Principle of Least Knowledge

Ben Hyde illustrates the thinking behind what I've started calling the principle of least knowledge with an excellent privacy scenario:

I join a library, anonymously. They give me a membership card - presumably some digital object signed by the library. I didn't tell them who I am, or where I live, or etc. etc. I really value my privacy! But the library isn't willing to let me borrow any books. They need to know two things first: do I live in town, and will somebody they trust vouch that I return my library books? So I go to the town's privacy server and have it add an assertion to the library card that says "lives in town", and I go to my university's privacy server and have them add an assertion that says "four years a student, returned all books." My true identity is still not revealed on the library card; but now they know all they need to know and they are willing to grant me the right to borrow books.

What Ben illustrates here is that the library needs only two items of knowledge to provide its service. The present-day method of acquiring that knowledge requires you to fill out forms and perhaps have them signed by a referee. Those forms take far more information from you than is necessary, because there is no infrastructure in place to handle the trust issues any other way.
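The exchange Ben describes, written out as an added toy example (not code from the post): the card carries only a random id, each privacy server binds one claim to that id, and the library checks the claims it needs without ever learning who the borrower is. HMAC under per-party keys stands in for the digital signatures the scenario implies (an assumption made so the example runs on the standard library alone; a real design would use asymmetric signatures so the verifier cannot forge assertions), and all keys and names are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed per-party keys; HMAC stands in for real digital signatures (assumption).
KEYS = {name: secrets.token_bytes(32) for name in ("library", "town", "university")}

def _sign(signer, payload):
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(KEYS[signer], msg, hashlib.sha256).hexdigest()

def _verify(signer, payload, sig):
    return hmac.compare_digest(_sign(signer, payload), sig)

def issue_card():
    # Anonymous membership: the card holds a random id and the library's signature, nothing else.
    card = {"card_id": secrets.token_hex(16)}
    return {**card, "sig": _sign("library", card)}

def add_assertion(card, attester, claim):
    # A privacy server binds exactly one claim to the card id; it sees no other card data.
    body = {"card_id": card["card_id"], "attester": attester, "claim": claim}
    return {**body, "sig": _sign(attester, body)}

# The two items of knowledge the library needs, and whom it trusts to vouch for each.
REQUIRED = {
    "town": "lives in town",
    "university": "four years a student, returned all books",
}

def may_borrow(card, assertions):
    """Library decision: a valid card plus one trusted, correctly bound assertion per need."""
    if not _verify("library", {"card_id": card["card_id"]}, card["sig"]):
        return False
    satisfied = set()
    for a in assertions:
        body = {k: a[k] for k in ("card_id", "attester", "claim")}
        if a["card_id"] != card["card_id"]:
            continue  # assertion belongs to a different card
        if a["attester"] not in REQUIRED:
            continue  # the library does not trust this voucher
        if not _verify(a["attester"], body, a["sig"]):
            continue  # tampered or forged assertion
        if a["claim"] == REQUIRED[a["attester"]]:
            satisfied.add(a["attester"])
    return satisfied == set(REQUIRED)
```

Note that nothing the library verifies contains a name or address; a second card issued to the same person is unlinkable to the first, since each assertion is bound to a card id rather than to an identity.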


