Re: Blinded Identities [was Re: exporting signatures only/CAPI]
The "blinded identities" problem is one of the oldest that we have discussed here (although not much recently, of course!). It is basically similar to what cryptographers call "blinded credentials" and is closely related to electronic cash, as Michael Froomkin's example from Stefan Brands points out. I posted an idea a few years ago for how to use the technique to solve the related problem of remailer abuse. A simple way to approximate what you want is to use a standard blinded signature exactly as is done with David Chaum's DigiCash. The customer comes to you and presents some proof of identity. This may be in person via standard paper documents, or on-line via some cryptographic credential as you suggested. You make a list of all of your customers, and make sure that this customer is new, someone you haven't seen before. Now you simply give him a blinded cryptographic signature, of exactly the same form as the blinded coins given out by DigiCash. He unblinds it, and he is left with a signed credential from you, but one which is unlinkable to his identity. When he interacts with you, he displays this credential as proof that he is a customer in good standing. If he violates the terms of your contract, you disable the credential (add it to a list of bad credentials). He can't use this one any more, and he can't get a new one because he is on the list of people who already got their credential. This simple solution suffers from several problems, some of which are endemic to this class of solutions and others which can be addressed with fancier crypto. Among the fundamental problems we have first that verifying identity reliably is difficult to impossible. If people are motivated badly enough, they can forge whatever documents they need. Then they keep signing up with new identities like the kids who use AOL throwaway accounts. Second, if the customer ever loses his credential, he is screwed. He comes to you with some sob story about how his disk crashed and his dog ate his backups, but you have no way of knowing if he actually lost his credential, or if he is an abuser who got his credential cancelled. Another problem is that groups of users can share credentials, so that some hacker club can get a bunch, one for each of them, and then they can all abuse your ISP, getting credentials cancelled, but able to keep going as long as one is left. Problems which can be fixed include that credentials could be stolen, like phone card numbers, so an innocent person gets his credential cancelled and then we are back to the second problem above. You can mostly solve this by having him create a key when he first registers with his credential and require all his interactions to be protected by this key. There are also more elaborate solutions where he wouldn't actually send his credential over, but use zero knowledge techniques to prove that he had one. Unfortunately David Chaum has a pretty good set of patents covering blind signatures, so for a commercial venture you'd probably have to look into the legal situation. I can send you a list of Chaum's patents in the area if you want it. (I had it on my web page but my ISP quit so I need to get a new page going.) Some of the other practical issues are also mentioned in Michael Froomkin's article, like waiting a while after you get your credential before you use it. Hal
In <199610140530.WAA17735@crypt>, on 10/13/96 at 10:30 PM, Hal Finney <hal@rain.org> said:
The "blinded identities" problem is one of the oldest that we have discussed here (although not much recently, of course!). It is basically similar to what cryptographers call "blinded credentials" and is closely related to electronic cash, as Michael Froomkin's example from Stefan Brands points out. I posted an idea a few years ago for how to use the technique to solve the related problem of remailer abuse.
A simple way to approximate what you want is to use a standard blinded signature exactly as is done with David Chaum's DigiCash. The customer comes to you and presents some proof of identity. This may be in person via standard paper documents, or on-line via some cryptographic credential as you suggested. You make a list of all of your customers, and make sure that this customer is new, someone you haven't seen before.
Hmmmm... I am at a loss as why the customers identity needs to be know at all? What does it matter if I am a new customer or not? I don't see why we couldn't have anonymous prepaid credit-cards similiar to the prepaid calling cards available now. You pop down to the local bank here's $500 cash, they give you your card, when you have used up your $500 you throw it away. Of cource the issuer of the card would charge some fee for the service, say $1 on every $100, maybe more maybe less the market will decide that. :) No one need know who I am or what I am purchasing. Much simpler to implement, no id verification, no blinded credentials, Just treat it like any other credit card. KISS - Keep It Simple Stupid :) -- ----------------------------------------------------------- William H. Geiger III http://www.amaranth.com/~whgiii Geiger Consulting WebExplorer & Java Enhanced!!! Cooking With Warp 4.0 Author of PGPMR2 - PGP Front End for MR/2 Ice Look for MR/2 Tips & Rexx Scripts Get Work Place Shell for Windows!! PGP & MR/2 the only way for secure e-mail. Finger whgiii@amaranth.com for PGP Key and other info ----------------------------------------------------------- *MR/2 ICE: Windows: Just another pane in the glass.
