search

consumer-reports-innovation-lab / data-rights-protocol

The technical standard for exchanging data rights requests
https://datarightsprotocol.org
Apache License 2.0
59 stars 12 forks source link

Shifting toward JSON-LD? #72

Open rrix opened 1 year ago

rrix commented 1 year ago

Trying to capture datarightsprotocol-tech discussion w/ dschmudde

As of 0.9 we moved away from JWT/IANA specification of identity attributes and toward schema.org/Person. Schmudde rightfully asks why we aren't evaluating moving more of the DRP data model toward schema.org ontology. for example schema.org/Organization for describing entities in the service directories, or even schema.org/DeleteAction and similar Actions for expressing the rights themselves.

But I'm wondering if there was a formal decision about interoperable schemas?

The objects defined on schema.org would need to be extended with our own vocabulary, but why shouldn't/couldn't we do this? It's worth trying to bend future versions of the protocol toward LD structures which can be validated and even extended with non-normative vocabularies. The action schemas, for example, they would also need to be extended 1) with attributes to describe the Agent's involvement in a request and 2) the legal basis for them.

JWT (we had some haughty ideas that some day consumer services or centralized OIDC providers or trusted KYC groups could create and sign these tokens for Agents) and so we recommended JWT registered claims from https://www.iana.org/assignments/jwt/jwt.xhtml

DRP v0.9 is far too late to re-start these conversations. I am only wondering if we could take small bites at the apple in the future. Would be great if the DRP endpoint is increasingly generic but the data is increasingly descriptive. Such a roadmap wouldn't break v0.9 API. Rather it builds on top of the work already presented.

I think as we go forward it is worth keeping this in mind. starting with the service directory seems like a really viable path toward creating a standard vocabulary for these requests and slowly lift stuff out of my markdown tables in to a verifiable schema.

Without diving into the non-normative, non-standard attribute specifics - things that are good at describing a person's identity or their relationship to organizations are in short supply. So it may be worth the effort to offer DRP as a standard vocabulary for the benefit of the whole community.

When I looked at this question originally, I felt that we would be bending DRP toward schema.org in an awkward fashion, but with JSON-LD we could be defining our own base schemas which include schema.org/Organization or whatnot and should keep considering this in future work.

rrix commented 1 year ago

dschmudde's example schema showing a delete request:

{"@context": "https://schema.org/",
 "@type": "DeleteAction",
 "agent": {"name": "Data Rights Protocol",
           "@type": "Organization",
           "@id": "http://datarightsprotocol.org/some-delete-request-endpoint",
           "identifier": [{"@type": "PropertyValue",
                           "value": "yyyyy-zzzz-bbb-aaaa-xxx",
                           "propertyId": "token"}]},
 "participant": {"@type": "Person",
                 "email": "me@example.com",
                 "identifier": [{"@type": "PropertyValue",
                                 "value": "972c082c-07ef-497d-b1bb-xxx",
                                 "propertyId": "UserId",
                                 "url": "https://yorba.app/profile"}]},
 "object": {"@type": "Service",
            "provider": {"@type": "Organization",
                         "url": "https://myspace.com/",
                         "name": "MySpace"},
            "serviceType": {"@id": "https://yorba.app/accounts/logins"}},
 "targetCollection": {"name": "Accounts With Logins: Deleted",
                      "url": "https://yorba.app/accounts/logins-deleted"},
 "endTime": "2023-09-08T07:44:22.989687Z"}
schmudde commented 1 year ago

@rrix mentioned one important detail I don't want to lose in this discussion:

The service directory stuff is probably the easiest to bend toward this idea first, since it's hardly defined/managed in the soon-to-be-1.0 DRP spec as it is, That is, to spell out the delta between schema.org/Organization and what would live in our Agent or Business directories, and then prototype a service directory powered by linked-data documents.

I like this as a starting point. As legal constructs, Organizations are easier to define than people.