Unforgeable Blinded Credentials

John Denker jsd at av8n.com
Wed Apr 5 01:02:24 EDT 2006


Hal Finney wrote in part:
> ... Attempts to embed sensitive secrets in credentials don't work because there are no sensitive
> secrets today.  You could use credit card numbers or government ID numbers (like US SSN) but in 
> practice such numbers are widely available to the black hat community.

The phrase "there are no sensitive secrets today" sounds very strange
by itself, and doesn't sound much better in context.

I assume the intended meaning was more along the lines of:
==   The set of things you want to keep secret has zero overlap with
==   the set of things you might want to use as an identifier.

Let me just remark that there's nothing new about this.  The notion of
a secret identifier is very widespread, but if you think about it, it
is completely absurd, and always has been.  For a fuller discussion, see:
   http://www.av8n.com/vpn/id-theft.htm

which begins as follows:
]] I am reminded of a passage from /Buffy the Vampire Slayer/, in the episode "Lie to Me":
]]
]]      BILLY FORDHAM:  I know who you are!
]]      SPIKE:          I know who I am, too.  So what?
]]
]] My point here is that it shouldn’t matter if somebody knows who I am. Suppose somebody can
]] describe me -- so what? Suppose somebody knows my date of birth, social security number, and
]] great-great-grandmother’s maiden name -- so what?
]]
]] It’s only a problem if somebody uses that identifying information to spoof the _authorization_
]] for some transaction.

---------------------------------------------------------------------
The Cryptography Mailing List