Network Working Group J. Merrells Internet-Draft Sxip Identity Expires: September 29, 2006 March 28, 2006 Digital Identity Exchange - Use Cases draft-merrells-use-cases-00.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on September 29, 2006. Copyright Notice Copyright (C) The Internet Society (2006). Abstract This document describes the motivating use cases for DIX, the Digital Identity Exchange protocol. Merrells Expires September 29, 2006 [Page 1] Internet-Draft Digital Identity Exchange - Use Cases March 2006 Table of Contents 1. Requirements notation . . . . . . . . . . . . . . . . . . . . 3 2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.1. UC1 . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.2. UC2 . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.3. UC3 . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.4. UC4 . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.5. UC5 . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.6. UC6 . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.7. UC7 . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.8. UC8 . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.9. UC9 . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.10. UC10 . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.11. UC11 . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.12. UC12 . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.13. UC13 . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.14. UC14 . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.15. UC15 . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.16. UC16 . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.17. UC17 . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 3.18. UC18 . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 3.19. UC19 . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 3.20. UC20 . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 3.21. UC21 . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 3.22. UC22 . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 3.23. UC23 . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 3.24. UC24 . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 3.25. UC25 . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 3.26. UC26 . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 3.27. UC27 . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 4. Security Considerations . . . . . . . . . . . . . . . . . . . 10 5. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 11 Intellectual Property and Copyright Statements . . . . . . . . . . 12 Merrells Expires September 29, 2006 [Page 2] Internet-Draft Digital Identity Exchange - Use Cases March 2006 1. Requirements notation The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. Merrells Expires September 29, 2006 [Page 3] Internet-Draft Digital Identity Exchange - Use Cases March 2006 2. Definitions Digital Identity - The transmission of digital representation of a set of Claims made by one Party about itself or another Digital Subject, to one or more other Parties. Identity Agent - An agent acting on behalf of the user. Identifier - An identifying attribute for a set of attributes. Identity Data / Identity Information - A set of attributes. Claim - An assertion made by a Claimant of the value or values of one or more attributes of a Digital Subject, typically an assertion which is disputed or in doubt. Definitions drawn from the lexicon of 'The Identity gang'. [identitygang]. Merrells Expires September 29, 2006 [Page 4] Internet-Draft Digital Identity Exchange - Use Cases March 2006 3. Use Cases The use cases below describe various scenarios for the Digital Identity Exchnage (DIX) protocol [dmd0]. Some use cases are dependant upon others, so should be perused in order. Beth is our protagonist throughout; a typical Internet user, but she's a bit of a geek. 3.1. UC1 Beth receives an email from a friend introducing her to a new website, geeknews.com, a site that publishes techie news articles. She browses the site and decides to read some articles. She sees an IN button, which she clicks. Her identity agent performs an authentication process to ensure that it is representing Beth, and not an imposter. Her identity agent displays a screen informing her that geeknews.com is requesting some data, her first name. She enters 'Beth' at the prompt, provides consent and the data is sent to the site. 3.2. UC2 Beth browses to geekdate.com, she clicks an IN button. Her identity agent displays a screen informing her that geekdate.com is requesting some data, her first name. Her agent already has this data. She provides consent and the data is sent to the site. 3.3. UC3 Beth decides to create a profile at geekdate.com. She sees an IN button, which she clicks. Her identity agent displays a screen informing her that geekdate.com is requesting some data, an Identifier. She instructs her identity agent to create an identifier specific to her relationship with geekdate.com. She provides consent and the data is sent to the site. 3.4. UC4 Beth decides to flesh out her profile at geekdate.com. Geekdate.com displays a registration form. One field requests a URL of a photo of her. Beside it is a SAVE button. She enters the URL and clicks the button. Her identity agent displays a screen informing her that this data item can be stored. She provides consent and the data is stored by her agent. 3.5. UC5 Geeknews.com offers Beth the option to build up a readership Merrells Expires September 29, 2006 [Page 5] Internet-Draft Digital Identity Exchange - Use Cases March 2006 preferences profile over time, the benefit being that the site will tailor its content to her interests. She decides to take up the offer, she sees an IN button, which she clicks. Her identity agent displays a screen informing her that geeknews.com is requesting some data, an Identifier. She selects an existing identifier that represents a subset of her identity, which is used for a subset of the sites she has a relationship with. She provides consent and the data is sent to the site. 3.6. UC6 [Assumptions: Beth has visited geeknews and geekdate before and has informed her identity agent that she consents to a relationship with them.] Beth starts her day with a strong coffee and a perusal of geeknews.com. She starts her computer and authenticates herself to the operating system. By that authentication mechanism she has also authenticated herself to her identity agent, as her vendor of that system has hooked it into the operating system's authentication system. She browses to geeknews.com and clicks the IN button and is directly shown the content, no further clicks. She then browses to geekdate.com, she clicks the IN button and is directly presented with her profile no further clicks. 