Re: Blinded Identities [was Re: exporting signatures only/CAPI]

Steve Shear <azur@netcom.com> writes: I've been charged with developing an Internet service which needs to assure its clients of anonymity. However, we fear some clients may abuse the service and we wish to prevent the abusers from re-enrollment if terminated for misbehavior.
At 04:28 PM 10/13/96 -0400, "Michael Froomkin - U.Miami School of Law" <froomkin@law.miami.edu> wrote:
Stefan Brands has a protocol that probably does what you want. .... http://www.law.miami.edu/~froomkin/articles/oceanno.htm#ENDNOTE286
Looks like a really nice paper on anonymity issues; at 485K, it'll take a little while to read :-)
Yes, it was quite a load, but very good material.
The fundamental difficulty in this problem is that you need some demonstrable proof of uniqueness for human users; if you don't have that, you can't transform it into a unique-but-anonymous identity.* The issues are similar to privacy-protecting voter registration problems.
Brands's protocol starts with the user going to the bank with proof of ID, and getting a numerical ID which can be blinded and signed. It's a nice approach; you can do cruder approaches by hashing your universal-citizen-unit-ID-number or whatever, but that can be dictionary-searched by feeding all the possible ID numbers through the hash.
For some applications, mapping back to a unique human isn't necessary; if you do something like map back to a bank account which has a high minimum balance for setup, this discourages the type of users who don't want to spend $100 just to send spam.
Blinding a Verisign signature isn't enough, though - they support persona certificates without proof of identity.
Is it possible to determine the level of Verisign signature to screen out persona certificates?
[ * There are non-universal-identifier methods for preventing double-use. Voter registration in many places just depends on identification and affidavit, and is often abused (e.g. Chicago graveyard voters and Nevada absentee ballots), but usually not massively abused. Some third-world countries don't even require registration or literacy - they dip your thumb in ink after you vote, using a kind of ink that won't come off for a couple of days. Attacks against this protocol include better solvents :-) ]
Of course, if elections were very infrequent, they could cut off a finger each time you vote :-) You all have given me much to think about. Thanks.
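
The dictionary search against hashed ID numbers mentioned in the message above, as an added example that is not part of the original thread. The 5-digit ID space, the sample ID and the key are constructed; the keyed-hash variant is an assumption that goes beyond the message, included to show that a service-held key stops outsiders but not the key holder.

```python
import hashlib
import hmac
from typing import Callable, Optional

ID_DIGITS = 5  # constructed toy ID space (10**5 values) so the search runs quickly

def pseudonym_plain(id_number: str) -> str:
    """Crude approach from the message: pseudonym = hash of the ID number."""
    return hashlib.sha256(id_number.encode()).hexdigest()

def pseudonym_keyed(id_number: str, key: bytes) -> str:
    """Assumed variant, not from the message: HMAC under a service-held secret."""
    return hmac.new(key, id_number.encode(), hashlib.sha256).hexdigest()

def dictionary_search(target: str, derive: Callable[[str], str]) -> Optional[str]:
    """Feed every possible ID number through `derive`; return the one that matches."""
    for n in range(10 ** ID_DIGITS):
        candidate = f"{n:0{ID_DIGITS}d}"
        if derive(candidate) == target:
            return candidate
    return None

def audit(id_number: str, key: bytes) -> dict:
    """Report who can link each kind of pseudonym back to the ID number."""
    plain = pseudonym_plain(id_number)
    keyed = pseudonym_keyed(id_number, key)
    return {
        # Anyone holding the plain hash recovers the ID by enumeration.
        "plain_recovered_by_anyone": dictionary_search(plain, pseudonym_plain),
        # Without the key, enumerating the keyed pseudonym finds nothing.
        "keyed_recovered_without_key": dictionary_search(keyed, pseudonym_plain),
        # The service itself holds the key, so it can still enumerate.
        "keyed_recovered_by_service": dictionary_search(
            keyed, lambda c: pseudonym_keyed(c, key)),
    }

if __name__ == "__main__":
    SAMPLE_ID = "04217"                      # constructed sample value
    SERVICE_KEY = b"constructed-demo-key"    # constructed sample value
    for name, value in audit(SAMPLE_ID, SERVICE_KEY).items():
        print(f"{name}: {value}")
```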