W3C home > Mailing lists > Public > public-credentials@w3.org > June 2016

Re: Non-correlation / pseudo-anonymity (was Re: VOTE: Verifiable Claims Terminology)

From: David Chadwick <d.w.chadwick@kent.ac.uk>
Date: Sun, 12 Jun 2016 21:09:51 +0100
To: Steven Rowat <steven_rowat@sunshine.net>, public-credentials@w3.org, Manu Sporny <msporny@digitalbazaar.com>
Message-ID: <6ddcd228-0f66-c7ab-f108-34c1a924f93f@kent.ac.uk>

On 12/06/2016 16:24, Steven Rowat wrote:
> On 6/12/16 12:35 AM, David Chadwick wrote:
>> On 12/06/2016 00:31, Steven Rowat wrote:
>>> A. Pseudonymity (Alias) occurs at the issuer stage.
>>> B. Pseudo-anonymity occurs at the Acceptor/Relaying Party/Checkpoint
>>> stage.
>>> For example, if we apply this to the Pseudo-anonymity use case in the
>>> Editor's Draft June 11 VC use cases,
>>> http://w3c.github.io/webpayments-ig/VCTF/use-cases/
>>> section 4.4.3, Pseudo-anonymity, and take the last example, of Paula:
>>> "...Paula has been certified as an aid worker, and wishes that
>>> information to be marked on her posts. She shares her certificate with
>>> the forum, but limits it to only verifying that she is the holder of the
>>> certificate, that she is the subject of it, and that she is an aid
>>> worker. In this way she maintains her anonymity..."
>>> This is scenario B, where at the Relaying Party stage of the credential,
>>> Paula's name and other important data is withheld so as not to identity
>>> her.
>>> Now, suppose Paula decides to write a book about her experiences, and
>>> she is in danger of being killed if she tells the truth. She decides to
>>> write the book anyway, call herself Norman, and publish it and have
>>> "Norman" be paid for any sales.
>>> This is scenario A, Pseudonymity (Alias), and occurs at the issuer stage
>>> of the credential.
>>> In Alias, scenario A, a government wanting to figure out if Norman and
>>> Paula are the same person could do so, via the issuer. They will not
>>> care particularly about scenario B.
>>> Thus Pseudonymity (Alias) and Pseudo-anonymity are substantially
>>> different situations, and will require different levels of security and
>>> different interfaces with the holder, the government, and the
>>> credentials issuers and Relaying Parties.
>>> Does this make sense?
>>> If so, then it seems that only scenario B is covered in the VC use
>>> cases.
>>> If this is so, I suggest that scenario A, Alias (Pseudonymity), is just
>>> as important in a social and even financial sense, and should be pursued
>>> in parallel with Pseudo-anonymity.
>> I think this can be catered for relatively easily in the existing use
>> cases, by holders issuing credentials about themselves that only contain
>> the name they want to be known by ie. their aliases. The use cases
>> already state "It MUST be possible for any entity to issue a verifiable
>> claim."
> This sounds promising. Do you mean, to follow the Paula from VC use
> cases 4.4.3 example, that Paula can issue a verifiable credential saying
> that Norman is actually a professional journalist (Paula already has
> this credential, issued by a news corporation), and that now Norman (her
> Alias) will be able to use her journalist credential without revealing
> the name "Paula"?

This is the way I read the use cases.

However, in another message that I have just sent (about what the
abstract of the data model says), I currently take issue with the way
the model is being specified, as it is inconsistent with the definition
of identity, in that it requires a claim to be about an identity, rather
than the claim (or set of claims) actually being the identity.

> In other words, that Paula will be able to issue a credential that
> authorizes the use of  her reputation credentials by her alias, without
> having to transfer the name 'Paula' as well?

Paula would issue a credential saying My name is Norman, and would also
present the credential saying that the holder is a professional
journalist. She would be able to prove possession of both of them.

> And, possibly, if so, be able to authorize the "Norman" book income
> going to a bank account set up by Paula, by the same method?

She would present a credential saying she is the holder of a certain
bank account (and be able to prove it) without revealing the name of the
account holder.

> In my opinion these two things, the ability of the alias to carry the
> credentials of the real person, and the ability of the real person to
> accept money earned by the alias, are core for full and effective use of
> an alias.

I don't believe it is difficult to do.

> I'll go so far as to say that several hundred years of the traditional
> book publishing industry has honed this capability, pre-Internet.
> Publishers routinely issue books that give a blurb telling the author's
> credentials or capabilities, even when the author's name, like "Norman",
> is a pseudonym. The publisher knows the name is a pseudonym, but the
> public may or may not. And of course the publisher handles the flow of
> money to Paula that the public believes is being paid to "Norman".

If we cannot electronically enable what is already done today without
electronic credentials, it will be hard to gain user acceptance.



> I'd be very interested to know if both of these capabilities seem
> already provided for by the architecture of the VC model as currently
> described
> Steven
Received on Sunday, 12 June 2016 20:10:17 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 July 2018 21:19:29 UTC