On Sat, 4 Nov 1995, Timothy C. May wrote:
(And as a measure of how apologetic some folks are getting about discussing anything not on Perry's List of Approved Topics, Rich unfortunately labeled his post "[ID point semi-off-topic]..." In fact, the issue of credentials and identity is NOT off-topic, not even semi-off-topic. It is central to the themes of our list. I urge all to read Chaum's seminal work on "credentials without identity.")
Thanks for the newbie correction. In case anyone else is new to this, I couldn't find that paper, but Chaum's ideas and references are at http://www.digicash.com/publish/sciam.html
Proving legal residency requires a combination of two documents, one each from specified lists. Most commonly a driver's license, green card (which is actually pink), or birth certificate from list A, and a social security card from list B.
Chris Hibbert's SSN FAQ talks a little bit about how this works, and why it's a Good Thing. Basically, for privacy and security reasons, it is a very good idea to separate the issues of identity and authorization.
I don't care how securely you can authenticate who I am -- by PGP, retinal scan, whatever. I do not want a single digitizable token to be the key to my identity. Even if that identity cannot be forged (and everything can be forged), it can be used to track me, by the government, by the Direct Marketing Association, by the private investigators of certain wacky ....
Rich's (or Chris') points are admirable, but getting more and more irrelevant by the day. The notion of unlinking identity and authorization by separate pieces of identification is another form of "security through obscurity."
True. But until digital technology becomes ubiquitous, we're stuck with it, and it does help. I see no analog, well, analog to credential technology. It absolutely requires machines that can generate and handle large random numbers. Right? My point was, even people who should know better, like the managers and clients of FBOI (fboi@netcom.com), are relying on security through appeal to irrelevant crypto authority, which is even worse. Using your primary pgp key as a traceable link to your credit card number or bank account can be just as bad as publishing your credit card number.
Happily, Chaum's work on "credentials without identity," based essentially on the kind of "blinding" used in digital cash (with some differences, of course), allows for one to display a credential showing one is old enough to enter a bar or library (in 2005), without revealing a name (which is just another credential).
I haven't yet fully digested this concept, but don't you get into a bit of a chicken-and-egg problem when you start applying this to things like proof of age and citizenship? Until you reach a certain age, you're not going to remember your passphrase. I still think there's a role for private keys held by some authority (I realize that's not a popular word). I'd guess this would be addressed by a "secret sharer"/secsplit kind of thing, where your parents hold a combination of keys that together can represent your secret key until you're old enough to change it yourself. Still I'd worry about what kind of information was gathered about me in my youth, and how that might be carried over into maturity. -rich