So the idea behind the Identity Oracle seems to be a service that can answer questions about an identity without giving away personal information. The example Bob gives is the person’s age:
Instead, GiCorp’s request looks like this:
“I am allowed to extend service to Bob only if he is above the legal age for this service in the jurisdiction in which he lives. Am I allowed to extend service to Bob?”
And the Identity Oracle’s response looks like this:
It pains me to disagree with someone whom I respect as much as Bob Blakley, but I don’t think there is much promise in this idea. Of course Bob uses the age example, which is the “Hello World” of identity information. What other useful answers could an Identity Oracle provide? The usefulness of this seems limited to personal information that is a simple attribute to which a boolean test could be applied. That seems a pretty small and not very useful set.
Say for instance I want to order some chocolate. The conversation between my Chocolate Provider and my Identity Oracle might sound something like:
Chocolate Provider: Jeff has ordered our Gut Buster size chocolate sampler. Could you give me his home address so we can ship it?
Identity Oracle: I can’t give you that information without violating Jeff’s privacy. Would you like to know if he is over 18?
Chocolate Provider: No thank you. We pretty much sell to anyone who can pay for it. I really need his address.
Identity Oracle: I can’t give you that information without violating Jeff’s privacy. Would you like to know if he is a resident of a specific state or country?
Chocolate Provider: That’s not really specific enough to ensure delivery. Could you give me his phone number?
Identity Oracle: I can’t give you that information without violating Jeff’s privacy. Would you like to know if his medical condition allows him to eat chocolate?
Chocolate Provider: We don’t care if he actually eats it so long as we get paid. Can you give me his email address?
Identity Oracle: I can’t give you that information without violating Jeff’s privacy.
Chocolate Provider: I thought so. Is Jeff bigger than a bread box?
Identity Oracle: Yes! Do I get paid now?
Chocolate Provider: No, just kidding. We’ll cancel his order.
OK, this is a silly example, but I just can’t see much besides age that would fit the Identity Oracle model. I do recognize that many of the companies I do business with collect more information than they really need. But the solution to that is very simple: just don’t collect what you don’t need. But for the information they need, they need the information, not an answer based on that information.
I just can’t see how I could use an Identity Oracle in practice, much less be willing to pay for it.
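The two request shapes discussed above, as an added sketch (not code from Bob Blakley or from this post): the oracle answers GiCorp's policy question with a bare yes/no, and refuses a raw-attribute request like the Chocolate Provider's. All function names, the legal-age table and Bob's record are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data: legal ages per jurisdiction and one subject record.
LEGAL_AGE = {"US-OH": 21, "DE": 18}


@dataclass(frozen=True)
class Subject:
    birth_date: date
    jurisdiction: str
    home_address: str


RECORDS = {"bob": Subject(date(1990, 5, 17), "US-OH", "1 Example St")}


class DisclosureRefused(Exception):
    """Raised when a relying party asks for a raw attribute."""


def age_on(birth: date, today: date) -> int:
    # Subtract one if this year's birthday has not happened yet.
    before_birthday = (today.month, today.day) < (birth.month, birth.day)
    return today.year - birth.year - before_birthday


def may_extend_service(subject_id: str, today: date) -> bool:
    """GiCorp's question: only yes/no leaves the oracle.

    The birth date, the jurisdiction and the threshold that applied
    are all evaluated inside and never returned to the caller.
    """
    s = RECORDS[subject_id]
    return age_on(s.birth_date, today) >= LEGAL_AGE[s.jurisdiction]


def get_attribute(subject_id: str, name: str) -> str:
    """The Chocolate Provider's request: a value, not a predicate.

    There is no boolean form of "where do I ship this", so an oracle
    that only answers yes/no has nothing it can return here.
    """
    raise DisclosureRefused(f"{name} of {subject_id} is not released")
```

The age check collapses to a single bit; the shipping address does not, which is the limitation the chocolate dialogue illustrates.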