Security/identity · 7 Dec 2006

Riffing on personae

I have to agree with Dave Kearns that chatting face-to-face is an extraordinarily efficient way to gain better understanding! It’s also quite pleasant. This IIW event was a blast for me. I’ve got a lot of notions bumping into each other in my brain from the experience; I’ll try a few of them on you now.

Dave was poking at my notion of a persona: He doesn’t think it needs to exist. To be honest, I don’t mean to be carrying water for the concept of a persona — I’m neutral on it until I can see it in practice. But the model I explored here helped me to imagine how it could be defined operationally (rather than in philosophical and hence somewhat vague terms), and thus how it could come into common practice someday. In the persona conversation, I’m mostly interested in how I can define policies in a way that’s reusable across multiple transactions, even when I’m not online (e.g., in web services interactions for that “break-glass” scenario), and the notion of having alternate URLs that stand for each policy bucket (allowing me to avoid creating multiple independent identities that duplicate information) was kind of appealing. Maybe identifiers aren’t the best way to do this, though; lots of other mechanisms come to mind.

(By the way, I’m told that has implemented something like a persona feature, but I haven’t been able to get an identity going successfully over there yet. I’ll keep at it.)

Dave talks about multiple identities possibly being in the same “namespace”, which could be like the persona picture I was painting. I’m not sure what “namespace” means here, but I didn’t mean to imply anything about the namespace in which a persona identifier versus a digital identity identifier resides, other than the DNS domain (since we’re talking URL-based identifiers here). Beyond the stuff for discovering my IdP and various metadata about it, a relying party can’t safely guess whether /eve, /xmlgrrl, /eve/lowrisk, /elm, /eve-lynn, and /eves-sister correspond to one subject or not, or whether they “resolve to” a single identity’s worth of data. I do take Dave’s point here — as far as the RP is concerned, each of these is a digital identity. The only characteristics that make it anything more have to do with the “profile management” that happens exclusively under the control of the human and the user interface offered by his/her IdP.
