Unforgeable Blinded Credentials

Hal Finney hal at finney.org
Tue Apr 4 18:24:48 EDT 2006


Ben Laurie writes:
> If I have understood your description correctly it seems to me that this
> is defeated if, rather than sharing the master certificate, the bad guy
> allows their friend to proxy to them for whatever proofs are required.
> That way they never have to give up the precious master cert, but the
> friend's slave certs still work.

That's a good point, proxies are another way to get around limitations on
credential sharing.  Attempts to embed sensitive secrets in credentials
don't work because there are no sensitive secrets today.  You could
use credit card numbers or government ID numbers (like US SSN) but in
practice such numbers are widely available to the black hat community.
Someone getting a credential using a stolen identifier won't be deterred
from sharing it, if the only deterrence is fear of the identifier
becoming public.

Blacklisting seems to me to be the only good solution, and in fact it
is the one proposed for the only proposed deployment of this technology
I am aware of, Direct Anonymous Attestation proposed for the Trusted
Computing Group, http://www.zurich.ibm.com/security/daa/ .  This is
based on the CL signatures I referenced earlier.

Trusted Computing systems have a credential which they are supposed
to show to prove they are legit.  But if these showing instances
are linkable it is a privacy violation.  (In practice IP address is
normally going to provide just as much linkability, so for the most
part this is all political posturing IMO, but in principle this would
let you authenticate over TOR and retain your privacy.)  DAA provides
optionally unlinkable credential showing and relies on blacklisting to
counter credential sharing.  Actually the credentialed keys are supposed
to be protected by hardware, so this is a second layer of defense in
case someone figures out how to extract them from the chips.

I'm skeptical that this will actually go forward; we are all familiar
with the arguments against Trusted Computing proposals.  But it is still
of theoretical interest as a case study for unlinkable credentials which
might actually be fielded in the near future.

Hal Finney

---------------------------------------------------------------------
The Cryptography Mailing List
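
Added example, not part of the original message and not DAA's actual code: a simplified model of how a verifier can blacklist an extracted key while showings stay unlinkable, using a pseudonym of the form N = zeta^f. The toy modulus, the function names and the hash-to-group helper are assumptions made for illustration, and the zero-knowledge proof that f is the certified secret is left out.

```python
import hashlib
import secrets
from typing import List, Optional, Tuple

# Toy modulus (the Mersenne prime 2^127 - 1): illustration only,
# far too small for real use.
P = 2**127 - 1

def _hash_to_group(data: bytes) -> int:
    """Map bytes to a quadratic residue mod P (hypothetical helper)."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 3) + 2
    return pow(h, 2, P)

def new_secret() -> int:
    """The credentialed secret f that the hardware is supposed to protect."""
    return secrets.randbelow(P - 3) + 2

def show(f: int, basename: Optional[bytes] = None) -> Tuple[int, int]:
    """One credential showing: returns (zeta, N) with N = zeta^f mod P.

    basename=None picks a fresh random zeta, so two showings cannot be
    linked; a fixed, verifier-chosen basename makes showings to that
    verifier linkable (the "optional" part of optional unlinkability).
    """
    seed = secrets.token_bytes(32) if basename is None else basename
    zeta = _hash_to_group(seed)
    return zeta, pow(zeta, f, P)

def is_blacklisted(zeta: int, n: int, rogue_secrets: List[int]) -> bool:
    """Verifier side: recompute zeta^f' for every extracted secret f'."""
    return any(pow(zeta, f_bad, P) == n for f_bad in rogue_secrets)

if __name__ == "__main__":
    leaked, honest = new_secret(), new_secret()  # constructed sample secrets
    blacklist = [leaked]                         # f recovered from a broken chip
    for name, f in (("leaked", leaked), ("honest", honest)):
        zeta, n = show(f)                        # unlinkable showing
        print(name, "rejected" if is_blacklisted(zeta, n, blacklist) else "accepted")
```

The verifier needs the extracted secret itself on its list; it learns nothing that links two showings made under keys it has not blacklisted.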