3.7. UC7 Beth's identity agent prompts her to provide a 'spoken name'. Using the multimedia capabilities of her computer she records her spoken name; an mp3 of her saying 'Beth'. She later browses to voicebox.com, which runs a voicemail service, she opts to create an account and the site requests some properties, amongst which is a request for her spoken name. She provides consent and the data is sent to the site. 3.8. UC8 Beth purchases a book from an online store, as she's checking out the store makes her an offer: 10% off for completion of a demographic survey. She's tempted, but how many data fields are there? One hundred! Too many to be worth the effort. But it happens to be commonly requested data, which she has already entered during previous exchanges with other sites. So, she completes the remaining fields, saving them to her identity agent for future reuse. She provides consent and the data is sent to the site. 3.9. UC9 Beth has invested significant effort in building up a persona and reputation around a specific identifier, her 'home' identifier. But, Merrells Expires September 29, 2006 [Page 6] Internet-Draft Digital Identity Exchange - Use Cases March 2006 she has become dissatisfied with her identity agent and so decides to switch vendors. She establishes the new agent and migrates her identity data from the old one to the new one. She then administers her identifier so that her new identity agent is authoritative for authentication and provision of identity data. 3.10. UC10 Whilst in town Beth stops off at an Internet Cafe to check her email. She goes to her webmail account, which requires that she identity herself. Her Identity Agent prompts her for consent and provides her identifier so that she can gain access to her email. 3.11. UC11 Beth visits a website that requests some identity information. Her Identity Agent warns her that satisfying the request would contravene her established privacy policy. 3.12. UC12 Beth moves house, so she changes the home address information stored by her Identity Agent. Her Identity Agent offers to notify all relying parties to whom she has previously provided her home address. 3.13. UC13 Beth is a frequent traveler on Galactic Air, whose site offers a claim of membership for use at affiliate sites. She acquires a membership claim, which her Identity Agent stores for her. 3.14. UC14 Beth visits a Galactic Air affiliate site that provides discounted travel insurance for frequent travelers. She presents her Galactic Air membership claim and receives a discount. 3.15. UC15 Beth leaves work and goes to the bus stop. Whilst waiting for the next bus home she uses her smart phone to browse geeknews.com. Her Identity Agent provides her with the same clickless browsing that she experiences on her work and home computers. 3.16. UC16 Beth is ending her day at work. She leaves work and waits for the next bus home. Her friend calls and invites her to the movies. She Merrells Expires September 29, 2006 [Page 7] Internet-Draft Digital Identity Exchange - Use Cases March 2006 uses her phone to browse to the movies.com to find out what's playing. The site requests her current location, which she consents to release via her Identity Agent. 3.17. UC17 Beth signs up with a financial services site, BigPicture.com, which provides an aggregate view of her finances. She provides the site with agency rights over each of her existing bank accounts. 3.18. UC18 Beth goes to an auction side, ibay.com. Her Identity Agent shows a signed graphic of ibay.com for releasing data. Beth knows that she's dealing with ibay.com, and not an imposter. 3.19. UC19 Beth visits her online bank, which requires the use of a strong authentication mechanism. She authenticates to her Identity Agent using a two-factor device indicated by the bank to be an acceptable mechanism. 3.20. UC20 Adam uses a service to acquire a verified email claim. With it he can prove that he owns his email address, Adam@example.com, without having to go through a verification process. 3.21. UC21 Beth gives her friend, Adam@example.com, access to her photos. Adam receives an email from Beth inviting him to view her photos. He goes to the site, which requests a verified email claim. He presents his claim and gains access to the photos Beth has published for him. 3.22. UC22 Adam visits a site that requires that he prove he is over 21. He provides the site with a claim that he is over 21 from the government of his country of residence, gov.ca. The site is unable to find out who Adam is from gov.ca. 3.23. UC23 Adam returns to the same site. He must again prove that he is over 21. He provides a claim, but the site cannot tell that it is Adam that has returned again to the site. Merrells Expires September 29, 2006 [Page 8] Internet-Draft Digital Identity Exchange - Use Cases March 2006 3.24. UC24 Adam heavily frequents two gambling sites, goldenslots.com and luckydice.com. He uses the same identifier accross both sites, so that they know he is the same person. 3.25. UC25 Beth's employer has partnered with a local university to provide it's staff with access to online courses. She signs up for some modules at the university admissions website acquiring an enrollment claim. She then browses to the computer science school website to sign up for an advanced programming course. The site requests claims that she is an employee, that she has previously completed some basic introductory modules, and that she has been enrolled. 3.26. UC26 Beth is shopping online for a new laptop computer. She visits an online site that caters to recently graduated professionals. She selects a machine and investigates the lease options available. To work out the monthly payment the site requests some claims: A claim that she's an alumni of a university, so that the site can include an appropriately branded tote bag. A claim that she's a member of Galactic Air, so that she can be credited with airmiles for her purchase. And, a claim from a credit scoring agency that she has a 'good' credit rating. 3.27. UC27 Beth is at home checking her work email, she has an email from a colleague assigning a customer support issue to her. The company help desk system is provided by helpdesk.com, an on-demand application provider. She clicks through a link in the email to the page that describes the issue. Helpdesk.com requests a claim that Beth is an employee of 'Nano Software Inc', which she provides from her Identity Agent, and she gains access to the page. Merrells Expires September 29, 2006 [Page 9] Internet-Draft Digital Identity Exchange - Use Cases March 2006 4. Security Considerations None. 5. References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [dmd0] Merrells, J., "draft-merrells-dix-00.txt", March 2006. [identitygang] The Identity Gang, "http://identitygang.org/Lexicon", March 2006. Merrells Expires September 29, 2006 [Page 10] Internet-Draft Digital Identity Exchange - Use Cases March 2006 Author's Address John Merrells Sxip Identity 798 Beatty Street Vancouver, BC 94110 Canada Email: merrells@sxip.com URI: http://sxip.com/ Merrells Expires September 29, 2006 [Page 11] Internet-Draft Digital Identity Exchange - Use Cases March 2006 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Merrells Expires September 29, 2006 [Page 12]