From: Hal <hfinney@shell.portal.com>
Date: Wed, 21 Feb 1996 15:54:16 +0800
To: cypherpunks@toad.com
Subject: Re: anonymous age credentials, sharing of
In-Reply-To: <Pine.SUN.3.91.960214143233.28807O-100000@viper.law.miami.edu>
Message-ID: <199602210205.SAA20048@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

Michael Froomkin <froomkin@law.miami.edu> writes:

>Suppose Alice is a CA who issues anonymous age credentials.
>Bob is 15
>Carol is 25

>Carol gets a legitimate anonymous age credential from Alice bound to an 
>anonymous public key generated for this purpose.  Carol then gives the 
>key pair to Bob.  Bob uses to do things only adults are legally permitted 
>to do.  (It's not bound to Carol's everday keypair because that's not 
>anonymous....)

>What can stop Bob and Carol from subverting a scheme that relies on 
>anonymous age creditials in this manner?

I think I wrote something about this before, but I can't recall whether
there was subsequent discussion...

In Chaum's pseudonym/credential system, you can be restricted in the
number of pseudonyms you can get of a given type.  You can transfer
your credentials among any of your pseudonyms, but you might only have
one pseudonym (and associated key pair) for a specific forum or
purpose.  So Carol could get her age credential by showing her birth
certificate, and get it on a non-anonymous pseudonym, then transfer it to
any of her other pseudonyms.  Maybe there is a particular nym which she
uses for access in some area, and she has to prove her age in order to do
so.  So she transfers the credential to that pseudonym and can get
access.

Now Carol could give her pseudonym, credential and key pair to Bob, and
let him act as her within that forum (say, for access to a particular
archive).  He could then exercise all of the privileges that she
could.  This is in effect a shortcut for the case where Bob asks Carol,
"get me this file", "get me that file", and she does.  This is in effect
a blanket promise on Carol's part to respond affirmatively to all such
requests.

Obviously, as I think Michael wrote earlier, we can't stop Carol from
doing this on a file-by-file basis.  But we still might want to make it
so she won't give Bob full access, since that will make it even easier
for him to get these files he's not supposed to see, and it seems to
somewhat remove Carol from responsibility for giving each file to Bob.

One thing that might make Carol reluctant to authorize Bob to act as
her agent in this way is that she would also be responsible for any
negative consequences of things Bob does.  If Bob abuses the lent key
pair in some way, such that maybe he is even banned from that archive,
then Carol will suffer the consequences as well.  Given that she only
gets one pseudonym of a kind which can access this archive, she can be
hurt by giving Bob the full use of that nym.

Now, depending on the circumstances, this may or may not be a significant
deterrent for Carol.  If the archive has no material she would be
interested in, or there is no significant likelihood of abuse which would
lead to losing her access, then it won't matter.  But things could be
structured so that these bad consequences were more likely, and then it
would be a more significant consideration for her.

There is a tradeoff between anonymity and accountability here.  We gain
this degree of accountability only be limiting the number of pseudonyms
a person can have for certain kinds of usage, thereby reducing
anonymity.  The most extreme case would would to say that a person can
have only one identity for use everywhere.  That is, we would ban
anonymity.  At the other extreme, anyone can get as many nyms of all
kinds as they want, and transfer credentials in all ways, in which case
credentials are meaningless.  These seem to be the two endpoints
considered in Michael's hypothetical example.

But there are actually a whole range of intermediate points which are
possible.  One example, close to the non-anonymous case, is to give
every person exactly one online pseudonym, unlinkable to their physical
identity, but the only one they can use in their online life.  Now if
they behave abusively the consequences they can suffer are limited.
They can't go to jail.  But still the risks may be relatively severe, and
could include in the most extreme case loss of access to all online
resources, which will be a severe punishment in the future.  Another
point on the continuum would be the use of a single pseudonym for all
access to materials which are illegal for minors to see.  If Carol gives
hers to Bob and he screws it up somehow, she may be stuck watching PG
movies for the rest of her life.

I have tried to think of a better technical fix, such that in order to
give Bob the ability to show one of her credentials, Carol must
inherently give him the ability to use all of them, to act as her in all
forums.  Maybe some zero-knowledge protocol would be required to show a
credential, one which would only work if you knew some basic secret that
underlies all your pseudonyms, but which doesn't reveal it to anyone.
Then Bob could act as Carol only if he knew her innermost secrets.  But
still it would be necessary to retain unlinkability among pseudonyms.  I
can't see how to make it work, and maybe it is fundamentally impossible.
But if something like this were possible it would be a good solution to
the problem Michael has described.

Hal Finney

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQBVAwUBMSp9xxnMLJtOy9MBAQH9GAH9F7E6mZ/4lfL/b/4kdGTSpLZfmvJZu7iK
EN8+wUHrAdi/cobG9KUsrFxcm3evG6ijLyu4WhxQzdoU0k1wyAUN7g==
=X7tH
-----END PGP SIGNATURE-----