
Re: one-body, one-cert



At 05:04 PM 10/20/96 -0700, Hal Finney wrote:
>David Chaum has an even more elaborate scheme in which all the certs have
>a certain mathematical structure, so that credentials like "good customer"
>or "pays bills on time" can be transferred from one blinded cert to another.

Can you point me (us) at a writeup for that?

>> Our INDIRECT-SUBJECT: construct allows someone to issue certs (e.g., for
>> voter registration) which are anonymous even to the issuer, but I'm not
>> entirely sure anyone except voter registration will ever set up such a
>> service.
>>
>> I'm also not sure it's desirable to have a (one body):(one active cert)
>> service.  Such a service could be misused to become like the hated national
>> ID card -- required to get work, to pay taxes, get paid, get medical care,
>> travel, ..., and subject to threat of revocation, in case you do something
>> the service disapproves of.
>
>It is possible there could be multiple competing bodies offering
>is-a-person certs, although this becomes inefficient if there are too
>many, since the customer and the service must share an is-a-person
>cert issuer.  

As soon as you have a second is-a-person CA, you have given a miscreant a
second chance to do evil -- right?

>> Meanwhile, there's the problem of revocation of an anonymous blind cert.
>> Since the blind signature isn't part of a cert itself, it can't be revoked
>> without revoking the blind signature key and therefore all the certs issued
>> by that blind signature key.  You can allow single user revocation, but
>> only by using a different blind signature key for each applicant -- in which
>> case anonymity to the issuer is lost.
>
>I don't fully understand the technical issue here.  Revocation of a blind
>cert would mean issuing a signature on that cert stating that it is
>revoked, and probably putting it on a CRL for people to find.

If we use blind signatures in the SPKI style, then the cert gives some
authority to a single signature key.  That key blindly signs a hash of some
other key -- and the combination of the SPKI cert and the now-unblinded
signature provides proof of access permission.  The only cert here is the
INDIRECT-SUBJECT: cert -- and you want that applied to one key for everyone
in the universe.  If you want to be able to revoke one person by revoking
one cert, then you have to have a mapping from person back to that cert.

Now -- you *could* make a KRL -- key revocation list -- to list the public
keys of people you found to be bad -- and not touch the authorization
certificates.  Is that what you meant?

>> Meanwhile, if he sets up such a service just for his members (e.g., an
>> on-line Alcoholics Anonymous group, for example), the list of people who
>> have requested blinded certs is itself an unacceptable leakage of
>> information.   He needs a worldwide (one body):(one cert) service.
>
>Yes, this is a good point.  This is an area where there are advantages
>in tackling the problem at the large scale.  There is also a psychological
>problem that people who are interested in anonymity are particularly
>*uninterested* in getting their names on lists.  You should hear the story
>about the time ViaCrypt tried to do a customer survey of people who had
>bought PGP.

This looks like the killer to me.

At some point, a person has to present something linkable to himself to a
server in order to get permission for some blinded public key to gain
access to the "I am still a maker of kiddie-porn snuff films and want help
to stop" mailing list.  He can claim that that public key belongs to a
friend, but if we haven't made that impossible (at least difficult), then
we have a loophole in the one-person:one-access-chance rule.

AFAIK, the only way to achieve real anonymity is to give up the notion of
one-body:one-X, for any X.  Voting works because it's your vote that's
secret, not the fact that you're on the voter list.  What if you wanted to
arrange voting so that when the invading armies take over they can't round
up a list of everyone who voted in the last election? ...but you still want
one-person:one-vote?  At this point, I don't think it's possible.

I would like to be proved wrong, here.

I have a small nagging doubt about what I've said above.  The voting
analogy might apply after all, with one more layer of indirection.

Perhaps the is-a-person identification needs to itself be blinded and
issued to every citizen.  That might be issued by the UN member states.
Every citizen of the earth would get a completely blinded signature on his
public key, and the signing key would carry information with it (like
citizenship).

Of course, we then need to address loss/compromise of keys, theft of keys,
....

 - Carl


+------------------------------------------------------------------+
|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street   PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |
+------------------------------------------------------------------+
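
Added example, not part of the original message and not SPKI code: the arrangement discussed above, where one issuer key blindly signs a hash of each applicant's key and a single key is later revoked through a KRL rather than by touching the issuer key. It uses toy, unpadded textbook RSA; the primes, the sample keys and the `krl` set of key hashes are assumptions made for the illustration.

```python
import hashlib, math, secrets

# Constructed toy issuer key (two Mersenne primes); textbook RSA, no padding.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # issuer's private blind-signing exponent

def key_hash(subject_key: bytes) -> int:
    return int.from_bytes(hashlib.sha256(subject_key).digest(), "big") % N

def blind(subject_key: bytes):
    """Applicant: hide H(key) from the issuer with a random factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (key_hash(subject_key) * pow(r, E, N)) % N, r

def issuer_sign(blinded: int) -> int:
    """Issuer: signs without seeing which key it is authorizing."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    return (blind_sig * pow(r, -1, N)) % N

def access_allowed(subject_key: bytes, sig: int, krl: set) -> bool:
    """Verifier: key must not be on the KRL and must carry a valid issuer signature."""
    if hashlib.sha256(subject_key).hexdigest() in krl:
        return False
    return pow(sig, E, N) == key_hash(subject_key)

def demo():
    alice, bob = b"constructed-key-alice", b"constructed-key-bob"
    creds, seen_by_issuer = {}, []
    for k in (alice, bob):
        m, r = blind(k)
        seen_by_issuer.append(m)          # all the issuer ever learns
        creds[k] = unblind(issuer_sign(m), r)
    krl = {hashlib.sha256(bob).hexdigest()}   # revoke Bob's key only
    return {
        "alice": access_allowed(alice, creds[alice], krl),
        "bob": access_allowed(bob, creds[bob], krl),
        "bob_before_krl": access_allowed(bob, creds[bob], set()),
        "issuer_saw_hash": key_hash(alice) in seen_by_issuer,
    }
```

The KRL entry is keyed on the applicant's public key, so whoever maintains it must already know which key misbehaved; the issuer's own records (the blinded values) cannot be used to build it.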