Re: [WebCrypto.Next] Linking web identities with real-world identities

From: Dave Raggett <dsr@w3.org>
Date: Sat, 14 Feb 2015 10:31:58 +0000
Cc: public-web-security@w3.org, public-privacy@w3.org
Message-Id: <95B8CAC2-9232-44D4-AF71-3CA601E42CF2@w3.org>
To: Mike O'Neill <michael.oneill@baycloud.com>

> On 13 Feb 2015, at 21:22, Mike O'Neill <michael.oneill@baycloud.com> wrote:
> 
> I agree that an identity verification protocol based on explicit consent should be a standard component of the web platform, but I think it should be designed so there would be no need for a fixed “real-world” identity.
> 
> The third-party entities could validate an arbitrary set of attributes, some of which may identify a legal person i.e. passport or birth certificate, but others could be anonymous attributes such as membership of a club, a child’s age, an anonymous audience category, or any attribute that the parties need and agree to without the necessity to inform any of the parties, including the validating parties, of other identifying attributes.

These refer to additional use cases, e.g. to prove that I am a child for access to a safe site for children.  I would encourage you to describe the use cases, since this is important for justifying work on a standard. There are no major technical barriers to pseudo-anonymous identity verification, so this is mostly about consensus building.

I built a demo for this kind of approach some years back around a use case where you need to prove you are a current student at a given university to gain access to a site run by students for students. The demo uses a Firefox extension for idemix. More details are given at:

     http://people.w3.org/~dsr/blog/?p=95

It might be easier, however, to start with work on a standard for simple comparisons against attributes, where the website/app already knows your name and address etc., and wants to verify that the web identity you are logged in with corresponds to that real-world identity. This doesn’t involve a loss of privacy since the website and the identity agent being asked to perform the verification already know your real-world identity.

—
   Dave Raggett <dsr@w3.org>
Received on Saturday, 14 February 2015 10:32:05 UTC
