Comments on: The Tripartite Identity Pattern

By: Orthomentor

Orthomentor — Thu, 04 Mar 2010 21:22:21 +0000

So I can trust my identity morph to you or manage it myself, right?

By: F. Randall Farmer

F. Randall Farmer — Wed, 12 Nov 2008 15:01:54 +0000

Thanks Kevin! I’ll try to corner Joseph when I see him later today.

By: Kevin Marks

Kevin Marks — Wed, 12 Nov 2008 00:39:10 +0000

This seems to map quite well to the account element in PortableContacs/OpenSocial/SGNodeMapper where username and userid are used for the two parts you call Login ID and Account ID, and displayName is used for what you call Public ID http://portablecontacts.net/draft-spec.html#account_element

By: Reed

Reed — Mon, 20 Oct 2008 13:33:45 +0000

Thanks, the changed image makes it much clearer. I wasn’t sure if you meant that there could simultaneously be more than one ID, or whether there were multiple options for what form that ID could take.
I would make the internal account ID be either completely private (so you can change it someday if needed), or give it some globally unique property (i.e. based on a URI or a GUID or whatever) (so you wouldn’t have to change it).
For public APIs, you can generate a key or id from the account ID, specifically for the user to give to another application that is going to use the API. You can generate a new key like this for each third party service, which would also allow the user to disable them selectively or set different access options for each of them. So this would be a third branch of external identifiers.

By: F. Randall Farmer

F. Randall Farmer — Sat, 18 Oct 2008 17:27:56 +0000

Reed’s scanning error was common when I first published this model inside of Yahoo! I was in a hurry to post the article in time for an upcoming identity standards related event and used an accurate, but perhaps oversimplified,image.
This has been corrected.
Now if you only look at the picture instead of reading the text completely, you’ll be able to see that the pattern supports multiple Login IDs and Public IDs.

By: F. Randall Farmer

F. Randall Farmer — Sat, 18 Oct 2008 16:16:46 +0000

Reed,
Glad you liked the post. It may be short, but folds in almost 5 years of refinement and insight.
1. I agree, as I said in the post above “Lastly, a service could provide the opportunity to attach multiple different login identifiers to a single account” and also “A … service… may wish to offer multiple public identifiers when a specific context requires”
2. Actually, the Account ID is a key that can be shared for API use, hashed for URLs, etc. as long as it has no inherent capabilities. Spoofing is a minor threat, and the account ID could be used to differentiate without displaying it.
For example if two folks with the public ID James (and the same photo, age, location, etc.) post to a forum, the page display logic could differentiate them as James(1) and James(2) consistently.
Of course, the community might have something to say about anyone who is trying to spoof another person.

By: Reed Hedges

Reed Hedges — Sat, 18 Oct 2008 11:47:05 +0000

Hi Randy,
Two observations:
1. There could be multiple login IDs associated with an account ID, right? This would allow services or users to easily reuse external authentication services (OpenID) but not be locked in to them. This also facilitates mergers of different services into the same user pool (due to acquisition, service redesign, etc.)
There could also be multiple public IDs, used in different contexts.
2. Should the account ID never be shown publicly? If the only publicly shown identifier is the user-controlled public ID, then it’s easy for trolls etc to manipulate what others think their identity is. (Though different communities will have different needs here and different weights for this potential problem.)