services for an identity URI. The relying party will treat that URI as the identifier for the entity controlling it.
Yadis is fundamentally decentralized, because a digital identity service does not need to explicitly provide support for Yadis to be used with Yadis. In fact, like delegation in OpenID, there is no way that a digital identity service can prevent its use within Yadis.
How can identity services use Yadis?
In order to use a service with Yadis, there must be a convention for representing, using, and possibly verifying the service's parameters as discovered from the identity URI. That convention can be developed by the owners of the service or it may be established separately.
Yadis and TypeKey
For example, TypeKey (http://typekey.com/) is a digital identity system that provides an API for relying parties to authenticate and retrieve profile information about TypeKey users. TypeKey does not use a URI as the identifier for its users. In order to use the API, the service needs to know the TypeKey identifier of the user.
To use TypeKey to provide information for a Yadis identity, the results of the discovery process would indicate that TypeKey was a provider of information, and that the identity used a particular TypeKey identity. Concretely:
- Yadis identity URI: http://slack.example.com/bob
  - Supported Services
    - TypeKey
      - Member Name: BobDobbs
A relying party that supports Yadis and TypeKey uses Yadis to associate the member name "BobDobbs" with the URI "http://slack.example.com/bob". The relying party then asks the user to authenticate with TypeKey without needing to provide TypeKey with Bob's Yadis identity URI. Once the TypeKey authentication is complete, if TypeKey indicates that "BobDobbs" has authenticated, the relying party knows that this user is the user who controls the Yadis identity URI.
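The relying-party side of that flow, as an added example that is not part of the original page and not code from the Yadis or TypeKey projects. The discovery-result structure, the `typekey` service identifier, the `member_name` parameter, the canonicalization rule and the in-memory `DISCOVERY_DB` are all assumptions standing in for the real discovery and TypeKey API; the point it shows is that the relying party must compare the member name TypeKey actually authenticated against the one discovered from the URI, rather than trusting whatever the user claimed.

```python
# Added example: a hypothetical relying party consuming a Yadis discovery
# result and binding a TypeKey authentication to an identity URI.
# Discovery-document layout, service identifier and parameter names are
# assumptions for illustration, not from the Yadis or TypeKey specifications.
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

TYPEKEY = "typekey"  # hypothetical identifier for the TypeKey service type


@dataclass
class Service:
    type: str      # which identity service this entry describes
    params: dict   # identity-specific parameters discovered for that service


@dataclass
class DiscoveryResult:
    identity_uri: str   # canonical identity URI the services belong to
    services: list      # list of Service entries


def canonicalize(uri: str) -> str:
    """Assumed canonical form for this example (not Yadis's own rule):
    lowercase scheme and host, default the path to '/', drop any fragment."""
    parts = urlsplit(uri)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


# Constructed discovery results keyed by canonical URI; stands in for the
# network fetch a real relying party would perform against the identity URI.
DISCOVERY_DB = {
    "http://slack.example.com/bob": DiscoveryResult(
        "http://slack.example.com/bob",
        [Service(TYPEKEY, {"member_name": "BobDobbs"})],
    ),
}


def discover(uri: str):
    """Return the DiscoveryResult for a URI, or None if nothing is published."""
    return DISCOVERY_DB.get(canonicalize(uri))


def select_service(result: DiscoveryResult, supported):
    """Pick the first discovered service the relying party also supports."""
    for svc in result.services:
        if svc.type in supported:
            return svc
    return None


def verify_typekey_login(identity_uri: str, authenticated_member: str,
                         supported=(TYPEKEY,)):
    """Bind a completed TypeKey authentication to the identity URI.

    `authenticated_member` is the member name TypeKey reports as having
    authenticated (a constructed stand-in for the real API response).
    Returns (True, canonical_uri) on success, else (False, reason).
    """
    result = discover(identity_uri)
    if result is None:
        return False, "no discovery result"
    svc = select_service(result, supported)
    if svc is None:
        return False, "no mutually supported service"
    # The security-relevant check: the member name TypeKey authenticated
    # must equal the one the URI's owner published, otherwise anyone with
    # any TypeKey account could claim control of this URI.
    if authenticated_member != svc.params.get("member_name"):
        return False, "member name does not match discovered parameter"
    return True, result.identity_uri


if __name__ == "__main__":
    print(verify_typekey_login("HTTP://Slack.Example.com/bob", "BobDobbs"))
    print(verify_typekey_login("http://slack.example.com/bob", "Connie"))
```

Running the block shows the matching case succeeding after canonicalization of the mixed-case URI, and the mismatch case (a different TypeKey member, "Connie", constructed for the example) being rejected even though the URI itself is valid.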