Rick van Rein

Fri 24 April 2015


Identity 4: Tips and Tricks

The various forms of identity offered under the InternetWide Architecture can sometimes be used in clever ways, for example to construct identities with limited access or temporary validity. A number of possible tricks follow.

Earlier parts of this series covered lessons learnt to this series and presented various forms of identity usable under our bring your own identity policy. We now turn to a number of tricks that can be nicely positioned in this framework.

Collections of Roles

It may seem awkward that we decided to reveal a user's base identity as part of a role. The shared key material explains it technically, but still it may seem awkward to conceal john@example.com as john+singer@example.com.

Where this is considered problematic, it may help to create a group or pseudonym next to the primary identity, for instance artist@example.com and define roles such as artist+singer@example.com as totally independent of john@example.com.

When artist@example.com is a group that contains john@example.com, then he will be able to access communication to the group without separate login; if artist@example.com is created as a pseudonym, it will require separate login.

Regardless of the use of role, group or pseudonym, there will be separate access control for each new identity (although the role inherits white and black lists from its base identity, and expands on them).

Temporary Identities

A portion of the framework can be setup to permit only temporary identities. These identities can be useful to deal with remote services that need a one-shot treatment or those that insist on sampling an email address. Of course, for longer-used services, a role is better because it reserves an identity for a longer term.

A temporary identity can take various forms; a few could be


The interpretation would be dependent on the part before the plus sign. For example,

  • timed+1430049266 may indicate an identity that times out at the given timestamp, which is a few days after publication of this blog article;

  • code+3bae0bcfacd8fc07f08f19f6b7efc29f might incur a check on the messages passed, for instance to see if an email quotes a particular Message-Id or related header.

  • tmp+xxyyaa@orvelte.nep could be a simple account setup under a temporary name xxyyaa and that will only pass traffic for as long as a client is listening. When the client logs off, the identity is retracted from service.

Generic Names

Many sites choose to setup local names such as info@ and sales@, so they can be reached by guessing customers. Given some attention to spam filtering and perhaps to staff removing false positives, this may make sense.

Such generic names can be setup as a group name and address any number of members, or they can be setup with a foreign identity to which theh traffic is relayed, in a bidirectional manner. The result of this is that traffic sent to these generic names are also replied from those generic names.

Go Top