Notification

From MgmtWiki
Revision as of 07:27, 30 July 2025 by Tom (talk | contribs) (FIDO)


Full Title or Meme

Several best practices and laws require that users be informed of a change of state, or receive a periodic confirmation of state; in those cases user Notification is required.

Context

Whenever a Web Site encounters a condition that policy or legislation requires the User be informed of, or when action by the User is required, the site needs to put some message in front of the user.

Problems

In Notification the concepts of Security, Privacy and User Experience all collide, making any solution a compromise among competing mandates.

Anti-Pattern

This example is an email from a Health-Care provider that has a variety of problems, enumerated below. The first four are security issues; the others are user experience issues:

  1. The sender of the Notification is not clearly shown. Specifically, no legal entity is identified as responsible for the email.
  2. Not the slightest attempt is made to prove the trustworthiness of the Notification.
  3. There is a link to a web site, which creates two security issues:
    1. The site may infect the user with malware, and no legal entity is identified that would be responsible.
    2. The user is encouraged to click on a link that is not known to be trustworthy, which reinforces a bad security habit in the user.
  4. The first and last sentences are contradictory, yet they apply to an action the user should be able to perform: contacting the sender if the message was sent in error.
  5. The importance of the message is not indicated, nor is there any indication of whether user action is required.
  6. The provider is not identified, probably for privacy reasons, but if the user has more than one family member using more than one provider, the message is completely unhelpful for disambiguation. (Theoretically the message ID should do that, but the creator of that ID cannot be determined from the rest of the message.)

TerribleEmailNotification.png

Solutions

Notification ID

The idea of a Notice-centric ID is that some situations require notification; historically this ranged from posting in the town square to sirens that literally called out to people.

FIDO

  • 2025-07-30 Heads up that FIDO is talking about notification endpoints/lifecycle management for DPCs (payment credentials)

How soon do we need it?

1.1 is fine, but something that exists in prioritary

Suggestion post-IIW to talk about server-to-server in a dedicated call.

Suggestion using sec-events, no one has tried implementing this yet so needs more robustness.

This is 3 months, can we talk about it earlier?

Ideally yes

Some support to having a dedicated

Suggestion to work out some time in August.

Lifecycle management vs server to server?

Both?

Starting point is to establish a common reference model and objective for what ‘server to server’ means.

AI for Gareth to put together a first draft for the Open ID Foundation
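
The "sec-events" suggestion in the notes above refers to Security Event Tokens (SETs, RFC 8417), the JWT profile the IETF SecEvent work produced for exactly this kind of server-to-server notification. The following is an added example, not code from FIDO, the OpenID Foundation or this wiki: an issuer signs a SET announcing that a payment credential changed state, and the receiving notification endpoint pins the algorithm, checks the typ header, signature, issuer, audience, freshness and jti replay before it trusts the event. The event identifier URI, the credential_id/state payload layout, the shared HMAC key and the freshness window are assumptions made for illustration; FIDO has not published any of them.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed for this example: a secret shared between the credential issuer
# and the receiving server. A deployment would use asymmetric JWS (e.g. ES256)
# so that the receiver cannot forge events itself.
SHARED_SECRET = b"example-only-shared-secret-do-not-deploy"

# Hypothetical event identifier; FIDO has not published a URI for DPC lifecycle events.
DPC_EVENT_URI = "https://example.org/events/dpc-lifecycle-change"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def issue_set(issuer: str, audience: str, credential_id: str, new_state: str,
              key: bytes = SHARED_SECRET, now: Optional[int] = None) -> str:
    """Build a SET (RFC 8417) as a compact HS256 JWS.

    Only the claims RFC 8417 requires (iss, iat, jti, events) plus aud are set;
    the event payload layout (credential_id/state) is this example's assumption.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    payload = {
        "iss": issuer,
        "aud": audience,
        "iat": now,
        "jti": secrets.token_urlsafe(16),
        "events": {DPC_EVENT_URI: {"credential_id": credential_id, "state": new_state}},
    }
    signing_input = _b64url(_compact_json(header)) + "." + _b64url(_compact_json(payload))
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)


class SetReceiver:
    """Receiving side of a server-to-server notification endpoint."""

    def __init__(self, trusted_issuer: str, my_audience: str,
                 key: bytes = SHARED_SECRET, max_age_seconds: int = 300):
        self.trusted_issuer = trusted_issuer
        self.my_audience = my_audience
        self.key = key
        self.max_age_seconds = max_age_seconds
        self.seen_jti = set()  # replay cache; persist it across restarts in production

    def verify(self, token: str, now: Optional[int] = None) -> dict:
        """Return the 'events' claim if the SET is acceptable, else raise ValueError."""
        now = int(time.time()) if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed compact JWS")
        h_b64, p_b64, s_b64 = parts
        header = json.loads(_b64url_decode(h_b64))
        # Pin the algorithm before touching the signature: defeats alg=none and key confusion.
        if header.get("alg") != "HS256":
            raise ValueError("unexpected alg")
        # typ separates a SET from an ID token or access token signed with the same key.
        if header.get("typ") != "secevent+jwt":
            raise ValueError("not a SET")
        expected = hmac.new(self.key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
            raise ValueError("bad signature")
        payload = json.loads(_b64url_decode(p_b64))
        if payload.get("iss") != self.trusted_issuer:
            raise ValueError("untrusted issuer")
        aud = payload.get("aud")
        aud = [aud] if isinstance(aud, str) else aud
        if not aud or self.my_audience not in aud:
            raise ValueError("token not addressed to this receiver")
        iat = payload.get("iat")
        # A freshness window on iat is this example's choice; RFC 8417 leaves it to profiles.
        if not isinstance(iat, int) or abs(now - iat) > self.max_age_seconds:
            raise ValueError("stale or future-dated event")
        jti = payload.get("jti")
        if not isinstance(jti, str) or jti in self.seen_jti:
            raise ValueError("missing or replayed jti")
        events = payload.get("events")
        if not isinstance(events, dict) or not events:
            raise ValueError("missing events claim")
        self.seen_jti.add(jti)
        return events
```

The receiver deliberately rejects before it parses: a wrong alg or typ fails before any signature work, and the signature is checked before any claim is read, so a forged or mis-typed token never reaches the claim logic. For transport, the same token can be delivered with the push (RFC 8935) or poll (RFC 8936) SET delivery methods; the endpoint's acceptance rules do not change.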

Open Notice Network

  • The project is OPN, for Open Notice (OPN) Network; it's all about digital transparency and I am working on a notice receipt specification to back this up
  • A notice of state is a part of like the initial services we would be showing you called Privacy Broadcasting, which uses a profile to broadcast a status.
  • Open Notice Github repository Markus Sabadello of did and dif is one of the contributors
  • OPN: Open Notice Receipt Schema paper from Mark Lizar and H J Pandit

References