Credentials Without Identity
Rich Graves makes some very good points, but he said something I want to riff on. (And as a measure of how apologetic some folks are getting about discussing anything not on Perry's List of Approved Topics, Rich unfortunately labeled his post "[ID point semi-off-topic]..." In fact, the issue of credentials and identity is NOT off-topic, not even semi-off-topic. It is central to the themes of our list. I urge all to read Chaum's seminal work on "credentials without identity.")

At 1:05 AM 11/5/95, Rich Graves wrote:
Proving legal residency requires a combination of two documents, one each from specified lists. Most commonly a driver's license, green card (which is actually pink), or birth certificate from list A, and a social security card from list B.
Chris Hibbert's SSN FAQ talks a little bit about how this works, and why it's a Good Thing. Basically, for privacy and security reasons, it is a very good idea to separate the issues of identity and authorization.
I don't care how securely you can authenticate who I am -- by PGP, retinal scan, whatever. I do not want a single digitizable token to be the key to my identity. Even if that identity cannot be forged (and everything can be forged), it can be used to track me, by the government, by the Direct Marketing Association, by the private investigators of certain wacky ....
Chris's (or Chris') points are admirable, but getting more and more irrelevant by the day. The notion of unlinking identity and authorization by separate pieces of identification is another form of "security through obscurity." The two forms of credentials can be linked in data bases. Just because one piece of ID has citizenship or voting status and another has other stuff is meaningless, provided the ID forms can be linked. As they can, in multiple ways.

The credit tracking agencies can do this trivially, with names, social security numbers, driver's license numbers, addresses, phone numbers, etc. All are pointers into the cloud of numbers that constitutes one's dossier.

Happily, Chaum's work on "credentials without identity," based essentially on the kind of "blinding" used in digital cash (with some differences, of course), allows for one to display a credential showing one is old enough to enter a bar or library (in 2005), without revealing a name (which is just another credential).

--Tim May

Views here are not the views of my Internet Service Provider or Government.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
Corralitos, CA              | knowledge, reputations, information markets,
Higher Power: 2^756839      | black markets, collapse of governments.
"National borders are just speed bumps on the information superhighway."
Timothy C. May writes:
(And as a measure of how apologetic some folks are getting about discussing anything not on Perry's List of Approved Topics, [....] In fact, the issue of credentials and identity is NOT off-topic, not even semi-off-topic. It is central to the themes of our list. I urge all to read Chaum's seminal work on "credentials without identity.")
I've repeatedly stated, Tim, that my problem is with junk, not with stuff on list charter. You can claim anything you like about my statements, but it won't be true. Any statement to the effect that I'm against discussion of anonymous credentials is a "big lie" -- an attempt to distort what I have said by being sufficiently outrageous.

Repeating, I am troubled by people posting stuff about whether roadways should be privatized -- I am perfectly happy with discussion of Chaumian anonymous credentials. My problem is with people who think this is Libernet, or Waconet, or Fosternet, or IBM MicroKernel net, or Internet Investing Net, or what have you. I also find the beating of dead horses unfortunate, but I never complain about it since it's usually technically on topic.

Now, Tim, if you feel people should be able to post their questions about system administration of Unix boxes here, as in fact happened only last week, please speak up.

