On Wed, Aug 21, 2002 at 03:24:21AM +0100, Adam Back wrote:
Because Camenisch credentials are unlinkable multi-show it makes it harder to recognize sharing, so the user could undetectably share credentials with a small group that he trusts.
[...]
However if the Camenisch (unlinkable multi-show) credential were shared too widely the issuer may also learn the secret key and hence be able to link and so revoke the overly-shared credentials. This combats sharing though to a limited extent.
Since writing this I realised that there is a problem revoking unlinkable multi-show credentials: - I was presuming that revealing the credential and it's secret key is sufficient to allow someone to link shows of that credential. - but to link you'd have to try each revoked credential in turn. Therefore the verifier would have to perform work linear in the number of revoked credentials at each show, for the duration of the epoch. Anonymous suggests one way out is to just define that the issuing CA and the refreshing CA to be the same entity. Then you already have to trust the hardware manufacturer not to issue certs whose secrets are outside of a TPM. In this case Brands or Chaum credentials work. The remaining desiderata are: - it is not ideal from a risk management perspective to have to have the hardware manufacturers endorsement private key online to refresh certificates (or in general for there to be any private key online that allows issuing of credentials whose private keys lie outside a TPM); - not ideal to have to have an online protocol with an otherwise non-existant third party (credential refresh CA) in order to avoid linkability; Other ideas I gave in an earlier post towards fixing these remaining issues now that it seems unlinkable multi-show credentials won't work: | Perhaps there would be someway to have the privacy CA be a different | CA to the endorsement CA and for the privacy CA to only be able to | refresh existing credentials issued by the endorsement CA, but not to | create fresh ones. | | Or perhaps some restriction could be placed on what the privacy CA | could do of the form if the privacy CA issued new certificates it | would reveal it's private key. Adam -- http://www.cypherspace.org/adam/