Cautions:

     Lest anyone find themselves wondering, what follows is intended to move
towards explicit and precise language that we can all agree on.

     To do that, I had to question quite a bit of your text.

     The good news is that your text raised a lot of questions that I think are
basic and resolving them is likely to be extremely useful.

     Your extended examples are quite good at making the usage of DIX
concrete.  (A minor question is how much group consensus there is that these
examples represent the range of DIX usage; I suspect the issue is not whether
the examples are "wrong" but whether they define the scope of DIX usage
sufficiently.)

     I think the more terse language in the lists, at the beginning of your
message, perhaps assumes too much a priori understanding/context.  Therefore,
much of what I ask, in the following, is really intended to find language for
these lists that will have more common, immediate and precise meaning to a wide
range of readers.

(By the way, the cost of your sending such a lengthy and thoughtful note is a
lengthy response.  Whether it, too, is thoughtful, well... it tries to be.)


Problem Statement

The Internet is host to many online information sources and services. There is a growing demand for users to identify, and provide information about themselves.

So, the focus of the DIX effort is about identification of users, and then being
able to (automatically) provide a range of attributes associated with those 
users?

(I believe others on the list see the scope as much more broad.)


Users bear the burden of managing their own
authentication materials and repeatedly providing their identity information. Signing in to web pages and completing user registration forms is an example.

The examples are useful. However, I suggest clarifying what is meant by "authentication materials".

Although I have my own guesses about what that term refers to, I suspect each of
us differs quite a bit in our guesses.  And for a working group charter, such
guessing -- ie, non-overlap of basic terms of reference -- is highly 
problematic.


Goals
Benefit Internet Users
Protocol adoption

Unfortunately, the two goals you cite apply to all the work ever done for IETF standards. Hence the goals say nothing that is specific to this effort.

That leaves us with an empty list of (distinctive) Goals.


Benefits
...
Browsing Efficiency – Reuse of Identity Data and authentication

Browsing?  So the focus of this group is strictly for web-based activity?

No benefits for email, instant messaging, VOIP, etc?


Browsing Efficiency – Consistency of User Experience for providing data

What does this mean?


Reuse of Identity Data – Less data entry
Reuse of Authentication – Single Sign-On
Reuse of an Identifier – Persona and reputation building

Does the group have consensus on the definition and use of "persona"?

And what does it mean to do "persona building"?


Security – Consistent user experience

This one sounds interesting.  How does user experience consistency affect
security?  (Is there any empirical basis for this?)


Security – Stronger authentication more viable

Really? How? Security people are rather demanding about justifications for such claims.


Privacy – Choice over what is stored where and released to whom
Privacy – Choice over the degree of relationship with a site: anonymous,
pseudo-anonymous, or public. [todo: see terms in Ben’s referenced
document.]

What work is DIX planning to do that will define and ensure that either of these
happen?


Reuse of Verification Processes – By moving third-party claims between authority and site

What do you mean 'third-party claims'?  I assume that 'authority' refers to
whoever is making the claims?  And what do you mean 'site'?



Data quality, quantity, and richness.
Lower latency in workflows for verifying self asserted data.
Higher conversion rates

I do not understand any of these.


Identifier – an identifying attribute for a set of attributes.

A single attribute is an identifier?  I think that does not match the earlier
definition.  Plus, it seems a bit circular.

An identifier is an identifying attribute?

I don't really know what that means.


Identity Data – a set of attributes

Any random set, or are there constraints? I suspect you mean some specific kinds of attributes. What are they? What attributes would NOT qualify?

For example, I suspect you mean that the attributes are associated with the entity being identified.



1) Beth receives an email from a friend introducing her to a new website, geeknews.com, a site that publishes techie news articles. She browses the site and decides to read some articles. She sees an IN button, which she clicks. [Insert step 1.1, called out as it’s reused in many use cases.] Her identity agent displays a screen informing her that geeknews.com is requesting some data, her first name. She enters ‘Beth’ at the prompt, provides consent and the data is sent to the site. [Benefits: Choice of what is stored where and released to whom. Benefits: Consistent User Experience – She sees her agent’s user interface every time she is asked for information.]

This demonstrates how difficult it is to make the user experience "better".

If the user must enter a variety of information, where only some of that
information can be processed by DIX, then the user will experience the original
form, generated by the server, AND the client-side DIX form.

Having two different forms could be confusing and/or irritating to users, because it entails two different styles of forms.

But notice that I said "could be".  This is a usability question.  I am certain
the problem is a possibility, but not certain it will occur.


1.1) Her identity agent performs an authentication process to ensure that it is representing Beth, and not an imposter. The authentication mechanism used is implementation dependent. The identity agent may provide the benefit of caching the authentication for the duration of Beth’s internet browsing session. [Benefit: Reuse of authentication, when coupled with other aspects provides single sign-on.]

2) Beth browses to geekdate.com, she clicks an IN button. [1.1] Her identity agent displays a screen informing her that geekdate.com is requesting some data, her first name. From [1] her agent already has this data. She provides consent and the data is sent to the site. [Benefit: Less data entry. Benefit: Reuse of identity data. Benefit: Quality data.]

"Quality"?  How is the quality improved?


3) Beth decides to create a profile at geekdate.com. Geekdate.com displays a registration form. One field requests a URL of a photo of her. Beside it is a SAVE button. She enters the URL and clicks the button. [1.1] Her identity agent displays a screen informing her that this data item can be stored. She provides consent and the data is stored by her agent. [Benefit: Reuse of Identity Data. Benefits: Enabled stateless sites that request the data they need for each session. Benefit: Persona building. Benefit: Choice of what is stored where.]

How is this "persona building"?  What does that mean?
...


Here is what I'm getting from your text:

DIX provides a standardized basis, for client-based interfaces:

1) to interact with the user and the user's environment,

2) to acquire a collection of information related to the user, based on requests from servers, and

3) selectively provide this data to the requesting servers, based on user permissions and contextual aggregations specific to the relationship between the user and a particular service

Are there functions I am missing or have gotten wrong?

d/
--

Dave Crocker
Brandenburg InternetWorking
<http://bbiw.net>





