Identity Oracle & authoritative data sources

October 15, 2007 at 10:27 pm 4 comments

I’ve been watching the posts on the Identity Oracle from the sidelines so far. It started with a post from Bob Blakley, who discussed the importance of identity metadata providers, aka Identity Oracles.

This was followed by several other posts, including three from Kim Cameron: Burton Group goes to Mainstreet, Bob Blakley on the Identity Oracle, and Business, Model, Scenario and Technology.

However, what really got my attention was a comment from Frank Yeh to Bob Blakley’s post, “So in order for the Meta-Identity Service Provider to have something of value… the data must be validated by someone when entered.” In the same vein, Phil Hunt from Oracle said, “… a better approach would be thinking in terms of an identity meta-system consisting of many authoritative providers of different types of claims. Each provider only asserts claims over which it has some authority and/or business interest in doing so.”

And there you have it. These two comments neatly describe one of the core drivers for New Zealand’s IDDY Award-winning concept. The concept's working title is the somewhat intimidating GOAAMS, or Government Online Attribute Assertion Meta System.

GOAAMS provides a framework by which authoritative information (including identity metadata) that government agencies hold about people and organisations can be asserted directly from the source to other government agencies, online and in real time, at the request of the person or organisation concerned. Each agency will only assert the information for which it is the authoritative source.

Extending the concept to sources and consumers of authoritative information in the private sector is under consideration, but it does pose some policy and legislative challenges.

The benefits, as described in the Liberty Alliance press release, are “the convenience of being able to request and control the sending of authoritative information as well as quicker and more consistent government services and entitlement decisions within a secure and privacy-respecting framework.”

For agencies, the business benefits are, “Participating organizations can access authoritative information in real-time and directly from the source. This leads to reduced compliance costs for businesses, lower operational costs and reduces risks by avoiding paper documents as a secondary source of information.”

So, not only is the Identity Oracle a viable concept, it’s one that is under active consideration by the New Zealand Government.

Entry filed under: government, identity, igovt, Lib_Alliance, network, NZ, personal_info, strategy.

4 Comments

  • 1. Bob Blakley  |  October 18, 2007 at 2:46 pm

    Thanks for the commentary! I agree that there will in the long run be a variety of identity oracles, each of which has some degree of authority for a particular set of assertions.

    What I’d beg the New Zealand government and others to consider, however, is changing the model from “organizations accessing authoritative information in real-time” to “organizations receiving reliance statements in real-time from authoritative sources who are prepared to back their claims with assumption of liability in the case of inaccuracy”.

    The reason for this is simple; an authoritative source which hands out the subject’s personal information to a participating organization reduces one risk (the risk that the relying party will get inaccurate information about the data subject) but it leaves two other risks untouched: (1) the risk that the data subject’s privacy will be compromised by a failure of the participating organization’s security measures, and (2) the risk that the participating organization, having inadvertently or maliciously disclosed the data subject’s information, will be subject to reputation damage, regulatory penalties, and civil court actions.

    The idea of the Identity Oracle, at its core, is that the oracle does NOT hand out data to its relying-party customers; instead it answers their questions about what services should be extended to the data subject. It answers these questions based on its knowledge of the data subject’s personal information, but it refuses to create privacy liability for the subject and regulatory liability for the relying party by handing over the sensitive information to the relying party. In other words, it never “sends” authoritative information about data subjects to anyone; instead it “sends” its own opinions – backed by a guarantee and assumption of some amount of liability – which are based on that information.

    Reply
  • 2. Vikram  |  October 18, 2007 at 8:43 pm

    Interesting comments Bob, thanks.
    First, changing the model to receive reliance statements. Good point. I’m not sure it’s about changing the model but changing the perspective/focus to user benefits, user control, and user initiation (which is all good stuff).
    Second, the issue of liability. I think this is an area that requires further work but can see that coming up with an answer that works for everyone is central to the success of the concept.
    Finally, at least from the GOAAMS side, there seems to be a need for both personal data and metadata in different circumstances. GOAAMS is designed to do both, i.e. it is not only an Identity Oracle but a way for authoritative information to also be given to the Service Provider at the request of, and under the control of, the user.
    For example, if the Service Provider requires the date of birth of the user, the user can request the authoritative source to send that. On the other hand, if the Service Provider requires proof that the person is above 18, the reply will be yes/no, not the date of birth itself.
    Also, in GOAAMS, each attribute authority will in some way need to declare the level of confidence to which it asserts the user’s attributes. This feeds into the liability model discussion based on an approach that is risk-based rather than absolute confidence.

    Reply
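
The date-of-birth versus over-18 distinction in the comment above, together with the post's rule that each agency asserts only what it is authoritative for, as an added Python example that is not part of the original post or of GOAAMS. All class, claim and subject names are hypothetical, and the sample record is constructed.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Assertion:
    issuer: str
    claim: str
    value: object      # bool for oracle-style answers, raw data otherwise
    confidence: str    # level declared by the asserting authority


class AttributeAuthority:
    """Hypothetical agency that asserts only claims it is the source for."""

    def __init__(self, name, authoritative_for, confidence, records):
        self.name = name
        self.authoritative_for = frozenset(authoritative_for)
        self.confidence = confidence
        self._records = records  # subject id -> date of birth (constructed)

    def assert_claim(self, subject, claim, user_consented, today):
        # User control: nothing leaves the source unless the subject asked.
        if not user_consented:
            raise PermissionError("subject did not request this assertion")
        # Each authority refuses claims outside its own remit.
        if claim not in self.authoritative_for:
            raise LookupError(f"{self.name} is not authoritative for {claim}")
        dob = self._records[subject]
        if claim == "date_of_birth":  # full disclosure, only when required
            return Assertion(self.name, claim, dob, self.confidence)
        if claim == "over_18":
            # Yes/no answer: the date of birth itself stays at the source.
            had_birthday = (today.month, today.day) >= (dob.month, dob.day)
            age = today.year - dob.year - (0 if had_birthday else 1)
            return Assertion(self.name, claim, age >= 18, self.confidence)
        raise LookupError(f"no rule for claim {claim}")


# Constructed sample: one registry holding one subject's record.
REGISTRY = AttributeAuthority(
    "births-registry", {"date_of_birth", "over_18"}, "high",
    {"subject-1": date(1990, 3, 15)},
)

if __name__ == "__main__":
    print(REGISTRY.assert_claim("subject-1", "over_18", True, date(2008, 3, 15)))
```
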
  • […] the IVS or Identity Verification Service and then GOAAMS or Government Online Attribute Assertion Meta System is added to igovt, then it’s a whole new ballgame for […]

    Reply
  • […] is where GOAAMS (slides) comes […]

    Reply
