[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Credentials Without Identity

On Sat, 4 Nov 1995, Timothy C. May wrote:

> (And as a measure of how apologetic some folks are getting about discussing
> anything not on Perry's List of Approved Topics, Rich unfortunately labeled
> his post "[ID point semi-off-topic]..." In fact, the issue of credentials
> and identity is NOT off-topic, not even semi-off-topic. It is central to
> the themes of our list. I urge all to read Chaum's seminal work on
> "credentials without identity.")

Thanks for the newbie correction.

In case anyone else is new to this, I couldn't find that paper, but Chaum's
ideas and references are at http://www.digicash.com/publish/sciam.html

> >Proving legal residency requires a combination of two documents, one each
> >from specified lists. Most commonly a driver's license, green card (which
> >is actually pink), or birth certificate from list A, and a social
> >security card from list B.
> >
> >Chris Hibbert's SSN FAQ talks a little bit about how this works, and why
> >it's a Good Thing. Basically, for privacy and security reasons, it is a
> >very good idea to separate the issues of identity and authorization.
> >
> >I don't care how securely you can authenticate who I am -- by PGP, retinal
> >scan, whatever. I do not want a single digitizable token to be the key to
> >my identity. Even if that identity cannot be forged (and everything can be
> >forged), it can be used to track me, by the government, by the Direct
> >Marketing Association, by the private investigators of certain wacky
> ....
> Rich's (or Chris') points are admirable, but getting more and more
> irrelevant by the day. The notion of unlinking identity and authorization
> by separate pieces of identification is another form of "security through
> obscurity."

True. But until digital technology becomes ubiquitous, we're stuck with
it, and it does help. I see no analog, well, analog to credential 
technology. It absolutely requires machines that can generate and handle 
large random numbers. Right?

My point was, even people who should know better, like the managers and
clients of FBOI ([email protected]), are relying on security through appeal
to irrelevant crypto authority, which is even worse. Using your primary
pgp key as a traceable link to your credit card number or bank account can
be just as bad as publishing your credit card number. 
> Happily, Chaum's work on "credentials without identity," based essentially
> on the kind of "blinding" used in digital cash (with some differences, of
> course), allows for one to display a credential showing one is old enough
> to enter a bar or library (in 2005), without revealing a name (which is
> just another credential).

I haven't yet fully digested this concept, but don't you get into a bit of
a chicken-and-egg problem when you start applying this to things like
proof of age and citizenship? Until you reach a certain age, you're not
going to remember your passphrase. I still think there's a role for
private keys held by some authority (I realize that's not a popular word). 

I'd guess this would be addressed by a "secret sharer"/secsplit kind of
thing, where your parents hold a combination of keys that together can
represent your secret key until you're old enough to change it yourself. 
Still I'd worry about what kind of information was gathered about me in my
youth, and how that might be carried over into maturity.