As both a Liberty Dude and an Info Cardian, I am really enjoying a recent thread (Pamela’s post is here, and Paul’s response is here) that covers trust issues and level of assurance for authentication. But then Phil Hunt has to go and bring the Identity Oracle into it.
Phil makes some good points here, but he is conflating different kinds of claims about a person. Specifically he is conflating claims that a person can make about themselves and claims that must be made by a third party.
First party claims such as personal info can and should be made directly by the consumer who owns them. Information Cards provide a convenient way to do that. I see no compelling business case for a third party to make first party claims in a B2C scenario.
Let me put this in a personal way. I own my personal data. I don’t want to depend on a third party to decide who gets my personal data and who doesn’t. I don’t want a third party involved and I see no reason they should be. If that’s not user-centric, then I don’t want user-centric.
And Phil also makes a mistake I have seen often when discussing Identity Oracles and credit scores. The mistake is saying an identity oracle can divulge whether your credit is good enough for the purposes of the transaction without divulging your credit score itself. I don’t believe that is possible in practice. If you say “Jeff’s credit score is as good as %90 of the people who have not defaulted on a loan of that amount”, then you have for practical purposes divulged Jeff’s credit score.