anonymity +- credentials
John S. Denker
jsd at av8n.com
Fri Oct 3 14:32:49 EDT 2003
On 10/03/2003 01:26 PM, R. A. Hettinga wrote:
>
> It seems to me that perfect pseudonymity *is* anonymity.
They're not quite the same thing; see below.
> Frankly, without the ability to monitor reputation, you don't have
> ways of controlling things like transactions, for instance. It's just
> that people are still mystified by the concept of biometric
> is-a-person identity, which strong cryptography can completely
> divorce from reputation.
We agree that identification is *not* the issue, and
that lots of people are confused about this.
I'm not sure "reputation" is exactly the right concept
either; the notion of "credentials" is sometimes better,
and the operating-systems folks speak of "capabilities".
There are three main possibilities:
-- named (unique static handle)
-- pseudonymous (dynamic handles)
-- anonymous (no handle all)
Sometimes pseudonyms are more convenient than having no
handle at all. It saves you the trouble of having to
re-validate your credentials at every micro-step of the
process (whatever the process may be).
Oftentimes pseydonyms are vastly preferable to a static
name, because you can cobble up a new one whenever you
like, subject to the cost of (re)establishing your
credentials from scratch.
The idea of linking (bidirectionally) all credentials
with the static is-a-person identity is a truly terrible
idea. It dramatically *reduces* security. Suppose Jane
Doe happens to have the following credentials
-- Old enough to buy cigarettes.
-- Has credit-card limit > $300.00
-- Has credit-card limit > $3000.00
-- Has car-driving privileges.
-- Has commercial pilot privileges.
-- Holds US citizenship.
-- Holds 'secret' clearance.
When Jane walks into a seedy bar, someone can reasonably
ask to verify her "old-enough" credential. She might
not want this query to reveal her exact age, and she
might *really* not want it to reveal her home address (as
many forms of "ID" do), and she might *really* *really*
not want it to reveal all her other credentials and
capabilities.
*) There is an exploding epidemic of "ID" theft.
That is a sure sign that people keep confusing
capability --> identity and identity --> capabilities.
*) There are those who want us to have a national ID-checking
infrastructure as soon as possible. They think this will
increase security. I think it is a giant step in the wrong
direction.
*) Reputation (based on a string of past interactions) is
one way, but not the only way, to create a credential that
has some level of trust.
=========
We need a practical system for anonymous/pseudonymous
credentials. Can somebody tell us, what's the state of
the art? What's currently deployed? What's on the
drawing boards?
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list