Is Jeff bigger than a bread box?
A thread about something called an Identity Oracle has spun out of the LLP thread. Bob Blakley describes an Identity Oracle here. Kim Cameron has his take here. So the idea behind the Identity Oracle seems to be a service that can answer questions about an identity without giving away personal information. The example Bob gives is the person’s age:
Instead, GiCorp’s request looks like this:
"I am allowed to extend service to Bob only if he is above the legal age for this service in the jurisdiction in which he lives. Am I allowed to extend service to Bob?"
And the Identity Oracle’s response looks like this:
"Yes."
It pains me to disagree with someone who I respect as much as Bob Blakley, but I don’t think there is much promise in this idea. Of course Bob uses the age example, which is the "Hello World" of identity information. What other useful answers could an Identity Oracle provide? The usefulness of this seems limited to personal information that is a simple attribute to which a boolean test could be applied. That seems a pretty small and not very useful set.
Say, for instance, I want to order some chocolate. The conversation between my Chocolate Provider and my Identity Oracle might sound something like:
Chocolate Provider: Jeff has ordered our Gut Buster size chocolate sampler. Could you give me his home address so we can ship it?
Identity Oracle: I can’t give you that information without violating Jeff’s privacy. Would you like to know if he is over 18?
Chocolate Provider: No thank you. We pretty much sell to anyone who can pay for it. I really need his address.
Identity Oracle: I can’t give you that information without violating Jeff’s privacy. Would you like to know if he is a resident of a specific state or country?
Chocolate Provider: That’s not really specific enough to ensure delivery. Could you give me his phone number?
Identity Oracle: I can’t give you that information without violating Jeff’s privacy. Would you like to know if his medical condition allows him to eat chocolate?
Chocolate Provider: We don’t care if he actually eats it so long as we get paid. Can you give me his email address?
Identity Oracle: I can’t give you that information without violating Jeff’s privacy.
Chocolate Provider: I thought so. Is Jeff bigger than a bread box?
Identity Oracle: Yes! Do I get paid now?
Chocolate Provider: No, just kidding. We’ll cancel his order.
OK, this is a silly example, but I just can’t see much besides age that would fit the Identity Oracle model. I do recognize that many of the companies I do business with collect more information than they really need. But the solution to that is very simple: just don’t collect what you don’t need. But for the information they need, they need the information, not an answer based on that information.
I just can’t see how I could use an Identity Oracle in practice, much less be willing to pay for it.
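The age exchange quoted from Bob Blakley above and the refused address request in the chocolate dialogue, modelled as an added Python example (not code from this post or from Blakley's proposal). The class and method names, the legal-age table and the subject records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed, illustrative policy table: (service, jurisdiction) -> legal age.
LEGAL_AGE = {("alcohol", "US-MN"): 21, ("alcohol", "DE"): 16}

@dataclass(frozen=True)
class Subject:
    name: str
    birth_date: date
    jurisdiction: str
    home_address: str

class DisclosureRefused(Exception):
    """A relying party asked for a raw attribute instead of a decision."""

class IdentityOracle:
    def __init__(self, subjects, today):
        self._subjects = {s.name: s for s in subjects}
        self._today = today
        self.audit_log = []  # (relying party, subject, question, outcome)

    def _age(self, s):
        t, b = self._today, s.birth_date
        return t.year - b.year - ((t.month, t.day) < (b.month, b.day))

    def may_extend_service(self, rp, subject_name, service):
        """Answer only yes/no. The threshold comes from the oracle's own
        policy table (an assumption here), never from the relying party."""
        s = self._subjects.get(subject_name)
        limit = LEGAL_AGE.get((service, s.jurisdiction)) if s else None
        # Fail closed: an unknown subject or unknown policy is a "No".
        answer = limit is not None and self._age(s) >= limit
        self.audit_log.append((rp, subject_name, service, answer))
        return answer

    def get_attribute(self, rp, subject_name, attribute):
        """Raw attributes (address, phone, email) are never released."""
        self.audit_log.append((rp, subject_name, attribute, "refused"))
        raise DisclosureRefused(f"{attribute} of {subject_name} is not disclosed")

def demo_oracle():
    # Constructed sample subjects; "today" is fixed so results are reproducible.
    return IdentityOracle([
        Subject("Bob", date(1980, 5, 1), "US-MN", "1 Example St"),
        Subject("Jeff", date(1990, 10, 11), "DE", "2 Example Ave"),
        Subject("Alice", date(1990, 10, 11), "US-MN", "3 Example Rd"),
    ], today=date(2007, 10, 10))
```

Jeff and Alice share a birth date but live in different jurisdictions, so the same question gets different answers without the relying party learning either the age or the jurisdiction.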
_____
tags: Oracles
Posted by Dave Kearns at 2007-10-10 19:20
Actually, Jeff, the chocolate company doesn't need your address (unless they're running their own trucks), the shipping company does. So UPS can ask the Oracle for Jeff's address, the chocolate company only needs to know the preferred shipper...
More examples
Posted by Eric Norman at 2007-10-10 19:30
The question that a service provider really wants the answer to is, "Should I honor this request". In that light, here are some other examples of questions that might be asked of an identity oracle that aren't as simple as age.
Should I accept this credit card?
Should I fill this prescription?
Should I sell this customer this firearm?
All of the above are about reducing risk to the RP, and the RP just might be happy to pay for that.
