-----BEGIN PGP SIGNED MESSAGE----- Michael Froomkin <froomkin@law.miami.edu> writes:
Suppose Alice is a CA who issues anonymous age credentials. Bob is 15 Carol is 25
Carol gets a legitimate anonymous age credential from Alice bound to an anonymous public key generated for this purpose. Carol then gives the key pair to Bob. Bob uses to do things only adults are legally permitted to do. (It's not bound to Carol's everday keypair because that's not anonymous....)
What can stop Bob and Carol from subverting a scheme that relies on anonymous age creditials in this manner?
I think I wrote something about this before, but I can't recall whether there was subsequent discussion... In Chaum's pseudonym/credential system, you can be restricted in the number of pseudonyms you can get of a given type. You can transfer your credentials among any of your pseudonyms, but you might only have one pseudonym (and associated key pair) for a specific forum or purpose. So Carol could get her age credential by showing her birth certificate, and get it on a non-anonymous pseudonym, then transfer it to any of her other pseudonyms. Maybe there is a particular nym which she uses for access in some area, and she has to prove her age in order to do so. So she transfers the credential to that pseudonym and can get access. Now Carol could give her pseudonym, credential and key pair to Bob, and let him act as her within that forum (say, for access to a particular archive). He could then exercise all of the privileges that she could. This is in effect a shortcut for the case where Bob asks Carol, "get me this file", "get me that file", and she does. This is in effect a blanket promise on Carol's part to respond affirmatively to all such requests. Obviously, as I think Michael wrote earlier, we can't stop Carol from doing this on a file-by-file basis. But we still might want to make it so she won't give Bob full access, since that will make it even easier for him to get these files he's not supposed to see, and it seems to somewhat remove Carol from responsibility for giving each file to Bob. One thing that might make Carol reluctant to authorize Bob to act as her agent in this way is that she would also be responsible for any negative consequences of things Bob does. If Bob abuses the lent key pair in some way, such that maybe he is even banned from that archive, then Carol will suffer the consequences as well. Given that she only gets one pseudonym of a kind which can access this archive, she can be hurt by giving Bob the full use of that nym. Now, depending on the circumstances, this may or may not be a significant deterrent for Carol. If the archive has no material she would be interested in, or there is no significant likelihood of abuse which would lead to losing her access, then it won't matter. But things could be structured so that these bad consequences were more likely, and then it would be a more significant consideration for her. There is a tradeoff between anonymity and accountability here. We gain this degree of accountability only be limiting the number of pseudonyms a person can have for certain kinds of usage, thereby reducing anonymity. The most extreme case would would to say that a person can have only one identity for use everywhere. That is, we would ban anonymity. At the other extreme, anyone can get as many nyms of all kinds as they want, and transfer credentials in all ways, in which case credentials are meaningless. These seem to be the two endpoints considered in Michael's hypothetical example. But there are actually a whole range of intermediate points which are possible. One example, close to the non-anonymous case, is to give every person exactly one online pseudonym, unlinkable to their physical identity, but the only one they can use in their online life. Now if they behave abusively the consequences they can suffer are limited. They can't go to jail. But still the risks may be relatively severe, and could include in the most extreme case loss of access to all online resources, which will be a severe punishment in the future. Another point on the continuum would be the use of a single pseudonym for all access to materials which are illegal for minors to see. If Carol gives hers to Bob and he screws it up somehow, she may be stuck watching PG movies for the rest of her life. I have tried to think of a better technical fix, such that in order to give Bob the ability to show one of her credentials, Carol must inherently give him the ability to use all of them, to act as her in all forums. Maybe some zero-knowledge protocol would be required to show a credential, one which would only work if you knew some basic secret that underlies all your pseudonyms, but which doesn't reveal it to anyone. Then Bob could act as Carol only if he knew her innermost secrets. But still it would be necessary to retain unlinkability among pseudonyms. I can't see how to make it work, and maybe it is fundamentally impossible. But if something like this were possible it would be a good solution to the problem Michael has described. Hal Finney -----BEGIN PGP SIGNATURE----- Version: 2.6 iQBVAwUBMSp9xxnMLJtOy9MBAQH9GAH9F7E6mZ/4lfL/b/4kdGTSpLZfmvJZu7iK EN8+wUHrAdi/cobG9KUsrFxcm3evG6ijLyu4WhxQzdoU0k1wyAUN7g== =X7tH -----END PGP SIGNATURE-----