Are Identity Oracles Authoritative?
By independentid on Oct 13, 2007
There has been a lot of discussion recently about Bob Blakley's post on the Identity Oracle. Kim Cameron, in particular, has made a couple of posts. Egged on by a post from Dave Kearns, Kim today responds with one more on taxonomy - trying to sort out the difference between systems.
But the real surprise was Kim's conclusion near the end of today's blog entry. Identity Oracles can have greatly increased risk...
For example, consider a health-related Identity Oracle that could
answer the question, "Can Kim take drug X without fear of drug
interactions?". The resultant "yes" or "no" would be a lot more
privacy friendly than releasing all of Kim's drug prescriptions and the
medical information necessary to adequately answer the question.
However, the Identity Oracle presumably assumes more liability by "selling" its "yes" or "no" conclusion than it would by releasing
simple facts (assuming the right permissions and use restrictions were
For a long time now, Prateek Mishra and I have been talking about "attribute authorities". Attribute authorities speak to the idea that providers of information (e.g. Identity Oracles) need to be authoritative about the information they provide. Authoritative can mean, for example, that the business had some participation in generating the information, performed some form of validation, etc. Any time a service provider is collecting information that it does not have a direct interest in, problems are going to arise. In Kim's example, is the Identity Oracle drawing these conclusions because it has amassed such an incredible amount of information about "Kim" (a scary thought)? Or is it in the business of answering questions about prescriptions?
In Kim's example above, the only type of business that could answer that question would likely be a pharmacist's service or a medical business that is in the business of knowing about drug interactions. For example, could HealthVault be in this business? Probably not - it simply isn't authoritative about drawing conclusions based on the evidence it has - regulatory issues notwithstanding.
Instead of uber, all-knowing systems, a better approach would be thinking in terms of an identity meta-system consisting of many authoritative providers of different types of claims. Each provider only asserts claims over which it has some authority and/or a business interest. In this case, provided regulations permit it, only an online drug pharmacist service would be capable of generating such an assertion (if at all).
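One way a relying party could enforce "each provider only asserts claims over which it has some authority" is sketched below. This is an added example, not code from the original post; the issuer names, claim types, keys and the HMAC integrity tag (standing in for a real signature scheme) are all constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed relying-party policy: which issuers are authoritative per claim type.
AUTHORITATIVE = {
    "drug-interaction-safe": {"pharmacy.example"},
    "record-on-file": {"recordstore.example"},
}
# Constructed demo keys; a real deployment would use asymmetric signatures.
ISSUER_KEYS = {
    "pharmacy.example": b"demo-key-pharmacy",
    "recordstore.example": b"demo-key-recordstore",
}

def _tag(key, issuer, claim_type, subject, value):
    """Integrity tag over every field of the assertion."""
    msg = json.dumps([issuer, claim_type, subject, value]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def issue(issuer, claim_type, subject, value):
    """Provider side: build an assertion carrying only the conclusion."""
    tag = _tag(ISSUER_KEYS[issuer], issuer, claim_type, subject, value)
    return {"issuer": issuer, "type": claim_type,
            "subject": subject, "value": value, "tag": tag}

def accept(assertion):
    """Relying party: return (accepted, reason) for one assertion."""
    issuer = assertion.get("issuer")
    key = ISSUER_KEYS.get(issuer)
    if key is None:
        return False, "unknown issuer"
    expected = _tag(key, issuer, assertion.get("type"),
                    assertion.get("subject"), assertion.get("value"))
    supplied = str(assertion.get("tag", ""))
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad integrity tag"
    # A genuine assertion is still refused when its issuer has no
    # authority over this claim type.
    if issuer not in AUTHORITATIVE.get(assertion.get("type"), set()):
        return False, "issuer not authoritative for claim type"
    return True, "accepted"

if __name__ == "__main__":
    print(accept(issue("pharmacy.example", "drug-interaction-safe", "kim", True)))
    print(accept(issue("recordstore.example", "drug-interaction-safe", "kim", True)))
```

The second call is rejected even though its tag verifies: holding the underlying records does not make the record store authoritative for the conclusion.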