Mike has clearly been doing some heavy thinking, and his recent post on his Law of Relational Risk is evidence of that. Mike’s last idea in the piece caught my attention: the notion of a Relational Continuity Sockets Layer. The idea is that:
It would allow multiple participants to interact on a channel that is secure for the duration of the relationship or at least one risk cycle (this means longer-lived sessions than SSL) and allows for relation IDs (similar to session IDs).
For such a connection to be created a myriad of problems have to be solved. Just a couple off the top of my head:
- A method for describing a risk-based relationship in terms more meaningful to humans than which kind of authentication you prefer. Said another way, my choice of authentication type and method is not a good indicator of the level of risk I am prepared to accept.
- A way to describe the longevity of the relational connection and context. I, as a participant, need a way to say, “This relationship is over.” I can do that in a variety of ways in the real world, and need an analogous way to do that in the virtual world. Further, if my SSL connection is closed, but I am still connected to the RCSL by a tendril of a relationship, what does that mean?
Privacy statements and data retention policies become even more “interesting” in this proposed environment. At the bottom of a relationship is an agreement, either explicit or implicit. In an on-line world, these agreements are usually the things an end-user doesn’t read before checking the box that says, “Yup, I agree.” I wonder what all the terms and conditions would look like for businesses establishing an RCSL-based relationship.
As identity management systems become part of the core infrastructure of business, policy management becomes a harder and harder job. We’re going to have to tackle it someday…