
Re: one-body, one-cert

From: Carl Ellison <cme@cybercash.com>
> At 05:04 PM 10/20/96 -0700, Hal Finney wrote:
> >David Chaum has an even more elaborate scheme in which all the certs have
> >a certain mathematical structure, so that credentials like "good customer"
> >or "pays bills on time" can be transferred from one blinded cert to another.
> Can you point me (us) at a writeup for that?

The two papers in which Chaum discusses this most directly are:

   "Showing Credentials Without Identification: Signatures Transferred
   Between Unconditionally Unlinkable Pseudonyms," D. Chaum, Accepted but
   not Presented Auscrypt '89.

   "A Secure and Privacy-Protecting Protocol for Transmitting Personal
   Information Between Organizations," D. Chaum & J.-H. Evertse, Advances
   in Cryptology CRYPTO '86, A.M. Odlyzko (Ed.), Springer-Verlag, pp.

These are both somewhat old and there may be some newer material.

> >It is possible there could be multiple competing bodies offering
> >is-a-person certs, although this becomes inefficient if there are too
> >many, since the customer and the service must share an is-a-person
> >cert issuer.  
> As soon as you have a second is-a-person CA, you have given a miscreant a
> second chance to do evil -- right?

I'm not sure exactly what you mean.  As I see it, the is-a-person
credential is primarily used by a service which wants to make sure
that all of its users are unique.  Your voting example is a good one.
Now suppose some issuer of such credentials was evil and refused to
issue a credential to some person.  If there were a competing CA, the
person could get a credential from that other one.  As long as both he
and the service he is using are able to validate credentials from that
service, he can prove that he is unique.  (It would be necessary for all
customers to supply is-a-person credentials from a variety of issuers.)
So as long as everyone is able to use all of the is-a-person CA's,
the only way a person can be effectively denied one is if all the CA's
collude to deny him.

> >> Meanwhile, there's the problem of revocation of an anonymous blind cert.
> If we use blind signatures in the SPKI style, then the cert gives some
> authority to a single signature key.  That key blindly signs a hash of some
> other key -- and the combination of the SPKI cert and the now-unblinded
> signature provides proof of access permission.  The only cert here is the
> INDIRECT-SUBJECT: cert -- and you want that applied to one key for everyone
> in the universe.  If you want to be able to revoke one person by revoking
> one cert, then you have to have a mapping from person back to that cert.
> Now -- you *could* make a KRL -- key revocation list -- to list the public
> keys of people you found to be bad -- and not touch the authorization
> certificates.  Is that what you meant?

Yes, this is generally what I had in mind.  You are right, it is not
actually a CRL, but it serves much the same function in that it serves as
notice that certain keys are not to have the authority their certificates
seem to grant to them.

> At some point, a person has to present something linkable to himself to a
> server in order to get permission for some blinded public key to gain
> access to the "I am still a maker of kiddie-porn snuff films and want help
> to stop" mailing list.  He can claim that that public key belongs to a
> friend, but if we haven't made that impossible (at least difficult), then
> we have a loophole in the one-person:one-access-chance rule.

I think the two-level blinding prevents this level of identification.
He gets the is-a-person credential, which is fully blinded and unlinkable
to him, from the is-a-person CA.  Then when he goes to the kiddie-porn
mailing list he gets yet another blinded pseudonym when he registers,
by showing his is-a-person credential.  So that list does not see anything
directly related to his identity.  Ideally, many people get kiddie-
porn pseudonyms that they never intend to use, along with thousands of
other such credentials/pseudonyms/signed keys (these are all the same)
with all kinds of forums that exist out there.  So there is not even
any particular linkage between the is-a-person credentials which have
registered with the kiddie-porn list and the actual users of the list.
The former is a blinded superset, ideally a vastly larger set, than
the latter.

> AFAIK, the only way to achieve real anonymity is to give up the notion of
> one-body:one-X, for any X.  Voting works because it's your vote that's
> secret, not the fact that you're on the voter list.  What if you wanted to
> arrange voting so that when the invading armies take over they can't round
> up a list of everyone who voted in the last election? ...but you still want
> one-person:one-vote?  At this point, I don't think it's possible.

If you had everyone in the country register to vote, then you would achieve
what you want.  There is no record of exactly who voted, but using
is-a-person credentials we can make sure that no person voted twice.

> Perhaps the is-a-person identification needs to itself be blinded and
> issued to every citizen.  That might be issued by the UN member states.
> Every citizen of the earth would get a completely blinded signature on his
> public key, and the signing key would carry information with it (like
> citizenship).

Yes, the more universal it is then the less information is leaked by
using the system.

> Of course, we then need to address loss/compromise of keys, theft of keys,
> ....

Unfortunately these practical issues make the idea, which already faces
insurmountable obstacles, even less likely to succeed, IMO.
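
The blind issuance and key revocation list (KRL) discussed in this message, as an added Python example that is not part of the original e-mail and is not Chaum's credential-transfer scheme: a toy textbook-RSA blind signature in which the CA signs the hash of a key it never sees, and a service checks the unblinded signature, its own KRL, and one registration per key. The names `PersonCA`, `Service`, `obtain_credential` and the small constructed key are assumptions made for illustration.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key for the is-a-person CA (constructed: two Mersenne primes,
# far too small for real use, and textbook RSA without padding).
P, Q, E = 2**89 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # CA's private exponent

def h(key: bytes) -> int:
    """Hash of a public key, reduced into the RSA group."""
    return int.from_bytes(hashlib.sha256(key).digest(), "big") % N

class PersonCA:
    """Signs one blinded value per identified person; never sees the key."""
    def __init__(self):
        self.issued_to = set()

    def sign_blinded(self, person: str, blinded: int) -> int:
        if person in self.issued_to:
            raise PermissionError("one body, one cert")
        self.issued_to.add(person)
        return pow(blinded, D, N)

def obtain_credential(ca: PersonCA, person: str, key: bytes):
    """Blind h(key), have the CA sign it, unblind. Returns (sig, what CA saw)."""
    r = 0
    while gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    blinded = h(key) * pow(r, E, N) % N
    sig = ca.sign_blinded(person, blinded) * pow(r, -1, N) % N
    return sig, blinded

class Service:
    """Checks the CA's signature, its own KRL, and one registration per key."""
    def __init__(self):
        self.registered, self.krl = set(), set()

    def register(self, key: bytes, sig: int) -> str:
        if pow(sig, E, N) != h(key):
            return "bad signature"
        if key in self.krl:
            return "revoked"
        if key in self.registered:
            return "already registered"
        self.registered.add(key)
        return "ok"
```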