Difference between revisions of "Notification"
Latest revision as of 14:37, 5 August 2025
Full Title or Meme
Several best practices and laws require that users be informed of a change of state, or receive a periodic confirmation of state; in those cases user Notification is required.
Context
- Whenever a Web Site encounters a condition that policy or legislation requires that the User be informed of, or when action by the user is required, the site needs to put some message in front of the user.
- Notification is an act of synchronization to bring two or more asynchronous parallel processes back into synchronization.[1]
Like many of you, I receive a variety of notifications by various means. Postal letters, email reminders, pop-ups on my laptop, audio signals on my mobile, highlighted chat application entries, text messages, phone calls, taps on the shoulder—the list is long! Thinking a bit more about this, one of the purposes of notification is to resynchronize otherwise asynchronous processes. You tell Google Assistant to set a timer for 15 minutes and go off to do something else. After 15 minutes, you get an audible reminder that the 15 minutes are up, and you should turn off the spaghetti before it turns to mush.
Problems
- People on the web soon learn that there are more notifications than are necessary or desired.
- In Notification the concepts of Security, Privacy and User Experience all collide and make any solution a compromise among competing mandates.
Anti-Pattern
This example is an email from a Health-Care provider that has a variety of problems which are enumerated below. The first four problems are security issues, others are user experience issues:
- The sender of the Notification is not clearly shown. Specifically, no legal entity is identified that is responsible for the email.
- There is not the slightest attempt made to prove the trustworthiness of the Notification.
- There is a link to a web site, which creates two security issues:
  - The site may infect the user with malware, and no legal entity is identified that would be responsible.
  - The user is encouraged to click on a link that is not known to be trustworthy, which reinforces a bad security practice by the user.
- The first and last sentences are contradictory, but apply to an action that the user should be able to perform; that is, to contact the sender if the message was sent in error!
- The importance of the message is not indicated, nor is there any indication whether user action is required.
- The provider is not identified, probably for privacy reasons, but if the user has more than one family member using more than one provider, the message is completely unhelpful for any disambiguation. (Theoretically the message ID should do that, but the creator of that ID is not knowable from the rest of the message.)
Solutions
Notification ID
The idea of a Notice-centric ID is that some situations require notification; historically this ranged from posting in the town square to sirens that literally called out to people.
FIDO
- 2025-07-30 Heads up that FIDO is talking about notification endpoints/lifecycle management for DPCs (payment credentials)
- See the wiki on FIDO 2.0 for details on that family of standards.
How soon do we need it?
1.1 is fine, but something that exists in priority
Suggestion post-IIW to talk about server-to-server in a dedicated call.
Suggestion using sec-events, no one has tried implementing this yet so needs more robustness.
This is 3 months, can we talk about it earlier?
Ideally yes
Some support to having a dedicated
Suggestion to work out some time in August.
Lifecycle management vs server to server?
Both?
Starting point is to establish a common reference model and objective for what ‘server to server’ means.
AI for Gareth to put together a first draft for the OpenID Foundation
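The "sec-events" suggestion above refers to Security Event Tokens (SET, RFC 8417), a JWT profile for server-to-server notification. As an added example that is not part of this wiki page or of any FIDO or OpenID specification, the Python below builds a SET for a hypothetical credential-revoked lifecycle event and validates it on the receiving side. The issuer, audience, event URI and HMAC secret are constructed for the example (a real transmitter would sign with an asymmetric key published via JWKS). The receiver's checks on the signature, issuer, audience, freshness and `jti` replay are exactly what the anti-pattern email above lacks: a clearly identified sender and proof that the notification is trustworthy.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example only; none of these come from the wiki page.
SHARED_SECRET = b"example-shared-secret-not-for-production"
TRANSMITTER = "https://issuer.example/"   # hypothetical issuer (iss claim)
RECEIVER = "https://wallet.example/"      # hypothetical receiver (aud claim)
# SET event types are identified by URIs (RFC 8417); this one is hypothetical.
CREDENTIAL_REVOKED = "https://schemas.example/event/credential-revoked"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_set(jti: str, subject: dict, iat: Optional[int] = None) -> str:
    """Transmitter side: build a SET, i.e. a JWT whose 'events' claim maps an
    event URI to an event-specific payload. Signed with HS256 for brevity."""
    header = {"typ": "secevent+jwt", "alg": "HS256"}
    claims = {
        "iss": TRANSMITTER,
        "aud": RECEIVER,
        "jti": jti,                                   # unique id, used for replay detection
        "iat": iat if iat is not None else int(time.time()),
        "events": {CREDENTIAL_REVOKED: {"subject": subject, "reason": "user_request"}},
    }
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class SetReceiver:
    """Receiver side: accept a SET only if signature, issuer, audience,
    freshness and jti uniqueness all check out; return the events claim."""

    def __init__(self, max_age_s: int = 300):
        self.max_age_s = max_age_s
        self.seen_jti: set = set()   # in production: a store shared across receiver instances

    def accept(self, token: str, now: Optional[int] = None) -> dict:
        now = now if now is not None else int(time.time())
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        h64, c64, s64 = parts
        # Verify the signature before trusting anything in the payload.
        expected = hmac.new(SHARED_SECRET, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            raise ValueError("bad signature")
        header = json.loads(_b64url_decode(h64))
        if header.get("typ") != "secevent+jwt" or header.get("alg") != "HS256":
            raise ValueError("unexpected header")
        claims = json.loads(_b64url_decode(c64))
        if claims.get("iss") != TRANSMITTER:
            raise ValueError("unknown issuer")
        if claims.get("aud") != RECEIVER:
            raise ValueError("token not addressed to us")
        iat = claims.get("iat")
        if not isinstance(iat, int) or now - iat > self.max_age_s or iat > now + 60:
            raise ValueError("stale or future-dated token")
        if not claims.get("events"):
            raise ValueError("no events claim")
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:
            raise ValueError("replayed or missing jti")
        self.seen_jti.add(jti)
        return claims["events"]


if __name__ == "__main__":
    tok = build_set("evt-0001", {"format": "opaque", "id": "cred-1234"}, iat=1700000000)
    print(SetReceiver().accept(tok, now=1700000010))
```

The receiver deliberately verifies the signature before parsing any claim, treats a repeated `jti` as a replay rather than a duplicate to be ignored silently, and bounds `iat` in both directions so a captured token cannot be held and delivered later.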
Open Notice Network
- The project is OPN, for Open Notice (OPN) Network; it's all about digital transparency. Mark L is working on a notice receipt specification to back this up.
  - A notice of state is part of the initial services we would be showing you, called Privacy Broadcasting, which uses a profile to broadcast a status.
  - Open Notice Github repository (https://github.com/Open-Notice); Markus Sabadello (https://github.com/peacekeeper) of DID and DIF is one of the contributors.
  - OPN: Open Notice Receipt Schema (https://drive.google.com/file/d/1p7oadr89gFloaUKEheXfGFH9zNIPQ67Z/view), paper from Mark Lizar and H J Pandit.
References
- [1] Vint Cerf, On Notifications, CACM, 2025-05, https://cacm.acm.org/opinion/on-notifications/