Friday, January 20, 2006

Testing, testing

In the Liberty Web Services Framework, the Data Services Template provides a design pattern for identity services to (optionally) avail themselves of. At its most basic, DST defines a CRUD pattern so that specifications for individual identity services (e.g. for calendar data, for geolocation, for presence, etc.) don't have to reinvent the wheel.

A key piece of upcoming functionality in DST is the ability to test identity attributes without necessarily actually sharing them. In many situations, a request for a user's identity is motivated by the requestor wishing to ask a question about the data rather than needing to know its actual value. Examples include 'Is this person under 18?' (or more generally 'Is this person a minor?'), 'Is this person a Gold-Level Frequent Flyer?' etc.

While the requestor could ask for the data itself and then determine the answer, this means sharing the attribute when such sharing isn't necessary. Minimal disclosure (surely some sort of Identity Law) dictates that a requestor should ask for, and a provider subsequently release, only the minimally acceptable amount of identity.

If, in order to deliver some service, all a provider needs to know is whether I'm over 18 years old, telling it that I'm (a spry) 42 breaks the principle. If, in order to bombard me with unwanted mobile coupons for a muffin, all a coffee shop chain needs to know is when I'm within 500 m of one of its stores, my mobile provider telling it my actual location (even if obfuscated through accuracy limitations) unnecessarily shares my identity info.

I expect there is an 'Identity Corollary' in here.
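A provider-side sketch of the test-without-sharing idea, using the three questions above. This is an added example, not DST's schema or Liberty code; every name in it (`answer_test`, `TESTS`, `POLICY`, `STORES`, the requestor ids) and all sample data are assumptions made up for illustration.

```python
# Added illustration: hypothetical names and constructed data, not the DST schema.
import math
from datetime import date

# Constructed sample attributes held by the identity provider.
PROFILE = {"birth_date": date(1963, 6, 1), "flyer_tier": "Gold",
           "location": (37.7750, -122.4183)}  # (lat, lon)
# Store coordinates registered with the provider in advance (constructed).
STORES = [(37.7775, -122.4183)]

def _age(born, today):
    # Whole years elapsed; subtract one if this year's birthday has not passed.
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))

def _metres(a, b):
    # Haversine great-circle distance between two (lat, lon) points.
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(h))

# Thresholds (18 years, 500 m) and the store list are fixed on the provider
# side, so a requestor cannot vary them between calls.
TESTS = {
    "is_minor": lambda p, today: _age(p["birth_date"], today) < 18,
    "is_gold_flyer": lambda p, today: p["flyer_tier"] == "Gold",
    "near_store": lambda p, today: any(_metres(p["location"], s) <= 500 for s in STORES),
}

# Which requestor may ask which question (constructed policy).
POLICY = {"video-site": {"is_minor"}, "airline": {"is_gold_flyer"},
          "coffee-chain": {"near_store"}}

def answer_test(requestor, test_name, today, profile=PROFILE):
    """Return only True/False; the attribute value never leaves the provider."""
    if test_name not in POLICY.get(requestor, set()):
        raise PermissionError(f"{requestor} may not run {test_name}")
    return bool(TESTS[test_name](profile, today))

if __name__ == "__main__":
    today = date(2006, 1, 20)
    print(answer_test("video-site", "is_minor", today))      # age stays private
    print(answer_test("coffee-chain", "near_store", today))  # location stays private
```

The requestor learns one bit per permitted question: the video site is told the user is not a minor without learning the age, and the coffee chain is told the user is near a store without receiving coordinates.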