At 11:25 PM -0500 10/14/96, William H. Geiger III wrote: (responding to Hal Finney's comments about blinded credentials, including identity credentials)
Hmmmm... I am at a loss as why the customers identity needs to be know at all?
What does it matter if I am a new customer or not?
This is an important issue, which has an important answer. The answer will sound flippant, but is worth thinking about. Namely, maybe it _doesn't_ matter if one is a new customer, maybe it _does_. More particularly, it is up to the customer and vendor to negotiate a mutually agreeable arrangement. Sometimes this includes identities, sometimes proofs of religious belief, sometimes proofs of credit worthiness (solvency, expectation of repayment, etc.). Neither Chaum nor Finney nor myself have ever (that I recall) called for a government-mandated system of _identities_. The whole point of "blinded credentials" is so that "selective disclosure of information" can occur. The canonical example is an "age credential" for entry into bars, for example, or for rental of adult videos, as another example. (The present system--simply _looking_ at a person to confirm that they "look old enough"--works pretty well for most adults, with only those in the margin zone being "carded." Even with "carding," a bar owner only checks the age field, and the photo field of course, to verify age. Chaum's concerns when he wrote his "systems to foil Big Brother" papers in the mid-80s were that fully-computerized versions of these credentials would present substantial threats to privacy. Rather than just looking at an age credential, and then forgetting the data seen, computers and surveillance systems would _remember_ all presentations of credentials, allowing extensive construction of dossiers on movements, purchases, habits, etc.). Anyway, getting back to Wm. Geiger's question, "What does it matter if I am a new customer or not?," maybe it does matter, maybe it doesn't. As a merchant, I might offer "new customers" special prices or services that I don't normally offer. Whatever. The important point is not to have government (for example) interefere in such transactions. Customers are free to offer such credentials as they wish to, and merchants are free to refuse the credentials offered. (In the real world, there are few businesses that want extensive credentials. The most important credential to them is _cash_, which is an interesting form of "blinded credential" (if you think about it). Namely, cash is "proof of ability to pay without any other credentials." Paying by check (a promise that one's bank will make good) or by asking for a purchase to be put on a "tab" (for later payment), are both situations where a merchant might demand various forms of credentials.)
I don't see why we couldn't have anonymous prepaid credit-cards similiar to the prepaid calling cards available now. You pop down to the local bank here's $500 cash, they give you your card, when you have used up your $500 you throw it away. Of cource the issuer of the card would charge some fee for the service, say $1 on every $100, maybe more maybe less the market will decide that. :)
But in this example, William has just described a form of blinded credential! Exactly Hal's point.
No one need know who I am or what I am purchasing. Much simpler to implement, no id verification, no blinded credentials, Just treat it like any other credit card.
KISS - Keep It Simple Stupid :)
Sometimes things are simple, sometimes simple things are stupid. The key of our kind of cryptography is to allow mutually acceptable, mutually negotiated protocols. Sometimes these will be just "blinded proofs of ability to pay" (cash, prepaid cards, etc.), sometimes these may involve other forms of proof. (For example, imagine a sex club that demands a blinded proof that one is HIV-negative.) The key point is that such protocols be voluntary. --Tim May "The government announcement is disastrous," said Jim Bidzos,.."We warned IBM that the National Security Agency would try to twist their technology." [NYT, 1996-10-02] We got computers, we're tapping phone lines, I know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^1,257,787-1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway."
participants (3)
-
Hal Finney -
Timothy C. May -
William H. Geiger III