anonymity +- credentials

John S. Denker jsd at av8n.com
Fri Oct 3 14:32:49 EDT 2003


On 10/03/2003 01:26 PM, R. A. Hettinga wrote:
 >
 > It seems to me that perfect pseudonymity *is* anonymity.

They're not quite the same thing; see below.

 > Frankly, without the ability to monitor reputation, you don't have
 > ways of controlling things like transactions, for instance. It's just
 > that people are still mystified by the concept of biometric
 > is-a-person identity, which strong cryptography can completely
 > divorce from reputation.

We agree that identification is *not* the issue, and
that lots of people are confused about this.

I'm not sure "reputation" is exactly the right concept
either;  the notion of "credentials" is sometimes better,
and the operating-systems folks speak of "capabilities".

There are three main possibilities:
  -- named (unique static handle)
  -- pseudonymous (dynamic handles)
  -- anonymous (no handle at all)

Sometimes pseudonyms are more convenient than having no
handle at all.  It saves you the trouble of having to
re-validate your credentials at every micro-step of the
process (whatever the process may be).

Oftentimes pseudonyms are vastly preferable to a static
name, because you can cobble up a new one whenever you
like, subject to the cost of (re)establishing your
credentials from scratch.

The idea of linking (bidirectionally) all credentials
with the static is-a-person identity is a truly terrible
idea.  It dramatically *reduces* security.  Suppose Jane
Doe happens to have the following credentials
  -- Old enough to buy cigarettes.
  -- Has credit-card limit > $300.00
  -- Has credit-card limit > $3000.00
  -- Has car-driving privileges.
  -- Has commercial pilot privileges.
  -- Holds US citizenship.
  -- Holds 'secret' clearance.

When Jane walks into a seedy bar, someone can reasonably
ask to verify her "old-enough" credential.  She might
not want this query to reveal her exact age, and she
might *really* not want it to reveal her home address (as
many forms of "ID" do), and she might *really* *really*
not want it to reveal all her other credentials and
capabilities.

*) There is an exploding epidemic of "ID" theft.
That is a sure sign that people keep confusing
capability --> identity and identity --> capabilities.

*) There are those who want us to have a national ID-checking
infrastructure as soon as possible.  They think this will
increase security.  I think it is a giant step in the wrong
direction.

*) Reputation (based on a string of past interactions) is
one way, but not the only way, to create a credential that
has some level of trust.

=========

We need a practical system for anonymous/pseudonymous
credentials.  Can somebody tell us, what's the state of
the art?  What's currently deployed?  What's on the
drawing boards?


---------------------------------------------------------------------
The Cryptography Mailing List