W3C home > Mailing lists > Public > public-credentials@w3.org > June 2016

Re: Non-correlation / pseudo-anonymity (was Re: VOTE: Verifiable Claims Terminology)

From: David Chadwick <d.w.chadwick@kent.ac.uk>
Date: Sat, 11 Jun 2016 19:09:27 +0100
To: public-credentials@w3.org
Message-ID: <2d9b228a-5727-d3bd-f516-3de356fee50c@kent.ac.uk>

On 11/06/2016 17:46, Manu Sporny wrote:
> On 06/11/2016 07:27 AM, David Chadwick wrote:
>> By using a common ID for two different identity profiles we produce
>> a correlation handle for the relying parties.
> Yes, correlation handles are REQUIRED for a number of use cases.
> Pseudo-anonymity is REQUIRED for others. We need both.
> For example:
> You get a driver's license from Entity A.

Presumably a government body, and therefore presumably quite trusted.

> You get a proof of employment from Entity B.

Which can be from any one of millions of organisations, so trust would
presumably be much smaller than in the first credential.

> A bank asks you to submit both to open a new account. In a non-common ID
> scenario, how does an automated software program determine that the
> driver's license and the proof of employment are talking about the same
> identifier?

If you want linkability, then Entity B, which must have authenticated
the user when it first employed him or her, e.g. by checking his/her
passport, driver's license or other government issued credential, should
embed the government issued credential in the employment one that it issues.

The bank then has the correlating handle it needs in the employment
credential and asks the user to provide the corresponding government
issued credential as well.

> I'm not arguing against non-correlation. It's an important requirement.
> Correlatability is an important requirement as well.

I agree. My argument is that correlation should be a positive act, and
that non-correlation should be the default privacy protecting act.

> Proof of age should be non-correlatable.
> Passport is correlatable.

To be more precise, passport number is correlatable. The nationality
attribute from a passport is not. Neither is the name attribute on its own.

> Email is correlatable (and how many systems that you use on a regular
> basis have your email address?)

I know. People often forget this. But at least it is a positive action
to share your email address with someone. As opposed to the fingerprint
of my laptop configuration that allows web sites to uniquely identify me
behind my back, as it were, without my consent or knowledge.

> I'm strongly asserting that anyone claiming that they have a solution
> that actually provides non-correlatability in non-trivial use cases has
> either not thought deeply about the problem or is selling snake oil.

I agree. Total privacy protection is probably impossible.

But we should not design a system that has correlation built in by
default, if we can avoid it.



> -- manu
Received on Saturday, 11 June 2016 18:09:53 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:17:53 UTC