anonymity +- credentials

Ian Grigg iang at systemics.com
Wed Oct 8 10:16:14 EDT 2003


Anton Stiglic wrote:
> 
> ----- Original Message -----
> From: "Ian Grigg" <iang at systemics.com>
> 
> > [...]
> > In terms of actual "practical" systems, ones
> > that implement to Brands' level don't exist,
> > as far as I know?
> 
> There were however several projects that implemented
> and tested the credentials system.  There was CAFE, an
> ESPRIT project.


CAFE now has a published report on it, so it
might actually be accessible.  I'm not sure
if any of the tech is available.


> At Zeroknowledge there was working implementation written
> in Java, with a client that ran on a blackberry.
> 
> There was also the implementation at ZKS of a library in C
> that implemented Brands's stuff, in which I participated.
> The library implemented issuing and showing of credentials,
> with a limit on the number of possible showings (if you passed
> the limit, identity was revealed, thus allowing for off-line
> verification of payments for example.  If you did not pass the
> limit, no information about your identity was revealed).
> The underlying math was modular, you could work in a
> subgroup of Z*p for prime p, or use Elliptic curves, or
> base it on the RSA problem.  We plugged in OpenSSL
> library to test all of these cases.
> Basically we implemented the protocols described in
> [1], with some of the extensions mentioned in the conclusion.
> 
> The library was presented by Ulf Moller at some coding
> conference which I don't recall the name of...


Is any of this published?  I'd assumed not,
ZKS were another company obscuring their
obvious projects with secrecy.

> It was to be used in Freedom, for payment of services,
> but you know what happened to that project.


Reality caught up to them, I heard :)  As
Eric R recently commented, there is no
shortage of encrypted comms projects being
funded and .. collapsing when they discover
that selling secure comms is not a demand-
driven business model.


> Somebody had suggested that to build an ecash system
> for example, you could start out by implementing David
> Wagner's suggestion as described in Lucre [2], and then
> if you sell and want extra features and flexibility get the
> patents and implement Brands stuff.


Back in '98 or so, I got involved with a project
to do bearer stuff.  I even went so far as to
commission a review of all the bearer protocols
(Cavendish, Chaum, Brands, Wagner, Mariott, etc
etc).  Brands came out as the best (please don't
ask me why), so Stefan and I spent many a pleasurable
negotiating session in Dutch bars trying to hammer
out a licence.  Unfortunately we didn't move fast
enough to lock up the terms, and he went off to
bigger and better things - ZKS.

Since then, we toyed around with adding tokens to WebFunds.
We started out thinking about Wagner, but what
transpired was that it was just as easy to make
the whole lot available at once.  Now we have a
framework.  (It's an incomplete project, but we
recently picked it up again after a long period
of inactivity, as there is a group that has figured
out how to use it for a cool project.)  The protocol
only covers single phase withdrawals, not two
phase, so far.


> Similar strategy
> would seem to apply for digital credentials in general.


Perhaps!  I don't understand the model for credentials,
but if they can all be put into a block-level protocol,
then sharing the code base is a mighty fine idea.


> > There is an alternate approach, the E/capabilities
> > world.  Capabilities probably easily support the
> > development of pseudonyms and credentials, probably
> > more easily than any other system.   But, it would
> > seem that the E development is still a research
> > project, showing lots of promise, not yet breaking
> > out into the wider applications space.
> >
> > A further alternate is what could be called the
> > hard-coded pseudonym approach as characterised
> > by SOX.  (That's the protocol that my company
> > wrote, so normal biases expected.)  This approach
> > builds pseudonyms from the ground up, which results
> > in a capabilities model like E, but every separate
> > use of the capability must be then re-coded in hard
> > lines by hardened coders.
> 
> Do you have any references on this?


The capabilities guys hang around here:

http://erights.org/
http://www.eros-os.org/

SOX protocol is described here:

http://webfunds.org/guide/sox.html


iang
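An added illustration of the show-limit property Anton describes (a credential that can be shown k times without leaking anything about the holder, while a (k+1)-th show reveals the identity). This is example code written for this page; it is not the ZKS library, not CAFE, and not Brands' actual protocol from [1]. It uses a simpler construction that has the same property: the identity u is hidden at f(0) of a secret degree-k polynomial whose coefficients are Pedersen-committed in a prime-order subgroup of Z*p; each show reveals f(c) for a verifier-chosen challenge c, and k+1 transcripts let the verifier interpolate u. The group parameters (p = 2039, q = 1019, generators 4 and 9), the identity values and the challenges are constructed toy values, and the issuer's signature on the commitments is omitted.

```python
import secrets
from secrets import SystemRandom

# Constructed toy parameters (NOT production sizes): safe prime p = 2q+1 and
# two generators of the order-q subgroup of Z*_p. The discrete log of H to
# base G is assumed to be unknown to the credential holder (binding).
P = 2039
Q = 1019
G = 4   # 2^2 mod p: a quadratic residue, hence of prime order q
H = 9   # 3^2 mod p: likewise of order q


def poly_eval(coeffs, x, mod):
    """Evaluate coeffs[0] + coeffs[1]*x + ... + coeffs[k]*x^k mod `mod` (Horner)."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % mod
    return acc


class Credential:
    """Holder side of a k-show credential (hypothetical simplified scheme).

    The identity u sits at f(0) of a secret degree-k polynomial f. Each show
    reveals f(c) for a challenge c != 0. Any k evaluations are consistent
    with every possible u (the k random coefficients act as a one-time pad),
    so k shows leak nothing; k+1 distinct evaluations determine f, hence u.
    """

    def __init__(self, identity, k):
        self.k = k
        self.f = [identity % Q] + [secrets.randbelow(Q) for _ in range(k)]
        self.s = [secrets.randbelow(Q) for _ in range(k + 1)]  # blinding poly
        # Pedersen commitments C_i = g^{a_i} h^{s_i} to each coefficient pair.
        # A real credential would carry the issuer's signature on these.
        self.commitments = [pow(G, a, P) * pow(H, s, P) % P
                            for a, s in zip(self.f, self.s)]

    def show(self, challenge):
        """Answer challenge c with (f(c), s(c)) so the verifier can check
        g^{f(c)} h^{s(c)} == prod_i C_i^{c^i}."""
        c = challenge % Q
        if c == 0:
            raise ValueError("challenge must be nonzero: f(0) is the identity")
        return poly_eval(self.f, c, Q), poly_eval(self.s, c, Q)


def verify_show(commitments, challenge, response):
    """Verifier check that (y, z) is an honest evaluation of the committed
    polynomials at `challenge`."""
    y, z = response
    c = challenge % Q
    lhs = pow(G, y, P) * pow(H, z, P) % P
    rhs, c_pow = 1, 1
    for com in commitments:
        rhs = rhs * pow(com, c_pow, P) % P
        c_pow = c_pow * c % Q
    return lhs == rhs


def recover_identity(transcripts, k):
    """Given transcripts (c_j, y_j), Lagrange-interpolate f(0) = u over Z_q.
    Returns None while fewer than k+1 distinct challenges are available,
    i.e. while the holder is still within the show limit."""
    pts = {c % Q: y for c, y in transcripts}          # one point per challenge
    if len(pts) < k + 1:
        return None
    pts = list(pts.items())[:k + 1]
    u = 0
    for j, (cj, yj) in enumerate(pts):
        num, den = 1, 1
        for m, (cm, _) in enumerate(pts):
            if m != j:
                num = num * (-cm) % Q                 # (0 - c_m)
                den = den * (cj - cm) % Q             # (c_j - c_m)
        u = (u + yj * num * pow(den, -1, Q)) % Q
    return u


def demo(identity=777, k=2):
    """Show k times (identity stays hidden), then once more (revealed).
    Returns (recovered_after_k_shows, recovered_after_k_plus_1_shows)."""
    cred = Credential(identity, k)
    challenges = SystemRandom().sample(range(1, Q), k + 1)  # distinct, nonzero
    log = []
    for c in challenges:
        resp = cred.show(c)
        assert verify_show(cred.commitments, c, resp), "forged show"
        log.append((c, resp[0]))                   # what the verifier keeps
    return recover_identity(log[:k], k), recover_identity(log, k)


if __name__ == "__main__":
    print(demo())   # (None, 777)
```

The verifier only ever stores the (challenge, response) pairs; it needs no secret of its own to recover u, which is what makes the scheme usable for off-line checking as in the payment case Anton mentions. What this toy leaves out relative to a deployable credential is the issuer's signature binding the commitments to a real identity and the blinding that makes separate shows unlinkable to the issuing.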

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com