From: Bill Stewart <stewarts@ix.netcom.com>
Date: Sun, 13 Oct 1996 23:47:08 -0700 (PDT)
To: cypherpunks@toad.com
Subject: Re: Blinded Identities [was Re: exporting signatures only/CAPI]
Message-ID: <199610140646.XAA03949@dfw-ix12.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


>> >Steve Shear <azur@netcom.com> writes:
>> I've been charged with developing an Internet service which needs to assure
>> its clients of anonymity.  However, we fear some clients may abuse the
>> service and we wish to prevent the abusers from re-enrollment if
>> terminated for misbehavior. 

At 04:28 PM 10/13/96 -0400, "Michael Froomkin - U.Miami School of Law"
<froomkin@law.miami.edu> wrote:
>Stefan Brands has a protocol that probably does what you want.  
....
>http://www.law.miami.edu/~froomkin/articles/oceanno.htm#ENDNOTE286

Looks like a really nice paper on anonymity issues; at 485K, it'll take
a little while to read :-)

The fundamental difficulty in this problem is that you need some 
demonstrable proof of uniqueness for human users; if you don't have that,
you can't transform it into a unique-but-anonymous identity.*
The issues are similar to privacy-protecting voter registration problems.

Brands's protocol starts with the user going to the bank with proof of ID,
and getting a numerical ID which can be blinded and signed.
It's a nice approach; you can do cruder approaches by hashing your
universal-citizen-unit-ID-number or whatever, but that can be
dictionary-searched
by feeding all the possible ID numbers through the hash.

For some applications, mapping back to a unique human isn't necessary;
if you do something like map back to a bank account which has a high
minimum balance for setup, this discourages the type of users who
don't want to spend $100 just to send spam.

Blinding a Verisign signature isn't enough, though - they support
personna certificates without proof of identity.

Froomkin also points out a class of attacks that can allow abusers to get around
Brands's protocol - a group of users get together and abuse one ID till it gets
busted, then abuse the next, etc., until they're all burned.  Or you hire
a bum off the street to get an account for you.  Or whatever.

[ * There are non-universal-identifier methods for preventing double-use.
Voter registration in many places just depends on identification and
affidavit, and is often abused (e.g. Chicago graveyard voters and
Nevada absentee ballots), but usually not massively abused.
Some third-world countries don't even require registration or literacy - 
they dip your thumb in ink after you vote, using a kind of ink that
won't come off for a couple of days.  Attacks against this protocol
include better solvents :-) ]


#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk
  Imagine if three million people voted for somebody they _knew_,
  and the politicians had to count them all.