Digital Credentials Offer Enhanced Privacy
John Q Random writes "Stefan Brands's company credentica.com announced their U-Prove library and SDK implementing ID tokens — also known as digital credentials or private credentials. (Private Credentials are a cool PKI replacement and anonymous e-cash tech that allows you to prove certified attributes like age, credit rating, group membership, etc. without revealing who you are; to allow you to have a digital life without the digital dossier effect inherent in central databases.) Following this announcement, Adam Back announced credlib, an open source implementation of Brands credentials (and the older more basic Chaum certificates). These developments relate to recent news from IBM's Zurich labs on their identity-mixer project (previously discussed on Slashdot) that is based on the less efficient Jan Camenisch and Anna Lysyanskaya credentials."
This is under the presumption that the holder/applicant is who he claims he is.
I guess it'll just get added to the to-do list of phishers and ID thieves.
And the fact that (real) sensitive data has to be included to prevent 'leading/sharing' just begs for hacking.
When I read "digital credentials" I immediately thought "(SSL/SMIME) certs and (SSH/PGP) keys". Those are two standard and widely implemented forms of "strong" digital authentication. SSL certs are also already available in hardware tokens, etc., if you like the FOB route. (Just ask the DoD about CAC cards...)
I don't know why people keep trying to reinvent the wheel here.
Where is the threat to individual privacy? As I see it, the threat is companies misusing legitimately-obtained personal information. Now let's tie in privacy with today's earlier discussion about credit card fraud. To buy anything over the Net from a reputable vendor, you usually must provide your legal name, home address, and phone number in order for the credit card transaction to be approved. (Buying from less reputable vendors may actually provide more privacy because AFAIK PayPal doesn't expose all these personal details when you make a payment.) What is the chance that VISA/MC/AMEX will re-engineer their systems to be privacy-preserving?
You don't put things like "age" or "student ID" on a cert, and you certainly wouldn't put them on a key. Instead, you could use the verified IDs from certs/keys to look up information from a master DB, much like Brands and dozens of other interchangeable knuckleheads are proposing.
Remember, whether you show up to a "verification service" with a magic cookie/ID/BrandsThing or a cert, you're still trusting a third party to only give out a piece of your total profile at a time. All the while, they're probably really selling the whole DB to random spammers, just like your average credit bureau.