Here's a great comment from the smart and witty Paul Madsen. He really his the nail on the head with his “Know your Need” corollory
In announcing Microsoft's purchase of the Credentica patents (and hiring of Stefan's core team), Kim uses the ‘need to know’ analogy.
That danger can be addressed by adopting a need-to-know approach to the Internet.
(For the life of me, I just cannot get Sgt Shultz's ‘I know nothing’ out of my head.)
Credentica's U-prove technology promises to close off a (depending on the deployment environment, potentially big) ‘knowledge leak’ – if the IDP doesn't need to know what/where/why/when/who the user does with the assertions it creates, then the principle of minimal ‘need to know’ means that it shouldn't.
Cardspace seems a great application for U-Prove to prove itself. As Stefan points out, ‘its a good thing’ to influence/control both client and server.
Separately, I see the flip side of ‘need to know’ as ‘know your need’, i.e. entities involved in identity transactions must be able to assess and assert their needs for identity attributes. This is the CARML piece of the Identity Governance Framework). Put another way, before a decision is made as to whether or not some entity ‘needs to know’, it'd be nice to know why they are asking.
I agree that it is sometimes a positive and useful thing for a claims provider to know the user's “what, where, why, when and who”. So everything is a matter of minimization – but within to the requirements of the scenario.
I don't actually buy the “influence/control both client and server” phraseology. I'm fine with influence, but see control as an elusive and worthless goal. That's not how the world works. It works through synergy and energy radiating from everywhere, and those of us who are on this odyssey must tap into that.
