Authentication and authorization are two things that, in a perfect world, most users would never have to ponder. When a user requests access to a service, a confluence of security-related attributes comes into play.
Did the user authenticate via password, certificate or one-time code? Is this user within the corporate network or coming in externally? Which training level or security clearance is required? Perhaps attribute-level permission is involved, such as LDAP group membership. When these questions are satisfied, the user checks out and the service is provided.
Often such permissions are inherently coarse-grained, and not dependent on other criteria such as environment or time. Add a user to an LDAP group, and they gain access to a service until the user is removed from the group. Or a user provides a username/password that continues to provide access until the password is changed or expires.
Finer-grained access control can be achieved using a token-based authorization system such as OAuth. OAuth allows a user to grant fine-grained authorization to services, such as allowing a merchant to charge up to $10 to a particular bank account for the next three minutes. Perhaps a user will grant read-only access to their Yahoo mail address book for a few minutes to another service.
Wouldn't it be great to be able to temporarily grant fine-grained authorization to social interactions? Imagine that, instead of giving out your personal details, you just authorize an entity to have access to the appropriate bits of your information for a given duration.
For example, you grant temporary access to attributes such as your calendar, GPS coordinates, food allergies, favorite colors, gift wish list, mobile phone number, and car license plate. Standard profiles such as "First Date," "Business Lunch," and "Attend Conference" could detail standard workflows of what is shared, and for what duration.
The access is automatically removed after the event has concluded: Identity as a Rental.
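As an added illustration (not code from this post or from any OAuth library), here is a minimal deny-by-default model of the time-boxed, attribute-level grants described in the OAuth paragraph and the rental profiles above: a grant carries a grantee, a hard expiry, a set of scopes with optional metered quotas (the "$10 for three minutes" case), and a housekeeping sweep that revokes it once the event ends. The profile contents, the scope names such as `charge:acct-1234`, and the `issue_grant`, `authorize` and `sweep_expired` functions are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
# Constructed "standard profiles": the attributes each profile shares.
PROFILES = {
    "First Date": ["food_allergies", "favorite_colors", "mobile_phone_number"],
    "Business Lunch": ["calendar", "food_allergies"],
    "Attend Conference": ["calendar", "gps_coordinates", "car_license_plate"],
}

@dataclass
class Grant:
    grantee: str          # the party allowed to use this grant
    expires_at: datetime  # hard stop: nothing is allowed at or after this instant
    scopes: dict = field(default_factory=dict)  # scope -> remaining quota (None = unmetered)
    revoked: bool = False

def issue_grant(grantee, profile, duration_s, now, quotas=None):
    """Create a grant for a profile that expires duration_s seconds after now."""
    scopes = {attr: None for attr in PROFILES[profile]}
    scopes.update(quotas or {})  # metered scopes, e.g. {"charge:acct-1234": 10.0}
    return Grant(grantee, now + timedelta(seconds=duration_s), scopes)

def authorize(grant, grantee, scope, now, amount=0.0):
    """Deny by default: every condition must hold before any quota is consumed."""
    if grant.revoked:
        return False, "revoked"
    if grantee != grant.grantee:
        return False, "wrong grantee"
    if now >= grant.expires_at:
        return False, "expired"
    if scope not in grant.scopes:
        return False, "scope not granted"
    remaining = grant.scopes[scope]
    if remaining is not None:
        if amount > remaining:
            return False, "quota exceeded"
        grant.scopes[scope] = remaining - amount
    return True, "ok"

def sweep_expired(grants, now):
    """Housekeeping job: revoke every grant whose event has ended."""
    for g in grants:
        if now >= g.expires_at:
            g.revoked = True
    return sum(1 for g in grants if g.revoked)

# Constructed clock for the walkthrough: T0 is the instant the grant is issued.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
def at(seconds):
    return T0 + timedelta(seconds=seconds)
```

The quota check rejects a charge that would overshoot rather than partially filling it, and the sweep makes expiry stick even if a caller later presents a stale timestamp.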
In the next post, I will walk through use cases for the concept of IDaaR. Imagine an extension of today's federation capabilities by integrating data from social cloud services with personal data not normally warehoused by an Identity Provider.