Here's a more formal write-up of the use cases that I posted to the list just before the BOF. They cover all the browser-based 'Eliot's Dad' scenarios that have
been on the list in the past week.

I've also written up a set of scenarios from Dick Hardt that cover various kinds
of claims usage. The focus on these is the moving around of the claims,
rather than the claims themselves.

I've not documented Lisa and Rob's non-browser-based use cases for DIX
over HTTP and other protocols, as I'm not necessarily familiar enough with
each case to do them justice. I would however encourage the group to
write them up. Volunteers?

There seem to be strong opinions on whether we should or should not
be considering non-browser based applications. My opinion is that we
have enough of a challenge agreeing on a protocol for browser based
applications. I'd propose that we deal with supporting this over browsers
now and reserve non-browser based applications for future consideration.

Comments/Additions/Deletions for the following draft please.

John

Network Working Group                                        J. Merrells
Internet-Draft                                             Sxip Identity
Expires: September 29, 2006                               March 28, 2006


                 Digital Identity Exchange - Use Cases
                    draft-merrells-use-cases-00.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on September 29, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document describes the motivating use cases for DIX, the Digital
   Identity Exchange protocol.


Merrells               Expires September 29, 2006               [Page 1]

Internet-Draft    Digital Identity Exchange - Use Cases       March 2006


Table of Contents

   1.  Requirements notation  . . . . . . . . . . . . . . . . . . . .  3
   2.  Definitions  . . . . . . . . . . . . . . . . . . . . . . . . .  4
   3.  Use Cases  . . . . . . . . . . . . . . . . . . . . . . . . . .  5
     3.1.  UC1  . . . . . . . . . . . . . . . . . . . . . . . . . . .  5
     3.2.  UC2  . . . . . . . . . . . . . . . . . . . . . . . . . . .  5
     3.3.  UC3  . . . . . . . . . . . . . . . . . . . . . . . . . . .  5
     3.4.  UC4  . . . . . . . . . . . . . . . . . . . . . . . . . . .  5
     3.5.  UC5  . . . . . . . . . . . . . . . . . . . . . . . . . . .  5
     3.6.  UC6  . . . . . . . . . . . . . . . . . . . . . . . . . . .  6
     3.7.  UC7  . . . . . . . . . . . . . . . . . . . . . . . . . . .  6
     3.8.  UC8  . . . . . . . . . . . . . . . . . . . . . . . . . . .  6
     3.9.  UC9  . . . . . . . . . . . . . . . . . . . . . . . . . . .  6
     3.10. UC10 . . . . . . . . . . . . . . . . . . . . . . . . . . .  7
     3.11. UC11 . . . . . . . . . . . . . . . . . . . . . . . . . . .  7
     3.12. UC12 . . . . . . . . . . . . . . . . . . . . . . . . . . .  7
     3.13. UC13 . . . . . . . . . . . . . . . . . . . . . . . . . . .  7
     3.14. UC14 . . . . . . . . . . . . . . . . . . . . . . . . . . .  7
     3.15. UC15 . . . . . . . . . . . . . . . . . . . . . . . . . . .  7
     3.16. UC16 . . . . . . . . . . . . . . . . . . . . . . . . . . .  7
     3.17. UC17 . . . . . . . . . . . . . . . . . . . . . . . . . . .  8
     3.18. UC18 . . . . . . . . . . . . . . . . . . . . . . . . . . .  8
     3.19. UC19 . . . . . . . . . . . . . . . . . . . . . . . . . . .  8
     3.20. UC20 . . . . . . . . . . . . . . . . . . . . . . . . . . .  8
     3.21. UC21 . . . . . . . . . . . . . . . . . . . . . . . . . . .  8
     3.22. UC22 . . . . . . . . . . . . . . . . . . . . . . . . . . .  8
     3.23. UC23 . . . . . . . . . . . . . . . . . . . . . . . . . . .  8
     3.24. UC24 . . . . . . . . . . . . . . . . . . . . . . . . . . .  9
     3.25. UC25 . . . . . . . . . . . . . . . . . . . . . . . . . . .  9
     3.26. UC26 . . . . . . . . . . . . . . . . . . . . . . . . . . .  9
     3.27. UC27 . . . . . . . . . . . . . . . . . . . . . . . . . . .  9
   4.  Security Considerations  . . . . . . . . . . . . . . . . . . . 10
   5.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 11
   Intellectual Property and Copyright Statements . . . . . . . . . . 12


1.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Definitions

      Digital Identity - The transmission of a digital representation of
      a set of Claims made by one Party about itself or another Digital
      Subject, to one or more other Parties.

      Identity Agent - An agent acting on behalf of the user.

      Identifier - An identifying attribute for a set of attributes.

      Identity Data / Identity Information - A set of attributes.

      Claim - An assertion made by a Claimant of the value or values of
      one or more attributes of a Digital Subject, typically an
      assertion which is disputed or in doubt.

   These definitions are drawn from the lexicon of 'The Identity Gang'
   [identitygang].

3.  Use Cases

   The use cases below describe various scenarios for the Digital
   Identity Exchange (DIX) protocol [dmd0].  Some use cases are
   dependent upon others, so they should be read in order.  Beth is our
   protagonist throughout: a typical Internet user, but a bit of a geek.

3.1.  UC1

   Beth receives an email from a friend introducing her to a new
   website, geeknews.com, a site that publishes techie news articles.
   She browses the site and decides to read some articles.  She sees an
   IN button, which she clicks.  Her identity agent performs an
   authentication process to ensure that it is representing Beth, and
   not an imposter.  Her identity agent displays a screen informing her
   that geeknews.com is requesting some data, her first name.  She
   enters 'Beth' at the prompt, provides consent and the data is sent to
   the site.

3.2.  UC2

   Beth browses to geekdate.com and clicks an IN button.  Her identity
   agent displays a screen informing her that geekdate.com is requesting
   some data, her first name.  Her agent already has this data.  She
   provides consent and the data is sent to the site.

3.3.  UC3

   Beth decides to create a profile at geekdate.com.  She sees an IN
   button, which she clicks.  Her identity agent displays a screen
   informing her that geekdate.com is requesting some data, an
   Identifier.  She instructs her identity agent to create an identifier
   specific to her relationship with geekdate.com.  She provides consent
   and the data is sent to the site.

3.4.  UC4

   Beth decides to flesh out her profile at geekdate.com.  Geekdate.com
   displays a registration form.  One field requests a URL of a photo of
   her.  Beside it is a SAVE button.  She enters the URL and clicks the
   button.  Her identity agent displays a screen informing her that this
   data item can be stored.  She provides consent and the data is stored
   by her agent.

3.5.  UC5

   Geeknews.com offers Beth the option to build up a readership
   preferences profile over time, the benefit being that the site will
   tailor its content to her interests.  She decides to take up the
   offer: she sees an IN button, which she clicks.  Her identity agent
   displays a screen informing her that geeknews.com is requesting some
   data, an Identifier.  She selects an existing identifier that
   represents a subset of her identity, which is used for a subset of
   the sites she has a relationship with.  She provides consent and the
   data is sent to the site.

3.6.  UC6

   [Assumptions: Beth has visited geeknews and geekdate before and has
   informed her identity agent that she consents to a relationship with
   them.]  Beth starts her day with a strong coffee and a perusal of
   geeknews.com.  She starts her computer and authenticates herself to
   the operating system.  By that authentication mechanism she has also
   authenticated herself to her identity agent, as the vendor of that
   agent has hooked it into the operating system's authentication
   system.  She browses to geeknews.com, clicks the IN button and is
   directly shown the content, with no further clicks.  She then browses
   to geekdate.com, clicks the IN button and is directly presented with
   her profile, again with no further clicks.

3.7.  UC7

   Beth's identity agent prompts her to provide a 'spoken name'.  Using
   the multimedia capabilities of her computer she records her spoken
   name: an mp3 of her saying 'Beth'.  She later browses to
   voicebox.com, which runs a voicemail service, and opts to create an
   account.  The site requests some properties, amongst which is a
   request for her spoken name.  She provides consent and the data is
   sent to the site.

3.8.  UC8

   Beth purchases a book from an online store.  As she's checking out,
   the store makes her an offer: 10% off for completion of a demographic
   survey.  She's tempted, but how many data fields are there?  One
   hundred!  Too many to be worth the effort.  But it happens to be
   commonly requested data, most of which she has already entered during
   previous exchanges with other sites.  So, she completes only the
   remaining fields, saving them to her identity agent for future reuse.
   She provides consent and the data is sent to the site.

3.9.  UC9

   Beth has invested significant effort in building up a persona and
   reputation around a specific identifier, her 'home' identifier.  But
   she has become dissatisfied with her identity agent and so decides to
   switch vendors.  She establishes the new agent and migrates her
   identity data from the old one to the new one.  She then administers
   her identifier so that her new identity agent is authoritative for
   authentication and provision of identity data.

3.10.  UC10

   Whilst in town Beth stops off at an Internet cafe to check her email.
   She goes to her webmail account, which requires that she identify
   herself.  Her Identity Agent prompts her for consent and provides her
   identifier so that she can gain access to her email.

3.11.  UC11

   Beth visits a website that requests some identity information.  Her
   Identity Agent warns her that satisfying the request would contravene
   her established privacy policy.

3.12.  UC12

   Beth moves house, so she changes the home address information stored
   by her Identity Agent.  Her Identity Agent offers to notify all
   relying parties to whom she has previously provided her home address.

3.13.  UC13

   Beth is a frequent traveler on Galactic Air, whose site offers a
   claim of membership for use at affiliate sites.  She acquires a
   membership claim, which her Identity Agent stores for her.

3.14.  UC14

   Beth visits a Galactic Air affiliate site that provides discounted
   travel insurance for frequent travelers.  She presents her Galactic
   Air membership claim and receives a discount.

3.15.  UC15

   Beth leaves work and goes to the bus stop.  Whilst waiting for the
   next bus home she uses her smart phone to browse geeknews.com.  Her
   Identity Agent provides her with the same clickless browsing that she
   experiences on her work and home computers.

3.16.  UC16

   Beth is ending her day at work.  She leaves work and waits for the
   next bus home.  Her friend calls and invites her to the movies.  She
   uses her phone to browse to movies.com to find out what's playing.
   The site requests her current location, which she consents to
   release via her Identity Agent.

3.17.  UC17

   Beth signs up with a financial services site, BigPicture.com, which
   provides an aggregate view of her finances.  She provides the site
   with agency rights over each of her existing bank accounts.

3.18.  UC18

   Beth goes to an auction site, ibay.com.  Her Identity Agent shows a
   signed graphic of ibay.com when releasing data.  Beth knows that she's
   dealing with ibay.com, and not an imposter.

3.19.  UC19

   Beth visits her online bank, which requires the use of a strong
   authentication mechanism.  She authenticates to her Identity Agent
   using a two-factor device indicated by the bank to be an acceptable
   mechanism.

3.20.  UC20

   Adam uses a service to acquire a verified email claim.  With it he
   can prove that he owns his email address, [EMAIL PROTECTED], without
   having to go through a verification process.

3.21.  UC21

   Beth gives her friend, [EMAIL PROTECTED], access to her photos.  Adam
   receives an email from Beth inviting him to view her photos.  He goes
   to the site, which requests a verified email claim.  He presents his
   claim and gains access to the photos Beth has published for him.

3.22.  UC22

   Adam visits a site that requires that he prove he is over 21.  He
   provides the site with a claim that he is over 21 from the government
   of his country of residence, gov.ca.  The site is unable to find out
   who Adam is from gov.ca.

3.23.  UC23

   Adam returns to the same site.  He must again prove that he is over
   21.  He provides a claim, but the site cannot tell that it is Adam
   that has returned again to the site.

3.24.  UC24

   Adam heavily frequents two gambling sites, goldenslots.com and
   luckydice.com.  He uses the same identifier across both sites, so
   that they know he is the same person.

3.25.  UC25

   Beth's employer has partnered with a local university to provide its
   staff with access to online courses.  She signs up for some modules
   at the university admissions website, acquiring an enrollment claim.
   She then browses to the computer science school website to sign up
   for an advanced programming course.  The site requests claims that
   she is an employee, that she has previously completed some basic
   introductory modules, and that she has been enrolled.

3.26.  UC26

   Beth is shopping online for a new laptop computer.  She visits an
   online site that caters to recently graduated professionals.  She
   selects a machine and investigates the lease options available.  To
   work out the monthly payment the site requests some claims: a claim
   that she's an alumna of a university, so that the site can include an
   appropriately branded tote bag; a claim that she's a member of
   Galactic Air, so that she can be credited with airmiles for her
   purchase; and a claim from a credit scoring agency that she has a
   'good' credit rating.

3.27.  UC27

   Beth is at home checking her work email.  She has an email from a
   colleague assigning a customer support issue to her.  The company
   help desk system is provided by helpdesk.com, an on-demand
   application provider.  She clicks through a link in the email to the
   page that describes the issue.  Helpdesk.com requests a claim that
   Beth is an employee of 'Nano Software Inc', which she provides from
   her Identity Agent, and she gains access to the page.
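
   The consent flow these scenarios describe, as an added example that is
   not part of the draft and is not the DIX protocol itself: a small
   Python model of an identity agent covering UC1-UC5, UC11, UC12 and
   UC22-UC24.  Deriving a relationship-specific identifier with an HMAC
   over a scope string, and the request/consent method names, are
   assumptions of this example.

```python
# Added illustrative model of an identity agent for the scenarios above.
# Not the DIX protocol: identifier derivation (HMAC over a relationship
# scope) and the request/consent API are assumptions made for this example.
import hashlib
import hmac


class IdentityAgent:
    def __init__(self, secret: bytes, policy=()):
        self.secret = secret        # constructed per-agent key for identifier derivation
        self.store = {}             # attributes the user has saved (UC4, UC8)
        self.denied = set(policy)   # attributes her privacy policy forbids releasing (UC11)
        self.released = {}          # site -> attributes released there, for notification (UC12)

    def identifier(self, scope: str) -> str:
        """Identifier specific to one relationship scope (UC3): two sites get
        unlinkable values (UC22, UC23) unless the user deliberately gives them
        the same scope (UC5, UC24); the same scope always yields the same value,
        so a return visit is recognised (UC6)."""
        return hmac.new(self.secret, scope.encode(), hashlib.sha256).hexdigest()[:16]

    def handle_request(self, site, requested, consent, prompt=None, scope=None):
        """Answer a relying party's request for attributes.
        Returns (status, payload): 'policy-warning' with the blocked attributes,
        'missing' with an attribute the agent does not hold and the user did not
        supply, 'declined' if consent was withheld, or 'released' with the data."""
        blocked = [a for a in requested if a in self.denied]
        if blocked:
            return "policy-warning", blocked      # UC11: warn before any disclosure
        data = {}
        for attr in requested:
            if attr == "identifier":
                data[attr] = self.identifier(scope or site)
            elif attr in self.store:
                data[attr] = self.store[attr]     # UC2: already held, nothing to type
            elif prompt and attr in prompt:
                data[attr] = prompt[attr]         # UC1: entered now at the agent's prompt
            else:
                return "missing", [attr]
        if not consent:
            return "declined", {}                 # nothing leaves the agent without consent
        for attr, value in data.items():
            if attr != "identifier":
                self.store[attr] = value          # UC1/UC8: keep entered values for reuse
        self.released.setdefault(site, set()).update(data)
        return "released", data

    def update_attribute(self, attr, value):
        """UC12: change a stored value and list the relying parties that
        previously received it, so the agent can offer to notify them."""
        self.store[attr] = value
        return sorted(s for s, attrs in self.released.items() if attr in attrs)
```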

4.  Security Considerations

   None.

5.  References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [dmd0]     Merrells, J., "draft-merrells-dix-00.txt", March 2006.

   [identitygang]
              The Identity Gang, "Lexicon",
              http://identitygang.org/Lexicon, March 2006.

Author's Address

   John Merrells
   Sxip Identity
   798 Beatty Street
   Vancouver, BC  94110
   Canada

   Email: [EMAIL PROTECTED]
   URI:   http://sxip.com/

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   [EMAIL PROTECTED]


Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Copyright Statement

   Copyright (C) The Internet Society (2006).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.


Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.


_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
