Ben Laurie blathering

Selective Disclosure, At Last?

Apparently it’s nearly five years since I first wrote about this and now it finally seems we might get to use selective disclosure.

I’m not going to re-iterate what selective disclosure is good for and apparently my friend Ben Hyde has spared me from the need to be cynical, though I think (I am not a lawyer!) he is wrong: the OSP applies to each individual specification – you are not required to use them in the context of each other.

So, for now, I will just celebrate the fact that Microsoft has finally made good on its promise to open up the technology, including BSD-licensed code. Though I guess I will have to inject one note of cynicism: a quick glance at the specification (you can get it here) suggests that they have only opened up the most basic use of the technology: the ability to assert a subset of the signed claims. There’s a lot more there. I hope they plan to open that up, too (how long will we have to wait, though?).


  1. Heh, as soon as I saw this news, I came over here to see what you had to say about it. 🙂 Going to read your previous paper on selective disclosure but what about the particular implementation through cryptographic tokens, any opinion on that? Reminds me of the various cryptographic scrip approaches like DigiCash or Millicent that never went anywhere, which I’ve heard being blamed on consumers not caring about anonymity while merchants and/or banks were actively against it.

    Comment by sprewell — 4 Mar 2010 @ 13:52

  2. The advantage for this should be obvious for everyone who read the abstract of stefan brands dissertation.

    But why on earth would Microsoft be an answer to this problem?

    When companies manage your credentials, you will get the exact opposite of ‘control over your data’. Unless of course you want to pay for this service, in which case nobody will use it. At any rate, they will try to make money out of it *somehow*. Thats their purpose. We’ve also seen often enough how companies will try to get and keep their monopoly, so no surprise here either.

    If you want it to be fair, write an RFC and wait for somebody with too much time to implement it. We don’t need another half-assed MS standard.

    Comment by pepe — 4 Mar 2010 @ 15:46

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress