Re: Web Payments and Identity

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Mon, 30 Sep 2013 15:27:20 +0200
Message-ID: <52497C38.90102@gmail.com>
To: Dave Raggett <dsr@w3.org>, public-webpayments@w3.org

David Raggett wrote:
> In respect to knowing your customer, one approach is to use zero 
> knowledge proofs. I was part of the EU project PrimeLife which finished 
> a few years back and worked with IBM on a demo for their identity mixer 
> technology (idemix). Imagine that a national government issues its 
> citizens with a smart card attesting to a variety of personal
> information, e.g. your name, passport number, date of birth, current
> address, and so forth. Banks and other institutions have trust in the
> processes used by the government in providing these national identity 
> cards.
>
> Now imagine a situation where you want to purchase let's say a box of 
> wine online, and are required to prove that you are 18 years or older.  
> Idemix would allow you to provide a cryptographic proof backed by your
> government *without* disclosing your date of birth or your national id
> number! This is possible through a zero knowledge proof over expressions 
> of attributes on the government issued id.
>
> The approach lends itself to the creation of pseudonymous identities for
> specific purposes and minimizes the loss of privacy, unlike conventional 
> approaches where privacy is not prioritized. Note that the customer's 
> true identity can be revealed by a court order if required. This 
> involves a computation to reveal the base identity (your national id in 
> this example). So your privacy relies on a trusted independent party, 
> which could be part of the judiciary.
>
> Idemix is available as an open source java library. My demo was based on 
> an extension to the Firefox browser and allows web pages running in the 
> browser to create a new pseudonymous id, and to ask the extension to 
> authenticate the user and provide a zero knowledge proof that the user 
> owns that pseudonymous id. The example is for a university where the 
> student union issues new students with a USB key stick; this allows
> students to make purchases and to participate in chat sessions without 
> disclosing their identity. See slide 38 on: 
> http://www.slideshare.net/iwmw/raggett
>
> Today, customer privacy is a low priority for businesses, who constantly 
> demand personal information that they don't need to know. It is
> almost a paradox, but STRONG identity can be used to underpin STRONG 
> PRIVACY, however, this will require concerted action by citizens to 
> overcome the reluctance of business and governments to do more than the 
> very minimum.
>
> Further reading:
> http://people.w3.org/~dsr/blog/?p=95
> http://www.zurich.ibm.com/idemix/details.html
> http://en.wikipedia.org/wiki/Zero-knowledge_proof
>
> -- 
> Dave Raggett <dsr@w3.org> http://www.w3.org/People/Raggett

I guess this particularly applies to the merchant-side of payments, right?

Sometimes you would like to anonymize the merchant from the payment
provider in case you are purchasing goods or services that are illegal or at
least shameful.  Is this maybe covered by BitCoins?  I must admit I'm not
up to speed on this technology.

Cheers
Anders
Received on Monday, 30 September 2013 13:27:56 UTC
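
Added example, not part of the original thread and not idemix code: the "prove you are 18 or older without disclosing your date of birth" idea from the quoted message, shown with a much simpler hash-chain commitment instead of idemix's zero-knowledge proofs. The function names are hypothetical, and HMAC stands in for the issuer's public-key signature so the block runs on the standard library alone.

```python
import hashlib
import hmac
import os

def chain(value: bytes, steps: int) -> bytes:
    """Apply SHA-256 `steps` times (0 steps returns the value unchanged)."""
    for _ in range(steps):
        value = hashlib.sha256(value).digest()
    return value

def issue_credential(issuer_key: bytes, age: int):
    """Issuer: commit to the age as H^age(seed) and attest the commitment.

    Assumption: HMAC replaces a real signature, so the verifier below
    shares issuer_key; a deployed scheme would verify with a public key.
    """
    seed = os.urandom(32)              # secret, stays with the holder
    commitment = chain(seed, age)
    tag = hmac.new(issuer_key, commitment, hashlib.sha256).digest()
    return seed, commitment, tag

def prove_at_least(seed: bytes, age: int, threshold: int):
    """Holder: reveal H^(age - threshold)(seed)."""
    if age < threshold:
        return None                    # would require inverting SHA-256
    return chain(seed, age - threshold)

def verify_at_least(issuer_key, commitment, tag, proof, threshold) -> bool:
    """Verifier: check the attestation, then hash `threshold` steps forward."""
    if proof is None or len(proof) != 32:
        return False
    expected = hmac.new(issuer_key, commitment, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False
    # The verifier learns only that age >= threshold, not the age itself.
    return hmac.compare_digest(chain(proof, threshold), commitment)

def demo():
    issuer_key = os.urandom(32)        # constructed sample key
    seed, commitment, tag = issue_credential(issuer_key, 34)  # constructed age
    proof = prove_at_least(seed, 34, 18)
    honest = verify_at_least(issuer_key, commitment, tag, proof, 18)
    # The same proof does not satisfy a higher threshold.
    inflated = verify_at_least(issuer_key, commitment, tag, proof, 40)
    return honest, inflated
```

Unlike the scheme described in the quoted message, the commitment and proof here are identical on every presentation, so showings are linkable and a captured proof can be replayed.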