W3C home > Mailing lists > Public > public-webpayments@w3.org > September 2013

Re: Web Payments and Identity

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Mon, 30 Sep 2013 11:39:17 +0200
Message-ID: <CAKaEYhKSCtoNskF559jqaXATym8u0Q=_o1kqz-_TEqXNURUJGA@mail.gmail.com>
To: Dave Raggett <dsr@w3.org>
Cc: Manu Sporny <msporny@digitalbazaar.com>, Ricardo Varela <phobeo@gmail.com>, Ben Adida <ben@adida.net>, Web Payments CG <public-webpayments@w3.org>, "Joe Cascio, Jr." <joe.cascio.jr@gmail.com>, Dan Callahan <dan.callahan@gmail.com>, Lloyd Hilaiel <lloyd@mozilla.com>
On 30 September 2013 10:46, Dave Raggett <dsr@w3.org> wrote:

>  In respect to knowing your customer, one approach is to use zero
> knowledge proofs. I was part of the EU project PrimeLife which finished a
> few years back and worked with IBM on a demo for their identity mixer
> technology (idemix). Imagine that a national government issues its citizens
> with a smart card attesting to a variety of  personal information, e.g.
> your name, passport number, date birth, current address, and so forth.
> banks and other institutions have trust in the processes used by the
> government in providing these national identity cards.
> Now imagine a situation where you want to purchase let's say a box of wine
> online, and are required to prove that you are 18 years or older.  Idemix
> would allow you to provide a crypographic proof backed by your goverment
> *without* disclosing your data of birth or your national id number! This is
> possible through a zero knowledge proof over expressions of attributes on
> the government issued id.
> The approach lends itself to the creation of psuedonymous identities for
> specific purposes and minimizes the loss of privacy, unlike conventional
> approaches where privacy is not prioritized. Note that the customer's true
> identity can be revealed by a court order if required. This involves a
> computation to reveal the base identity (your national id in this example).
> So your privacy relies on a trusted independent party, which could be part
> of the judiciary.
> Idemix is available as an open source java library. My demo was based on
> an extension to the Firefox browser and allows web pages running in the
> browser to create a new pseudonymous id, and to ask the extension to
> authenticate the user and provide a zero knowledge proof that the user owns
> that pseudonymous id. The example is for a university where the student
> union issues new students with a USB key stick this allows students to make
> purchases and to participate in chat sessions without disclosing their
> identity. See slide 38 on:  http://www.slideshare.net/iwmw/raggett
> Today, customer privacy is a low priority for businesses, who constantly
> demand for personal information that they don't need to know. It is almost
> a paradox, but STRONG identity can be used to underpin STRONG PRIVACY,
> however, this will require concerted action by citizens to overcome the
> reluctance of business and governments to do more than the very minimum.


There's also a concept of group membership.  "I am a member of the group of
people over 18" and that group issues me a token.  But it doesnt say which
member I am.  A similar form of "blinding".

> Further reading:
>    http://people.w3.org/~dsr/blog/?p=95
>    http://www.zurich.ibm.com/idemix/details.html
>    http://en.wikipedia.org/wiki/Zero-knowledge_proof
> --
> Dave Raggett <dsr@w3.org> <dsr@w3.org> http://www.w3.org/People/Raggett
Received on Monday, 30 September 2013 09:39:46 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:07:24 UTC