Stories
Slash Boxes
Comments

News for nerds, stuff that matters

Digital Credentials Offer Enhanced Privacy

Posted by kdawson on Tue Feb 20, 2007 05:41 PM
from the cypherpunks-write-code dept.
John Q Random writes "Stefan Brands's company credentica.com announced their U-Prove library and SDK implementing ID tokens — also known as digital credentials or private credentials. (Private Credentials are a cool PKI replacement and anonymous e-cash tech that allows you to prove certified attributes like age, credit rating, group membership, etc. without revealing who you are; to allow you to have a digital life without the digital dossier effect inherent in a central databases.) Following this announcement, Adam Back announced credlib, an open source implementation of Brands credentials (and the older more basic Chaum certificates). These developments relate to recent news from IBM's Zurich labs on their identity-mixer project (previously discussed on Slashdot) that is based on the less efficient Jan Camenisch and Anna Lysyanskaya credentials."

Related Stories

[+] IT: IBM to Open Source Novel Identity Protection Software 40 comments
coondoggie handed us a link to a Network World article reporting that IBM plans to open source the project 'Identity Mixer'. Developed by a Zurich-based research lab for the company, Identity Mixer is a novel approach to protecting user identities online. The project, which is a piece of XML-based software, uses a type of digital certificate to control who has access to identity information in a web browser. IBM is enthusiastic about widespread adoption of this technology, and so plans to open source the project through the Eclipse Open Source Foundation. The company hopes this tactic will see the software's use in commercial, medical, and governmental settings.
This discussion has been archived. No new comments can be posted.
Display Options Threshold:
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • Identity Theft (Score:4, Insightful)

    by biocute (936687) on Tuesday February 20 2007, @05:44PM (#18088978)
    (http://xmoo.com/)
    This is under the presumption that the holder/applicant is who he claims he is.

    I guess it'll just get added to the to-do list of phishers and ID thieves.

    And the fact that (real) sensitive data has to be included to prevent 'leading/sharing' just begs for hacking.
  • Well blow me down! (Score:3, Funny)

    by Itninja (937614) on Tuesday February 20 2007, @05:53PM (#18089080)
    (http://geeksplosion.blogspot.com/)
    At first I thought is said "Digital Credentials Offer Enhanced Piracy"

    "Me SmartCard an' Biometrics allow en' more booty to be plundered, yarhhh!"
    • Hah! by TheVelvetFlamebait (Score:1) Tuesday February 20 2007, @06:48PM
  • Digital creds = "certs or keys" (Score:1, Insightful)

    by xxxJonBoyxxx (565205) on Tuesday February 20 2007, @05:55PM (#18089112)
    When I read "digital credentials" I immediately thought "(SSL/SMIME) certs and (SSH/PGP) keys". Those are two standard and widely implemented forms of "strong" digital authentication. SSL certs are also already available in hardware tokens, etc, if you like the FOB route. (Just ask the DoD about CAC cards...)

    I don't know why people keep trying to reinvent the wheel here.
  • yep (Score:2)

    by User 956 (568564) on Tuesday February 20 2007, @05:57PM (#18089142)
    (http://www.atomjax.com/)
    Following this announcement, Adam Back announced credlib, an open source implementation of Brands credentials (and the older more basic Chaum certificates).

    That certainly sounds like a credlib-able solution to the problem.
  • Where is the threat to individual privacy? As I see it, the threat is companies misusing legitimately-obtained personal information. Now let's tie in privacy with today's earlier discussion about credit card fraud. To buy anything over the Net from a reputable vendor, you usually must provide your legal name, home address, and phone number in order for the credit card transaction to be approved. (Buying from less reputable vendors may actually provide more privacy because AFAIK Paypal doesn't expose all these personal details when you make a payment.) What is the chance that VISA/MC/AMEX will re-engineer their systems to be privacy-preserving?
  • by Valdez (125966) on Tuesday February 20 2007, @06:28PM (#18089524)
    ...and no CardSpace?

