We have been busy working on SXIP 2.0, taking into account feedback that we have received over the past year. Probably the biggest change in the architecture is that the Rootsite is no longer required. Delegation of authority is now decentralized. Building on LID and OpenID, personas are now identified by URLs, rather than a number managed by the Rootsite. I like to call them PURLs. The document at a PURL contains microformat tags that list which Homesites are authoritative for the PURL, allowing multiple Homesites to be authoritative for a PURL.
The next big change is dropping PKI for message verification. The Membersite still sends the request through the browser to the Homesite, and the response from the Homesite to the Membersite also goes back through the browser. But rather than digitally signing the message, the Homesite sends a cookie which is a function of the message and a secret. The Membersite verifies that the Homesite is authoritative for the PURL, and then sends the cookie and a digest of the message directly to the Homesite to verify the message was not modified. The Homesite does not need to share its secret with anyone, and the whole protocol is stateless, allowing it to map well to RESTful interactions.
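The cookie exchange described above, as an added example that is not code from the post or from SXIP itself. It assumes HMAC-SHA256 as the "function of the message and a secret", a hypothetical microformat class name `sxip-homesite` in the PURL document, and models the Membersite's direct call to the Homesite as a local method call:

```python
import hashlib
import hmac
import re

# Constructed PURL document; the microformat class name "sxip-homesite" is an assumption.
PURL_DOCUMENT = """<html><body>
<a class="sxip-homesite" href="https://homesite.example/">primary</a>
<a class="sxip-homesite" href="https://backup.example/">backup</a>
</body></html>"""


def authoritative_homesites(purl_document):
    """Homesite URLs the PURL document declares as authoritative (several are allowed)."""
    return set(re.findall(r'class="sxip-homesite"\s+href="([^"]+)"', purl_document))


def message_digest(message):
    """Digest the Membersite sends to the Homesite instead of the full message."""
    return hashlib.sha256(message).hexdigest()


class Homesite:
    """Holds one secret and no per-message state: the cookie is recomputable from the digest."""

    def __init__(self, secret):
        self._secret = secret

    def issue_cookie(self, message):
        """Cookie = HMAC-SHA256(secret, digest(message)); the post does not fix the function."""
        return hmac.new(self._secret, message_digest(message).encode(), hashlib.sha256).hexdigest()

    def verify(self, digest, cookie):
        """Back-channel check: recompute from the digest and compare in constant time."""
        expected = hmac.new(self._secret, digest.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, cookie)


def membersite_accepts(purl_document, homesite_url, homesite, message, cookie):
    """Membersite side: (1) is this Homesite authoritative for the PURL? (2) does it confirm the cookie?"""
    if homesite_url not in authoritative_homesites(purl_document):
        return False  # not listed in the PURL document, so it cannot vouch for this PURL
    # In SXIP this is a direct HTTP call to the Homesite; modelled here as a method call.
    return homesite.verify(message_digest(message), cookie)
```

The secret never leaves the Homesite, and because the cookie is derived from the message digest alone the Homesite keeps no per-request state.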
As the subject line suggests, this post is a teaser! Stay tuned for draft specifications!
3 comments
December 15, 2005 at 1:26 pm
weston
purls … knitting together the fabric of online identity.
December 17, 2005 at 8:43 am
logothete
PURL? That might be confusing. There is already an OCLC project by that name. http://purl.oclc.org/
just fyi …
December 21, 2005 at 4:27 pm
nate
finally, a smart way to rate blogs.