Perry
On Sat, 4 Nov 1995, Timothy C. May wrote:
(And as a measure of how apologetic some folks are getting about discussing anything not on Perry's List of Approved Topics, Rich unfortunately labeled his post "[ID point semi-off-topic]..." In fact, the issue of credentials and identity is NOT off-topic, not even semi-off-topic. It is central to the themes of our list. I urge all to read Chaum's seminal work on "credentials without identity.")
Thanks for the newbie correction. In case anyone else is new to this, I couldn't find that paper, but Chaum's ideas and references are at http://www.digicash.com/publish/sciam.html
Proving legal residency requires a combination of two documents, one each from specified lists. Most commonly a driver's license, green card (which is actually pink), or birth certificate from list A, and a social security card from list B.
Chris Hibbert's SSN FAQ talks a little bit about how this works, and why it's a Good Thing. Basically, for privacy and security reasons, it is a very good idea to separate the issues of identity and authorization.
I don't care how securely you can authenticate who I am -- by PGP, retinal scan, whatever. I do not want a single digitizable token to be the key to my identity. Even if that identity cannot be forged (and everything can be forged), it can be used to track me, by the government, by the Direct Marketing Association, by the private investigators of certain wacky ....
Rich's (or Chris') points are admirable, but getting more and more irrelevant by the day. The notion of unlinking identity and authorization by separate pieces of identification is another form of "security through obscurity."
True. But until digital technology becomes ubiquitous, we're stuck with it, and it does help. I see no analog, well, analog to credential technology. It absolutely requires machines that can generate and handle large random numbers. Right? My point was, even people who should know better, like the managers and clients of FBOI (fboi@netcom.com), are relying on security through appeal to irrelevant crypto authority, which is even worse. Using your primary pgp key as a traceable link to your credit card number or bank account can be just as bad as publishing your credit card number.
Happily, Chaum's work on "credentials without identity," based essentially on the kind of "blinding" used in digital cash (with some differences, of course), allows for one to display a credential showing one is old enough to enter a bar or library (in 2005), without revealing a name (which is just another credential).
I haven't yet fully digested this concept, but don't you get into a bit of a chicken-and-egg problem when you start applying this to things like proof of age and citizenship? Until you reach a certain age, you're not going to remember your passphrase. I still think there's a role for private keys held by some authority (I realize that's not a popular word). I'd guess this would be addressed by a "secret sharer"/secsplit kind of thing, where your parents hold a combination of keys that together can represent your secret key until you're old enough to change it yourself. Still I'd worry about what kind of information was gathered about me in my youth, and how that might be carried over into maturity.

-rich
On Sat, 4 Nov 1995, Timothy C. May wrote:
The credit tracking agencies can do this trivially, with names, social security numbers, driver's license numbers, addresses, phone numbers, etc. All are pointers into the cloud of numbers that constitutes one's dossier.
Ah, the Swedish way is so much more convenient. Directly after birth you get a tag around your arm, with a number that is later changed to an entry into several databases, including 'Birth Registry' and you get your Person Number for life, in the format YYMMDD-abcd, which is unique (at least in Sweden). All forthcoming database entries are based on this number, usually as a first key field. Surprise immigrants get a preliminary number at the border (other format) and a genuine one if later accepted.

Without a Person Number you would be practically helpless: no schooling, no driver's licence, no 'social benefits', no bank account, no job (if your employer intends to do it legally and cut off taxes). The only marginally possible way to get around this is to use the Person Number of another person (forging a Swedish Approved ID is quite a task, though, and it's not very kind to that other person).

Most Government databases are open to the public, so the credit tracking agencies don't have to work very hard regarding persons (sometimes a bit more with corporate entities; those can be registered to fall guys - not hard to find in a jurisdiction with nice jails and short sentences). Now, there are laws against cross-referencing various databases without the approval of the Data Inspection, which often says no. But if you do it illegally, there is very little risk of detection.

It looks like the Approved ID will be a smart-card with a signing mechanism (probably escrowed), naturally linked to the Person Number, real soon now, at least before the mythical y.2000. Links to physical characteristics (retina?) are not (openly) discussed yet but may eventually come into play.

I think there's not much to win (and a lot of conveniency to lose) in trying to hide from this System. A friend of mine, and his wife, had their baby born at home and hid it from the System for several years (losing good money from the Social Security system in that process - in Sweden all people get many 'benefits' = transferred tax money, regardless of income) but eventually they registered the child, of course. It was a mere gesture.

Solution:

1) Don't fight the inevitable, like Don Quixote (sp?) did. The trick is to keep one's database entries as unsuspicious as possible. Pay politically correct items and services with a credit card, but use cash in transfers that the current (and possibly a coming, more Orwellian) regime might consider to be disloyal. Don't refuse to fill in forms or answer questions which are more or less obligatory or that might give you some benefits - just lie if necessary to create a normal, inconspicuous profile.

2) Prepare for Crypto Anarchy. Create untrackable net aliases for future use. Keep informed of all the tricks to bypass coming futile attempts to link net pseudonyms to Person Numbers (or physical characteristics). Enjoy (and help create and protect) the virtual sanctuary with digital mixes and anonymous http proxies (and DC-nets or something better eventually).

Mats
participants (4): Mats Bergstrom, Perry E. Metzger, Rich Graves, tcmay@got.net