
one-body, one-cert



There was a request on another list a few days ago for a one-body, one-valid-cert service.  The writer assumed that a standard ID cert like one from VeriSign would give him that service.  [I.e., once you get one cert from them, you'll never be given another -- where "you" are the person with your DNA.]  He didn't realize how easy it is to get a cert under an assumed name (or someone else's name) from an on-line cert issuer.

He also wanted this cert to be anonymous.

Our INDIRECT-SUBJECT: construct allows someone to issue certs (e.g., for voter registration) which are anonymous even to the issuer, but I'm not entirely sure anyone except voter registration will ever set up such a service.

I'm also not sure it's desirable to have a (one body):(one active cert) service.  Such a service could be misused to become like the hated national ID card -- required to get work, to pay taxes, get paid, get medical care, travel, ..., and subject to threat of revocation, in case you do something the service disapproves of.

As I mentioned on that list, the Chicago folklore is that (one body):(one vote) is unenforceable.  I'm not sure such a service could succeed in its stated purpose.

Meanwhile, there's the problem of revocation of an anonymous blind cert.  Since the blind signature isn't part of a cert itself, it can't be revoked without revoking the blind signature key and therefore all the certs issued by that blind signature key.  You can allow single user revocation, but only by using a different blind signature key for each applicant -- in which case anonymity to the issuer is lost.

Meanwhile, if he sets up such a service just for his members (e.g., an on-line Alcoholics Anonymous group, for example), the list of people who have requested blinded certs is itself an unacceptable leakage of information.   He needs a worldwide (one body):(one cert) service.

Thoughts?

 - Carl
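
The revocation trade-off described in the message, as an added example that is not part of the original message or of any SPKI code. It assumes Chaum-style textbook RSA blinding (the message names no scheme), toy keys built from Mersenne primes, and hypothetical names and sample values throughout.

```python
import hashlib

def make_key(p, q, e=65537):
    # Textbook RSA from two known primes; toy size, no padding (assumption).
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(body, n):
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def blind(body, r, key):
    # Applicant hides the cert digest behind r^e before sending it.
    return digest(body, key["n"]) * pow(r, key["e"], key["n"]) % key["n"]

def sign(value, key):
    # Issuer signs whatever it receives; it never sees the cert body.
    return pow(value, key["d"], key["n"])

def unblind(blind_sig, r, key):
    return blind_sig * pow(r, -1, key["n"]) % key["n"]

def verify(body, sig, key):
    return pow(sig, key["e"], key["n"]) == digest(body, key["n"])

def fits(logged, body, key):
    # Issuer-side test: is there a blinding factor r tying this logged
    # request to this cert? r = (logged / digest)^d always exists.
    n = key["n"]
    r = pow(logged * pow(digest(body, n), -1, n) % n, key["d"], n)
    return blind(body, r, key) == logged

# Constructed sample data: cert bodies, blinding factors, toy keys.
BODIES = {"alice": b"anon-cert-0001", "bob": b"anon-cert-0002"}
FACTORS = {"alice": 123456789, "bob": 987654321}
SHARED = make_key(2**61 - 1, 2**89 - 1)
ONE_KEY = {w: SHARED for w in BODIES}
PER_USER = {"alice": SHARED, "bob": make_key(2**107 - 1, 2**127 - 1)}

def issue(keys):
    # Returns (issuer log of blinded requests, unblinded signatures).
    log = {w: blind(b, FACTORS[w], keys[w]) for w, b in BODIES.items()}
    sigs = {w: unblind(sign(log[w], keys[w]), FACTORS[w], keys[w]) for w in log}
    return log, sigs

def candidates(body, sig, log, keys):
    # Applicants the issuer cannot rule out as the holder of this cert.
    return sorted(w for w in log
                  if verify(body, sig, keys[w]) and fits(log[w], body, keys[w]))
```

With ONE_KEY every logged request is consistent with every cert, so the only revocation handle is the key itself; with PER_USER the verifying key alone names the applicant.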