The various forms of identity offered under the InternetWide Architecture
can sometimes be used in clever ways, for example to construct identities
with limited access or temporary validity. A number of possible tricks
The various forms of identity offered under the InternetWide Architecture can sometimes be used in clever ways, for example to construct identities with limited access or temporary validity. A number of possible tricks follow.
Earlier parts of this series covered lessons learnt to this series and presented various forms of identity usable under our bring your own identity policy. We now turn to a number of tricks that can be nicely positioned in this framework.
Collections of Roles
It may seem awkward that we decided to reveal a user's base identity as part of
a role. The shared key material explains it technically, but still it may seem
awkward to conceal
Where this is considered problematic, it may help to create a group or pseudonym
next to the primary identity, for instance
email@example.com and define roles
firstname.lastname@example.org as totally independent of
email@example.com is a group that contains
firstname.lastname@example.org, then he
will be able to access communication to the group without separate login; if
email@example.com is created as a pseudonym, it will require separate login.
Regardless of the use of role, group or pseudonym, there will be separate access control for each new identity (although the role inherits white and black lists from its base identity, and expands on them).
A portion of the framework can be setup to permit only temporary identities. These identities can be useful to deal with remote services that need a one-shot treatment or those that insist on sampling an email address. Of course, for longer-used services, a role is better because it reserves an identity for a longer term.
A temporary identity can take various forms; a few could be
firstname.lastname@example.org email@example.com firstname.lastname@example.org
The interpretation would be dependent on the part before the plus sign. For example,
timed+1430049266may indicate an identity that times out at the given timestamp, which is a few days after publication of this blog article;
code+3bae0bcfacd8fc07f08f19f6b7efc29fmight incur a check on the messages passed, for instance to see if an email quotes a particular
Message-Idor related header.
email@example.com be a simple account setup under a temporary name
xxyyaaand that will only pass traffic for as long as a client is listening. When the client logs off, the identity is retracted from service.
Many sites choose to setup local names such as
sales@, so they can
be reached by guessing customers. Given some attention to spam filtering and
perhaps to staff removing false positives, this may make sense.
Such generic names can be setup as a group name and address any number of members, or they can be setup with a foreign identity to which theh traffic is relayed, in a bidirectional manner. The result of this is that traffic sent to these generic names are also replied from those generic names.Go Top