Cryptographic privacy protection in TCPA

AARG!Anonymous remailer at aarg.net
Sat Aug 17 14:45:28 EDT 2002


Dr. Mike wrote, patiently, persistently and truthfully:
>
> On Fri, 16 Aug 2002, AARG! Anonymous wrote:
>
> > Here are some more thoughts on how cryptography could be used to
> > enhance user privacy in a system like TCPA.  Even if the TCPA group
> > is not receptive to these proposals, it would be useful to have an
> > understanding of the security issues.  And the same issues arise in
> > many other kinds of systems which use certificates with some degree
> > of anonymity, so the discussion is relevant even beyond TCPA.
>
> OK, I'm going to discuss it from a philosophical perspective.
> i.e. I'm just having fun with this.

Fine, but let me put this into perspective.  First, although the
discussion is in terms of a centralized issuer, the same issues arise if
there are multiple issuers, even in a web-of-trust situation.  So don't
get fixated on the fact that my analysis assumed a single issuer -
that was just for simplicity in what was already a very long message.

The abstract problem to be solved is this: given that there is some
property which is being asserted via cryptographic certificates
(credentials), we want to be able to show possession of that property
in an anonymous way.  In TCPA the property is "being a valid TPM".
Another example would be a credit rating agency who can give out a "good
credit risk" credential.  You want to be able to show it anonymously in
some cases.  Yet another case would be a state drivers license agency
which gives out an "over age 21" credential, again where you want to be
able to show it anonymously.

This is actually one of the oldest problems which proponents of
cryptographic anonymity attempted to address, going back to David Chaum's
seminal work.  TCPA could represent the first wide-scale example of
cryptographic credentials being shown anonymously.  That in itself ought
to be of interest to cypherpunks.  Unfortunately TCPA is not going for
full cryptographic protection of anonymity, but relying on Trusted Third
Parties in the form of Privacy CAs.  My analysis suggests that although
there are a number of solutions in the cryptographic literature, none of
them are ideal in this case.  Unless we can come up with a really strong
solution that satisfies all the security properties, it is going to be
hard to make a case that the use of TTPs is a mistake.


> I don't like the idea that users *must* have a "certificate".  Why
> can't each person develop their own personal levels of trust and
> associate it with their own public key?  Using multiple channels,
> people can prove their key is their word.  If any company wants to
> associate a certificate with a customer, that can have lots of meanings
> to lots of other people.  I don't see the usefullness of a "permanent
> certificate".  Human interaction over electronic media has to deal
> with monkeys, because that's what humans are :-)

A certificate is a standardized and unforgeable statement that some
person or key has a particular property, that's all.  The kind of system
you are talking about, of personal knowledge and trust, can't really be
generalized to an international economy.


> > Actually, in this system the Privacy CA is not really protecting
> > anyone's privacy, because it doesn't see any identities.  There is no
> > need for multiple Privacy CAs and it would make more sense to merge
> > the Privacy CA and the original CA that issues the permanent certs.
> > That way there would be only one agency with the power to forge keys,
> > which would improve accountability and auditability.
>
> I really, REALLY, *REALLY*, don't like the idea of one entity having
> the ability to create or destroy any persons ability to use their
> computer at whim.  You are suggesting that one person (or small group)
> has the power to create (or not) and revoke (or not!) any and all TPM's!
>
> I don't know how to describe my astoundment at the lack of comprehension
> of history.

Whoever makes a statement about a property should have the power to
revoke it.  I am astounded that you think this is a radical notion.

If one or a few entities become widely trusted to make and revoke
statements that people care about, it is because they have earned that
trust.  If the NY Times says something is true, people tend to believe it.

If Intel says that such-and-such a key is in a valid TPM, people may
choose to believe this based on Intel's reputation.  If Intel later
determines that the key has been published on the net and so can no
longer be presumed to be a TPM key, it revokes its statement.

This does not mean that Intel would destroy any person's ability to use
their computer on a whim.  First, having the TPM cert revoked would not
destroy your ability to use your computer; at worst you could no longer
persuade other people of your trustworthiness.  And second, Intel would
not make these kind of decision on a whim, any more than the NY Times
would publish libelous articles on a whim; doing so would risk destroying
the company's reputation, one of its most valuable assets.

I can't really respond to the remainder of the message.  It doesn't seem
to have anything to do with the real issues.  Hopefully my introduction
above will have put the problem into perspective.  I suggest you educate
yourself on cryptographic technologies for anonymity.  You might start
with David Chaum's early CACM article,
http://www.chaum.com/articles/Security_Wthout_Identification.htm.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com



More information about the cryptography mailing list