- From: Dave Raggett <dsr@w3.org>
- Date: Mon, 30 Sep 2013 09:46:50 +0100
- To: Manu Sporny <msporny@digitalbazaar.com>, Ricardo Varela <phobeo@gmail.com>
- CC: Ben Adida <ben@adida.net>, Web Payments CG <public-webpayments@w3.org>, "Joe Cascio, Jr." <joe.cascio.jr@gmail.com>, Dan Callahan <dan.callahan@gmail.com>, Lloyd Hilaiel <lloyd@mozilla.com>
- Message-ID: <52493A7A.3080105@w3.org>

In respect to knowing your customer, one approach is to use zero knowledge proofs. I was part of the EU project PrimeLife which finished a few years back and worked with IBM on a demo for their identity mixer technology (idemix).

Imagine that a national government issues its citizens with a smart card attesting to a variety of personal information, e.g. your name, passport number, date of birth, current address, and so forth. Banks and other institutions have trust in the processes used by the government in providing these national identity cards.

Now imagine a situation where you want to purchase let's say a box of wine online, and are required to prove that you are 18 years or older. Idemix would allow you to provide a cryptographic proof backed by your government *without* disclosing your date of birth or your national id number!

This is possible through a zero knowledge proof over expressions of attributes on the government issued id. The approach lends itself to the creation of pseudonymous identities for specific purposes and minimizes the loss of privacy, unlike conventional approaches where privacy is not prioritized.

Note that the customer's true identity can be revealed by a court order if required. This involves a computation to reveal the base identity (your national id in this example). So your privacy relies on a trusted independent party, which could be part of the judiciary.

Idemix is available as an open source Java library. My demo was based on an extension to the Firefox browser and allows web pages running in the browser to create a new pseudonymous id, and to ask the extension to authenticate the user and provide a zero knowledge proof that the user owns that pseudonymous id. The example is for a university where the student union issues new students with a USB key stick; this allows students to make purchases and to participate in chat sessions without disclosing their identity.

See slide 38 on: http://www.slideshare.net/iwmw/raggett

Today, customer privacy is a low priority for businesses, who constantly demand personal information that they don't need to know. It is almost a paradox, but STRONG identity can be used to underpin STRONG PRIVACY, however, this will require concerted action by citizens to overcome the reluctance of business and governments to do more than the very minimum.

Further reading:

- http://people.w3.org/~dsr/blog/?p=95
- http://www.zurich.ibm.com/idemix/details.html
- http://en.wikipedia.org/wiki/Zero-knowledge_proof

--
Dave Raggett <dsr@w3.org> http://www.w3.org/People/Raggett

Received on Monday, 30 September 2013 08:47:24 UTC
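
The pseudonym-ownership proof mentioned in the message, sketched as an added example that is not part of the original e-mail and is not Idemix's code or API: it swaps in a plain Schnorr proof of knowledge (made non-interactive with a hash) over a toy 64-bit group, and covers only "the user owns this pseudonym", not the age-over-18 attribute proof. The function names, the site scopes and the nonces are assumptions made for the illustration.

```python
# Added illustration: all names and parameters are assumptions, not Idemix's API.
import hashlib, secrets

def is_prime(n):
    """Miller-Rabin; these 12 bases are deterministic for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

# Toy safe prime P = 2Q + 1, constructed for the demo; far too small for real use.
Q = next(q for q in range(2**63 + 1, 2**64, 2) if is_prime(q) and is_prime(2 * q + 1))
P = 2 * Q + 1

def H(*parts):
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def base(scope):  # per-site generator; squaring lands in the order-Q subgroup
    return pow(H("base", scope) % P, 2, P)

def pseudonym(x, scope):  # x is the master secret that never leaves the card/USB key
    return pow(base(scope), x, P)

def prove(x, scope, nonce):
    """Schnorr proof that the prover knows x behind pseudonym(x, scope)."""
    g, r = base(scope), 1 + secrets.randbelow(Q - 1)
    t = pow(g, r, P)
    c = H(g, pseudonym(x, scope), t, nonce) % Q  # challenge bound to the site's nonce
    return t, (r + c * x) % Q

def verify(nym, scope, nonce, proof):
    (t, s), g = proof, base(scope)
    c = H(g, nym, t, nonce) % Q
    in_group = nym % P != 1 and pow(nym, Q, P) == 1  # reject malformed pseudonyms
    return in_group and pow(g, s, P) == t * pow(nym, c, P) % P
```

The same secret yields a different pseudonym for every scope, and a proof is only valid for the nonce the site issued, so a captured proof cannot be replayed against a fresh challenge.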