2. What is a Nōtif?
• Nōtif : notification :: app : application
• Tell a user that something they’re
interested in is happening or has happened
• Requested by the user
• Typically short
• Typically time-sensitive, perishable
2
3. What a Nōtif isn’t
• Anything unsolicited
• correspondence
• spam
• Addressed by a human
• addresses are unsuitable for that
• Two-way
• Multihop
3
5. Notification examples
• Emergency bulletins
• Advertising / special
offers
• Event invitations
• Approval requests
• Tech support
• Password resets
• Fraud alerts (bank, etc.)
• Alerts from
“things” (IoT)
• Newsletter availability
• Social media alerts
• Burglar/fire alarms
5
6. Nōtifs Manifesto
• Users:
• Should have control over what nōtifs they receive
• Should be able to know that the nōtifs they receive are genuine
• Should have control over if and how they are alerted when
nōtifs arrive
• Should not have to reveal information about themselves just to
receive nōtifs
• Notifiers:
• Should not have to guess whether nōtifs are being delivered
• Should not have to employ intermediaries to get nōtifs delivered
• Should be able to amend or delete nōtifs to keep them relevant
• Nōtifs:
• Should expire and hide when no longer relevant
6
7. Nōtif characteristics
• Opt-in
• Typically short
• Modifiable/deletable (best effort)
• Acknowledged delivery
• Domain-signed
• Encrypted in transit (use TLS)
• Priority tagged
• Expires at specified date/time
7
9. Notifiers
• Typically not operated
by user
• Opt-in by user through
authorization ceremony
• May or may not know
much about the user
• Examples:
• Emergency services
• E-Commerce sites
• Social media
• Enterprise services
• Reminders
9
10. Nōtif Agents
• Operate on behalf of
user
• Cloud-based
• User-chosen,
decentralized
• Store notifications for
retrieval by user
• Manage authorizations
for user
• Alert user to specific
notifications of
particular interest or
urgency
10
11. Nōtif Authorizations
• A record of a relationship between a notifier and a user
• Contains:
• Notification address
• Notifier’s domain
• Description (provided/edited by user)
• Max authorized priority
• Tags
• Flags (active, deleted, etc.)
• Statistics (count, etc.)
• Link to user (internal)
11
12. User endpoints
• Push
• Mobile device app
(push notification)
• SMS
• Voice (telephone)
• Desktop app
• Email (!)
• Pull
• Web interface
• Mobile app (via API)
12
14. Protected Header
• Public key from DNS TXT record ala DKIM
• Algorithm must agree with that specified by key
record
{"alg": “RS256",
"kid": "shiny"}
Public key obtained from DNS:
<kid>._domainkey.<notifier-domain>
Signing and hashing algorithms
14
15. Nōtif Body
• You can’t spoof what isn’t there:
• From address/domain (comes from
authorization)
• To address (part of the envelope)
{"origtime": “2015-04-04T16:17:00.242181Z",
"priority": 4,
"expires": “2015-04-05T16:17:00.242193Z",
"body": "It is now 09:17 and all is well”,
"subject": "It is now 09:17"}
15
22. Current status
• Prototype Nōtif agent up and running
• Linux/MongoDB/Go
• Prototype user/authorization/nōtif management
• Linux/MongoDB/Python/Django
• Notifier SDK (Python)
• Sample “clockwatcher” notifier running
22
23. To Be Done
• Open-source the code (when I’m
reasonably happy with it)
• Write an API/Protocol Specification
• Mobile app
• Connectors: Generate notifs from legacy
services
23