The PDS provides most of the functionality, though the CDS is critical as a way to bootstrap the discovery of a user's PDS.
Industry standards will be needed for some features the PDS supports; however, there is plenty of opportunity for a PDS to innovate as a way to differentiate itself and convince end-users to subscribe to that PDS.
Some of the initial requirements of the PDS are the following.
- The PDS MUST support cross-site preference lookups by any website to get a JSON blob in a standardized (but extensible) XML format with the user's preferences.
- The PDS SHOULD attempt to list itself on the CDS of each computer the user visits, as long as there is user consent. For example, the PDS might ask one-time if the user would like their PDS advertised on all the computers where the user logs into the PDS.
- That standard XML format would also allow the PDS to publicize an OAuth endpoint that could be used to request more detail about the user if the cross-site request was becoming too large, or the user wanted more privacy controls.
- That XML format SHOULD try to avoid ever storing any globally unique information such as blog/profile URLs, phone #s, or E-mail addresses.
- The PDS SHOULD also support a standardized user approval flow to add preferences to a user's list, such as the fact that they are a Facebook user or that one of their PortableContacts providers is MySpace, or that their default OpenID provider is Gmail. Other websites can redirect the user to the PDS with a request to be added to the user's list. The user will be asked to confirm the addition.
- Prior registration of the originating website for the approval flow SHOULD NOT be required, because the user can be asked to approve exactly what is being published.
- The PDS MUST support some preferences for users in particular countries, such as particular privacy settings.
- The PDS SHOULD support the ability for a website to store per-website preferences that are only returned to that website, such as the fact that the user chose to lower their privacy controls on that website, even though their default preference is to request high privacy controls (such as not using cookies).
- The PDS SHOULD notify the CDS if the user logged into the PDS with only a session cookie so the CDS can similarly set a session cookie.
- The PDS MAY charge extra for websites that want to have faster lookups of the user's preferences.
- The PDS MAY advertise/monetize this service however they want.
- The PDS may be asked to store large amounts of information, so server-side storage and scalability will be required.
- It is RECOMMENDED that a PDS service expose the collection of per-site preferences as an OAuth-protected resource to facilitate user migration to a new PDS service. It is similarly RECOMMENDED that PDS services have the ability to consume such resources from other PDSes.
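
The following sketch is an added example, not part of the original proposal. It shows how a PDS could assemble a cross-site lookup response while enforcing two of the requirements above: values that look globally unique (URLs, e-mail addresses, phone numbers) are never emitted, and per-website preferences are returned only to the website that stored them. The element and attribute names (`preferences`, `pref`, `scope`, `oauth`), the sample data, and the assumption that the PDS already knows the requesting website's origin are all hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Values the format should avoid carrying: URLs, e-mail addresses, phone numbers.
UNIQUE_PATTERNS = [
    re.compile(r"^[a-z][a-z0-9+.-]*://", re.I),
    re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    re.compile(r"^\+?[\d\s().-]{7,}$"),
]

def is_globally_unique(value):
    """True if the value looks like a URL, an e-mail address or a phone number."""
    return any(p.search(value.strip()) for p in UNIQUE_PATTERNS)

def build_response(origin, global_prefs, site_prefs, oauth_endpoint=None):
    """Return the XML document the PDS would send to the website at `origin`."""
    root = ET.Element("preferences")
    for name, value in sorted(global_prefs.items()):
        if not is_globally_unique(value):
            ET.SubElement(root, "pref", name=name).text = value
    # Per-website preferences go back only to the website that stored them.
    for name, value in sorted(site_prefs.get(origin, {}).items()):
        if not is_globally_unique(value):
            ET.SubElement(root, "pref", name=name, scope="site").text = value
    # The endpoint belongs to the PDS, not the user, so it is advertised as-is.
    if oauth_endpoint:
        ET.SubElement(root, "oauth", endpoint=oauth_endpoint)
    return ET.tostring(root, encoding="unicode")

# Constructed sample data; every name and value here is hypothetical.
GLOBAL_PREFS = {
    "privacy": "high",
    "openid-provider": "Gmail",
    "social-network": "Facebook",
    "blog": "https://alice.example/blog",  # URL: filtered out
    "contact": "alice@example.org",        # e-mail: filtered out
}
SITE_PREFS = {"https://news.example": {"privacy": "low"}}

if __name__ == "__main__":
    for site in ("https://news.example", "https://shop.example"):
        print(site)
        print(build_response(site, GLOBAL_PREFS, SITE_PREFS,
                             "https://pds.example/oauth"))
```

The pattern filter is a last line of defence at response time; a PDS would also want to reject such values when a website submits them through the approval flow.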