- From: David Chadwick <d.w.chadwick@kent.ac.uk>
- Date: Sat, 11 Jun 2016 19:09:27 +0100
- To: public-credentials@w3.org
On 11/06/2016 17:46, Manu Sporny wrote:
> On 06/11/2016 07:27 AM, David Chadwick wrote:
>> By using a common ID for two different identity profiles we produce
>> a correlation handle for the relying parties.
>
> Yes, correlation handles are REQUIRED for a number of use cases.
> Pseudo-anonymity is REQUIRED for others. We need both.
>
> For example:
>
> You get a driver's license from Entity A.

Presumably a government body, and therefore presumably quite trusted.

> You get a proof of employment from Entity B.

Which can be from any one of millions of organisations, so trust would presumably be much smaller than in the first credential.

> A bank asks you to submit both to open a new account. In a non-common ID
> scenario, how does an automated software program determine that the
> driver's license and the proof of employment are talking about the same
> identifier?

If you want linkability, then Entity B, which must have authenticated the user when it first employed him or her, e.g. by checking his/her passport, driver's license or other government-issued credential, should embed the government-issued credential in the employment one that it issues. The bank then has the correlating handle it needs in the employment credential and asks the user to provide the corresponding government-issued credential as well.

> I'm not arguing against non-correlation. It's an important requirement.
> Correlatability is an important requirement as well.

I agree. My argument is that correlation should be a positive act, and that non-correlation should be the default privacy-protecting act.

> Proof of age should be non-correlatable.
>
> Passport is correlatable.

To be more precise, the passport number is correlatable. The nationality attribute from a passport is not. Neither is the name attribute on its own.

> Email is correlatable (and how many systems that you use on a regular
> basis have your email address?)

I know. People often forget this. But at least it is a positive action to share your email address with someone, as opposed to the fingerprint of my laptop configuration that allows web sites to uniquely identify me behind my back, as it were, without my consent or knowledge.

> I'm strongly asserting that anyone claiming that they have a solution
> that actually provides non-correlatability in non-trivial use cases has
> either not thought deeply about the problem or is selling snake oil.

I agree. Total privacy protection is probably impossible. But we should not design a system that has correlation built in by default, if we can avoid it.

regards

David

> -- manu
Received on Saturday, 11 June 2016 18:09:53 UTC
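The three claims argued in the message above (a shared subject id is a correlation handle for anyone who sees both credentials; with per-issuer pseudonyms linkage only exists if Entity B deliberately embeds the government credential it verified at hiring time; the nationality attribute carries no handle while the passport number does) can be shown with a small verifier-side model. This is an added example, not code from the W3C list, from either author, or from any W3C specification. The credential layout is a simplified JSON structure loosely shaped like the Verifiable Credentials data model; the field names `linkedCredential` and `digest`, the `did:example:` identifiers and every attribute value are assumptions constructed for this illustration.

```python
"""Added illustration of the linkability discussion (constructed data).

The field names 'linkedCredential' and 'digest', the did:example:
identifiers and all attribute values are assumptions for this example,
not terms defined by any W3C specification.
"""
import hashlib
import json

# Fields a relying party could use to recognise the same person again.
IDENTIFYING = {"id", "passportNumber", "licenceNumber"}


def canonical_digest(cred):
    """SHA-256 over a canonical JSON form (sorted keys, no whitespace).
    Stands in for a real canonicalisation plus issuer signature."""
    blob = json.dumps(cred, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


# Constructed sample credentials.
GOV_LICENCE = {
    "issuer": "did:example:dmv",
    "type": ["VerifiableCredential", "DriversLicence"],
    "credentialSubject": {
        "id": "did:example:holder-licence-7f3a",
        "licenceNumber": "D1234567",
    },
}

PASSPORT = {
    "issuer": "did:example:passport-office",
    "type": ["VerifiableCredential", "Passport"],
    "credentialSubject": {
        "id": "did:example:holder-passport-a1b2",
        "passportNumber": "P98765432",
        "nationality": "GB",
    },
}

# Entity B checked the licence at hiring time and embeds a digest of it:
# correlation as a deliberate act by the issuer.
EMPLOYMENT_LINKED = {
    "issuer": "did:example:acme-corp",
    "type": ["VerifiableCredential", "ProofOfEmployment"],
    "credentialSubject": {
        "id": "did:example:holder-employment-9c21",  # a different pseudonym
        "employer": "Acme Corp",
    },
    "linkedCredential": {
        "issuer": GOV_LICENCE["issuer"],
        "digest": canonical_digest(GOV_LICENCE),
    },
}

# The same credential issued without the link: the privacy-preserving default.
EMPLOYMENT_UNLINKED = {
    k: v for k, v in EMPLOYMENT_LINKED.items() if k != "linkedCredential"
}


def common_id(a, b):
    """Same subject id in both credentials: trivially correlatable."""
    return a["credentialSubject"]["id"] == b["credentialSubject"]["id"]


def linked_by_embedding(linking, target):
    """Bank-side check: does `linking` deliberately reference `target`?"""
    link = linking.get("linkedCredential")
    return (link is not None
            and link["issuer"] == target["issuer"]
            and link["digest"] == canonical_digest(target))


def same_subject(a, b):
    """Verifier decision: treat two credentials as the same person only on
    a positive signal, never by guessing from attribute values."""
    return common_id(a, b) or linked_by_embedding(a, b) or linked_by_embedding(b, a)


def disclose(cred, attributes):
    """Holder releases only the named attributes; the subject id is never
    included.  Dropping fields like this breaks an ordinary signature, so a
    real deployment needs a selective-disclosure signature scheme."""
    subject = cred["credentialSubject"]
    return {
        "issuer": cred["issuer"],
        "type": cred["type"],
        "credentialSubject": {a: subject[a] for a in attributes if a in subject},
    }


def correlation_handles(cred):
    """Identifying fields a relying party would receive from this credential."""
    return set(cred["credentialSubject"]) & IDENTIFYING
```

Note that the digest embedded by Entity B is itself a stable handle: every relying party that sees the employment credential gets the same value, which is exactly why the message frames embedding as a positive, opt-in act rather than something the data model should do by default. The `disclose()` view of the passport carrying only `nationality` yields no handle at all, matching the point that the attribute alone is not correlatable while the passport number is.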