Personal tools

Witness

From MozillaWiki

Jump to: navigation, search

"Witness" will be a web app which provides proof that person A has agreed to legal document X.

There are loads of applications for this:

  • Proof that a Mozilla contributor has agreed to our Committer’s Agreement
  • Proof that someone has agreed to the IPR policy necessary for contributing to a standards body mailing list
  • Proof that someone has agreed to a trademark licence

These things can be done without an app, but it’s dull and tedious for the person doing the paperwork. Much better to get a computer to do it.

Minimum Viable Product

  • Persona login (we need strong identity verification, and this saves us having to do the email confirmation dance ourselves)
  • Admin interface where someone (we probably need to restrict this - open question as to how) can submit a document. Define:
    • Document title
    • Document text (HTML? Some other structured text format?)
    • Document version number (string)
    • Text for 'Yes' button and 'No' button
  • Also ability to upload updated document as long as version number is also changed to new unique value for that document
  • Page for all previous versions links to latest (most recently uploaded) version
  • Users can see all documents on system, or get a URL which takes them straight to the display of a particular document
  • User clicks "I Agree" or "I Don't Agree"
  • Action is recorded in database, with:
    • Identity of user (email address and real name, if available)
    • Decision (Yes or No)
    • Text on clicked button
    • Date and time of agreement
    • Source IP address
    • Persona assertion JSON
    • Hash of text
    • Version number of text
  • User receives email telling them what they've done
  • Ability for uploader to get list of email addresses of all signers
  • Ability for user to change mind later - go back and click a different button. App records history of agreement/disagreement, not just last decision
  • Admin needs to be able to retire a document - remove it from the public list and "close" signatures on it. It should still be visible at its URL, though.
  • Users can see list of documents they've signed

Design Thoughts

  • For users, there's no need to have the concept of an "account". We get all the information we need from the Persona login and store it in the session. Once the user is gone, we don't need to remember anything about them apart from their signing actions until they come back.
  • For v1.0, could restrict admin interface via HTTP Auth with single username and password
  • No-one, not even admins, can delete entries from the signing table or change documents once uploaded (without changing the version number) once signed by at least 1 person
  • Document format needs to be more than plain text but HTML has issues unless we have a good sanitizer. Some form of structured text or wiki markup would be good; whatever's intuitive and that there's a converter to HTML for.
  • I think it's OK, and useful, to allow document uploaders to define button text, as long as button text is stored in the signing record so it's clear what the user agreed to.
  • Are we OK with just two possible decisions, Yes and No?

Possible Additional Features

  • Logging of all changes and not-already-logged actions
  • Ability for user to send URL which gives proof they've signed to a 3rd party (URL contains random value to avoid identity leak; URL given to user after signing)
  • Hash of text presented to user is calculated client-side and submitted, but checked against server-side value to make sure no discrepancy
  • App stores result of sending all action data listed above (including confirmed text hash) to a 3rd party timestamping service, for better non-repudiation
  • Ability for uploader to search list of signers
  • Ability for admin to email all signers to inform them that a document has been updated and they should come back and re-sign
  • Notifications to document uploader when someone signs it
  • Possibility of list of signers being public
  • Additional security features like making the table of signings append-only using database permissions