    Oh, thats right, I'm reading /. ;)

    • 1 reply beneath your current threshold.
  • How? (Score:3, Interesting)

    by pesc (147035) on Tuesday February 20 2007, @06:37PM (#18089616)
    I don't need this certificate myself. Can someone explain why I can't obtain one proving my age (42) and sell it to a youngster? All other attributes are masked.
    • anti-lending feature (Re:How?) (Score:4, Informative)

      by Anonymous Coward on Tuesday February 20 2007, @06:54PM (#18089794)
      They have an anti-lending option. Here's how it works: the credential can have multiple private keys, one of which has to be random and the others of which can be secrets you would not be happy to sell to a youngster. (Say like your credit card number, or any other info that could be risky to lend to someone). Without all of the private keys you cant use the credential, so the would be lender, or reseller cant transfer the credential without revealing secrets chosen to be risky to share.

      The CA or credential issuer, he sees secrets when the credential is issued, however you trust him not to abuse those secrets (and maybe you paid him with the same credit card number eg). However due to the crypto magic the CA cant observe nor trace your uses of the credential back to you even with full collusion with relying parties.

      In fact the privacy is unconditionally secure and the user has full control and doesnt have to trust anyone (not CA, not relying parties, etc) only that the software of his credential wallet software is correctly implemented. This software would typically be open source and peer reviewed.
      [ Parent ]
    • Re:How? by Jherek Carnelian (Score:1) Tuesday February 20 2007, @07:19PM
    • 1 reply beneath your current threshold.
  • False security (Score:2)

    by syousef (465911) on Tuesday February 20 2007, @06:51PM (#18089758)
    True of all such "private" information storage facilities...

    Either the information is kept by someone and can be obtained from the issuer (whether through legitimate legal means or theft. This is valuable information. Unscrupulous people will steal, trade and sell it). You're basically trusting the issuer to keep you safe. SSL certs are kinda like this but there's no pretense of private data being stored encrypted in the cert.

    OR

    Once the certificate is issued there is no way to identify who it is issued to, which means the only way a security hole in the method comes to light is when massive fraud occurs or if someone brags about breaking it. PGP is kinda like this.

    All this does is allow you to buy products or services annoymously from legit vendors, and only so long as the system isn't compromised. The other thing is most non-shady vendors won't want to accept this form of ID/verification. I mean it's great for porn vendors because porn is socially vilified and people don't want to admit to buying it or having it on record. For most other things, the vendor will prefer a method of verification under their control since it'll give them marketing data and also prove to be a better protection against litigation than some anonymous cert.
  • by SiliconEntity (448450) on Tuesday February 20 2007, @07:11PM (#18089964)
    It remains to be seen at this point whether the Camenisch/Lysyanskaya Idemix credentials are really "less efficient" than Brands. Certainly the CL credential work is newer. Brands' stuff is good but the field does not stand still. Until we see benchmarks putting them side by side, it is too early to say which is more efficient.
    • 1 reply beneath your current threshold.
  • by SecretSauce (247950) on Tuesday February 20 2007, @07:34PM (#18090292)
    (http://www.secretsauce.org/ | Last Journal: Sunday August 07 2005, @08:48PM)
    Is PKI that broken that we already need a replacement? Seems to do the job for me...
  • The technology to do this one way or another has been around for years, at least since David Chaum's blinded signatures and e-cash. The problem is getting it to be marketable.

    There are 2 hurdles to this product:

    1. Digital certificates of any kind are hard to get Joe average user to understand and adopt. How many people use PGP style email encryption, let alone user SSL certificates?

    2. More seriously, how many online business are willing, not only not to collect customer data, but to go to sigificant expense to avoid collecting customer data?

    Since customer data is generally viewed as having value to businesses, you are in effect asking business to spend money to make less money. That just won't happen, unless customers demand it. And I don't see that happening anytime soon (see #1 above).
  • 5 replies beneath your current threshold.