Monday, November 5, 2007

Self-Issued Cards Are More Secure?

Ben Laurie responds to Pam Dingle's post on the issue of self-issued cards vs managed cards. I have to say I disagree!

Self-asserted cards are no more user-centric than plain old web forms. There's nothing user-centric about them. There's nothing giving users more control here at all. The only differences are the convenience of a streamlined form-filling process and, possibly, a stronger authentication mechanism.

What Pam and Ben are missing is that when a third party is involved, the information that needs to be transferred can be dramatically reduced because of the relationship that third party has with both the user and the potential relying party. In her example, Pam was so close to the real value point but missed it. The point is not whether you can propagate a self-issued card to make claims about your credit score; the point is that you can choose a third party (that the relying party trusts) to verify whether your credit is good. No score needs to be transferred and no personal information needs to be revealed. The only thing the relying party needs to know is that Pam's credit is "good" for the purposes identified by the provider.

What I'm talking about is the identity oracle effect: the idea that managed card providers (or, more generally, federated systems) have the ability to act as an Identity Oracle, minimizing the exchange of information. Instead of forcing users to provide all sorts of personal information, a provider can simply say "I know Pam, and you can trust me, her credit is good!".

Self-asserted cards do not add any trust or reliability value - just convenience. Managed cards offer the opportunity via a third-party relationship to reduce the information transferred in the first place.
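The identity oracle exchange described above, sketched as an added example that is not part of the original post: the oracle answers a yes/no question for one relying party and one purpose, and the relying party accepts only what the oracle signed. All names, records and thresholds are constructed, and the shared HMAC key is an assumption standing in for the signed security tokens a real managed-card provider would issue.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key. Assumption: oracle and relying party share an HMAC key;
# a real managed-card provider would sign tokens with its private key instead.
ORACLE_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed records that only the oracle holds; they never leave it.
_RECORDS = {"pam": {"credit_score": 742, "income": 58000},
            "sam": {"credit_score": 600, "income": 41000}}
_POLICY = {"car-loan": 680}  # purpose -> minimum score (constructed)


def _sign(payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ORACLE_KEY, body, hashlib.sha256).hexdigest()


def oracle_assert(subject: str, purpose: str, audience: str, ttl: int = 300) -> dict:
    """Oracle side: answer a yes/no question instead of releasing the record."""
    good = _RECORDS[subject]["credit_score"] >= _POLICY[purpose]
    payload = {"sub": subject, "claim": "credit_good", "value": good,
               "purpose": purpose, "aud": audience, "exp": int(time.time()) + ttl}
    return {"payload": payload, "sig": _sign(payload)}


def rp_accepts(token: dict, me: str, purpose: str) -> bool:
    """Relying party side: trust only what the oracle signed for this audience."""
    payload, sig = token.get("payload"), token.get("sig")
    if not isinstance(payload, dict) or not isinstance(sig, str):
        return False  # self-asserted data carries no oracle signature
    if not hmac.compare_digest(_sign(payload), sig):
        return False  # altered after signing, or not from the oracle
    if payload.get("aud") != me or payload.get("purpose") != purpose:
        return False  # issued for another relying party or another purpose
    if payload.get("exp", 0) < time.time():
        return False  # stale assertion
    return payload.get("claim") == "credit_good" and payload.get("value") is True


if __name__ == "__main__":
    token = oracle_assert("pam", "car-loan", "dealer.example")
    print(json.dumps(token["payload"], sort_keys=True))  # no score, no income
    print("accepted:", rp_accepts(token, "dealer.example", "car-loan"))
```

The audience, purpose and expiry fields are what keep a "good" answer from being replayed to a different relying party or reused later for a different decision.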
