PDS Architecture

Revision as of 21:39, 12 July 2010 by Unnamed Poltroon (Talk) (PDS Vault)


This page describes the Personal Data Store (PDS), a new work area under development for Higgins 2.0. It also includes a Building Blocks section describing some additional components.

Intro

A PDS provides a central point of control for information about a person: their life, friends, interests, affiliations and so on. A PDS consists of a PDS Agent and a PDS Vault.

PDS Agent

Gives you control over your own information. It:

  • Shares information about you to those with whom you wish it to be shared
  • Allows you to be discoverable by others that meet criteria you specify
  • Provides a web-based dashboard for your personal information that is scattered across hundreds of database silos
  • Lets you define and manage a set of personas (e.g. Work, Home & Friends, Citizen, Health, Anonymous) over which you have complete control.
  • Links information from your personas to accounts (profiles) that you have at service providers, websites, social networking sites, etc. and over which you share joint control and rights
  • Links information from your personas with the personas of your friends' and colleagues' PDSes
  • Provides a run-time environment for apps that run within the PDS agent itself

PDS Vault

  • Provides an encrypted "lock box" in the cloud
  • Data in the PDS vault cannot be read by the PDS vault's operator
  • Backs up personal data stored on your computers and mobile devices
  • Synchronizes personal data to other devices and computers owned by the person using a variety of network protocols.
  • Is used by the PDS agent to store certain kinds of information about you
Tla 2.0.18.png

As shown at the top left of the diagram above, we are also developing Windows, Mac and mobile clients for the Higgins PDS. These clients have two advantages over the PDS agent. First, data stored on these devices is entirely under your control, without the need to rely on third-party hosted services. Second, the client is closely integrated with the browser and other local apps. This allows the client to capture information about you as you browse and to augment your web experience through web augmentation (overlaying context-specific information within your browser) as well as through automatic form filling (e.g. filling in your passwords).

Information from a wide variety of data sources, such as the social network, telco and health data sources shown above, is virtually integrated by the PDS Agent and presented in a "dashboard" application.

A PDS gives you control over your own information by allowing you to share selected subsets of your information with other people and organizations that you trust. It also allows you to advertise yourself in variable ways to different kinds of people and companies attempting to contact you.

Attribute data stored locally on the PDS are encrypted by the PDS Client using an internally managed key prior to transmission to the PDS Vault. Thus data attribute values on the PDS are blinded from the service operator offering/hosting the PDS service.
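The blinding property described above can be illustrated with client-side authenticated encryption. This is an added example, not Higgins code: the class name, the slot naming scheme, the sample value and the choice of AES-256-GCM are all assumptions made for illustration, and the in-memory map stands in for the hosted vault.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
public class VaultBlindingExample {
    private static final int NONCE_LEN = 12, TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();
    // Client side: encrypt one attribute value. The slot name (context + attribute)
    // is bound as associated data, so a blob is only valid in the slot it was made for.
    static byte[] seal(SecretKey key, String slot, String value) throws Exception {
        byte[] nonce = new byte[NONCE_LEN];
        RNG.nextBytes(nonce);                              // fresh nonce per encryption
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        c.updateAAD(slot.getBytes(StandardCharsets.UTF_8));
        byte[] ct = c.doFinal(value.getBytes(StandardCharsets.UTF_8));
        return ByteBuffer.allocate(NONCE_LEN + ct.length).put(nonce).put(ct).array();
    }
    // Client side: decrypt. Throws AEADBadTagException if the blob was altered or moved.
    static String open(SecretKey key, String slot, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, NONCE_LEN));
        c.updateAAD(slot.getBytes(StandardCharsets.UTF_8));
        byte[] pt = c.doFinal(blob, NONCE_LEN, blob.length - NONCE_LEN);
        return new String(pt, StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey clientKey = kg.generateKey();            // held by the client only
        Map<String, byte[]> vault = new HashMap<>();       // stand-in for the hosted vault
        String slot = "context:work/person/email";         // constructed sample slot name
        vault.put(slot, seal(clientKey, slot, "alice@example.com"));
        System.out.println(open(clientKey, slot, vault.get(slot)));
        String other = "context:health/person/email";      // constructed second slot
        vault.put(other, vault.get(slot));                 // blob copied between slots
        try {
            open(clientKey, other, vault.get(other));
        } catch (AEADBadTagException e) {
            System.out.println("rejected: ciphertext is not bound to " + other);
        }
    }
}
```

In this sketch the slot names stay in cleartext, so the operator can still see which attributes exist; only the attribute values are hidden, which matches the property stated above.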

Although in principle you only need a single PDS to work on your behalf, we expect that until the time comes that most people fully trust the architecture's security and privacy characteristics, a significant number will choose to have more than one PDS account. Doing so allows them not to have to trust that the PDS architecture is capable of fully isolating the private, work, health-related, and social dimensions of their lives.

Data Representation

Within a PDS, a single individual is represented as a set of containers called Contexts, each of which holds a digital identity called a Person. Each Person instance has a set of attributes and values. Thus one individual (natural person, data subject) is represented as multiple Person entities, each in its own context-container.

Tla intro 2.0.108.png

The data in these Contexts adheres to the Higgins Persona Data Model 2.0, which can be used for storing arbitrary (identity and social networking) data. UDI references are used for representing links between Contexts, both inside the Personal_Data_Store_2.0 and to external data stores.

Components

PDS Agent

PDS Vault

PDS Client

The PDS Client 2.0 is a library used to access the Personal_Data_Store_2.0.

Authentication (AuthN) Service

The IdAS Proxy Service 2.0 and Attribute Service 2.0 require access tokens minted by the Authentication Service 2.0. Eventually the I-Card Service and CardSync Service will also rely on this external authN service.

Authorization Manager

  • Authorization Manager (planned) gives the user control over the flows of data from a managed relationship card provider to a relying party. We plan to use/adapt Kantara UMA protocols.

Building Blocks

This section describes the data-related services, Java frameworks and data models that are used by the personal data store service.

Data Models

Data models used in Higgins code and services:

Higgins data models.png

IdAS Solution

The IdAS solution is a testbed for exercising the IdAS Java framework.

XDI4J

XDI4J is a Java library for working with XDI.