Re: [saag] Liking Linkability

On 10/19/12 7:21 AM, Ben Laurie wrote:
>> >Ben,
>> >
>> >How is the following incongruent with the fundamental points we've been
>> >trying to make about the combined effects of URIs, Linked Data, and Logic en
>> >route to controlling privacy at Web-scale?
>> >
>> >Excerpt from Microsoft page [1]:
>> >
>> >A U-Prove token is a new type of credential similar to a PKI certificate
>> >that can encode attributes of any type, but with two important differences:
>> >
>> >1) The issuance and presentation of a token is unlinkable due to the special
>> >type of public key and signature encoded in the token; the cryptographic
>> >“wrapping” of the attributes contain no correlation handles. This prevents
>> >unwanted tracking of users when they use their U-Prove tokens, even by
>> >colluding insiders.
>> >
>> >2) Users can minimally disclose information about what attributes are
>> >encoded in a token in response to dynamic verifier policies. As an example,
>> >a user may choose to only disclose a subset of the encoded attributes, prove
>> >that her undisclosed name does not appear on a blacklist, or prove that she
>> >is of age without disclosing her actual birthdate.
>> >
>> >
>> >Why are you assuming that a hyperlink based pointer (de-referencable URI)
>> >placed in the SAN of minimalist X.509 certificate (i.e., one that has now
>> >personally identifiable information) can't deliver the above and more?
> Because it contains "correlation handles" to use the terminology of the quote.
>

There was a typo in my statement above, it should have read:

Why are you assuming that a hyperlink based pointer (de-referencable URI)
placed in the SAN of minimalist X.509 certificate (i.e., one that has *no*
personally identifiable information) can't deliver the above and more?


As for correlation handles I see the following:

1. Internet -- you have machine names resolvable via DNS protocol, so 
you always have machine scoped correlation handle

2. Web of Linked Documents -- you have document names resolvable via 
HTTP (which leverages DNS) so you still have correlation to the 
combination of a machine name, user agent, and in some cases referrer 
document name

3.Web of Linked Data -- all of the above, but with the addition of a 
name (in the form of a URI) for nebulous entity "You" or anything else.

Bar the use of Tor, I am not seeing this lack of "correlation handles" 
(basis for fingerprints) re. U-Prove.

You continue to insinuate (IMHO. incorrectly) that the following isn't 
achievable via a protocol that leverages the combination of 
de-referencable URIs, structured data (in the form of a Linked Data 
graph), entity relationship semantics (for structured data tapestry), 
first-order logic (the conceptual schema), and reasoning (inference and 
entailments):

"Prove Tokens can be issued in such a manner that not even collusions of 
Verifiers and Issuers can trace the presentation of an U-Prove Token to 
its issuing event, or determine whether or not two presented U-Prove 
Tokens were issued to the same User. When used in combination with the 
selective disclosure feature, Verifiers and Issuers can infer no more 
than what can be inferred from the attribute properties that Users 
expressly disclose to Verifiers"


-- 

Regards,

Kingsley Idehen	
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen