The Identity Corner

Anonymous Credentials? No, Minimal Disclosure Certificates!

Kim Cameron is in the midst of blogging an excellent series of posts on the important topic of unlinkability; see here and here, for instance. As I had expected from past experience, several commenters on Kim’s post wrongly equate unlinkability with anonymity (see, e.g., here and here, both using the analogy of shoppers or bank robbers wearing masks). Of course, an unfortunate choice of terminology (“anonymous credentials”) does not help at all in this respect. Here are some important things to keep in mind when reading Kim’s posts:

  • Whenever you read about “anonymous credentials”, you should really think of these as minimal disclosure certificates. “Minimal disclosure” implies three privacy properties: (1) minimization of traceability, (2) minimization of linkability, and (3) selective disclosure:
    • Minimization of traceability means that there is nothing in a certificate beyond any disclosed attribute data it may contain that can be used to link its presentation to its issuance.
    • Minimization of linkability means that there is nothing in a certificate beyond any disclosed attribute data it may contain that can be used to link its presentation to the presentation of other certificates of the same user.
    • Selective disclosure means that the user of a certificate, when presenting the certificate, can (unconditionally) hide attribute data contained in the certificate that does not need to be revealed. More generally, properties of encoded attribute values can be disclosed while any other information remains hidden.
  • These properties hold in the face of collusions between relying parties and identity providers. What’s more, they hold unconditionally, even if relying parties and identity providers actively collude from the outset and try to build in “cryptographic backdoors” in the algorithms used to digitally sign identity claims.
  • “Minimal disclosure” refers to privacy properties of a certificate, not to privacy properties of an entire transaction or session in which that certificate is used. If an “anonymous credential” is presented over the Internet then its user’s IP address may be captured, for instance. Or, when presenting an “anonymous credential” using a chipcard at a brick-and-mortar store, a camera may capture a picture of the user.

In short, “anonymous credentials” are not all about anonymity. They are about the ability to disclose the absolute minimum that is required when presenting an identity claim. Similarly, “unlinkability”, “untraceability”, and “selective disclosure” are not about anonymity per se. Anonymity is just an extreme point on the privacy “spectrum” that can be achieved, all depending on what attribute information is encoded into certificates and what of that is disclosed at presentation time. Currently prevalent technologies, such as standard digital signatures and PKI/X.509 certificates, are a poor fit for protecting identity claims, since they inescapably leak a lot of identifying information when a protected identity claim is presented; in particular, they disclose universally unique identifiers (correlation handles) that can be used to unambiguously link their presentation to their issuance.

A final remark: With “anonymous credential” technology, the degree of granularity that a certificate user has over selectively disclosing properties of attribute values contained in that certificate can be controlled by the identity provider. Consider, by way of example, a certificate that specifies the date of birth, gender, name, and residency of a person; the issuer may decide to issue the certificate (i.e., protected identity claim) in such a manner that its user will be able to selectively hide the name and to prove that the date of birth is over 18 years ago, say, while preventing the user from hiding the gender and residency. More generally, the identity provider can give the user of a certificate any desired degree of partial control over the release of attribute information that the issuer encodes into that certificate.
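To make the distinction between selective disclosure and unlinkability concrete, here is an added toy example (not code from this post or from any of Stefan Brands’s schemes) that implements the issuer policy described above: name and date of birth are encoded as salted hash commitments the user may open or withhold, while gender and residency are encoded in clear so they cannot be hidden. It assumes a constructed issuer key used as an HMAC stand-in for a real signature, and an issuer-supplied “over_18” attribute standing in for a genuine “born more than 18 years ago” proof. It deliberately shows the property this simple construction lacks: the signature value is the same in every presentation, so it is exactly the kind of correlation handle that links presentation to issuance.

```python
import hashlib
import hmac
import json
import os

# Constructed sample: an issuer key (stand-in for a real signing key) and one user's attributes.
ISSUER_KEY = b"constructed-issuer-key"
ATTRS = {"name": "Alice Example", "dob": "1985-03-02", "over_18": "yes",
         "gender": "F", "residency": "NL"}
# Issuer policy from the post: name and date of birth may be hidden, gender and residency may not.
# "over_18" is an issuer-derived attribute standing in for a real "born more than 18 years ago" proof.
HIDEABLE = {"name", "dob", "over_18"}


def commit(name, value, salt):
    """Salted hash commitment to one attribute; the salt keeps low-entropy values unguessable."""
    return hashlib.sha256(salt + name.encode() + b"=" + value.encode()).hexdigest()


def issue(attrs, hideable):
    """Issuer encodes mandatory attributes in clear and hideable ones as commitments, then signs."""
    salts = {n: os.urandom(16) for n in hideable}
    body = {"mandatory": {n: v for n, v in attrs.items() if n not in hideable},
            "committed": {n: commit(n, attrs[n], salts[n]) for n in hideable}}
    sig = hmac.new(ISSUER_KEY, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()
    return {"body": body, "sig": sig}, salts


def present(cert, attrs, salts, reveal):
    """User shows the certificate plus openings only for the hideable attributes in `reveal`."""
    return {"cert": cert, "opened": {n: (attrs[n], salts[n].hex()) for n in reveal}}


def verify(pres):
    """Relying party: check the issuer signature and each opening; return what it learned, or None."""
    cert = pres["cert"]
    expected = hmac.new(ISSUER_KEY, json.dumps(cert["body"], sort_keys=True).encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, cert["sig"]):
        return None
    learned = dict(cert["body"]["mandatory"])
    for n, (v, salt_hex) in pres["opened"].items():
        if cert["body"]["committed"].get(n) != commit(n, v, bytes.fromhex(salt_hex)):
            return None
        learned[n] = v
    return learned


def correlation_handle(pres):
    """The signature is identical in every presentation: selective disclosure, but no unlinkability."""
    return pres["cert"]["sig"]
```

A minimal disclosure certificate in the sense of this post would additionally make the signature itself unrecognisable to the issuer and across presentations, which is what distinguishes it from this hash-commitment sketch.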

June 19, 2007 - Posted by Stefan Brands | General | | 3 Comments

3 Comments »

  1. [...] Stefan Brands has a nice new piece called, Anonymous Credentials? No, Minimal Disclosure Certificates!  I think he’s right about the need to stay away from the moniker “anonymous credentials”.  I got it from some of the early literature, but I hereby give it up.  If I use it again, slap me around: “Kim Cameron is in the midst of blogging an excellent series of posts on the important topic of unlinkability; see here and here, for instance. As I had expected from past experience, several commentors on Kim’s post (such as here and here) wrongly equate unlinkability with anonymity. Of course, an unfortunate choice of terminology (’anonymous credentials’ ;) does not help at all in this respect…  [...]

    Pingback by Kim Cameron’s Identity Weblog » Long live minimal disclosure tokens! | June 19, 2007

  2. [...] Stefan Brands writes eloquently about the spectrum of uses available when selective disclosure is employed, which I might paraphrase as ranging from “anonymous” to “completely privacy invading”, contrary to many peoples’ perceptions. Selective disclosure is often seen as a purely privacy-preserving technology; but that misses the point. Selective disclosure allows the full spectrum of options - from nothing at all to everything. Other signature mechanisms and technologies do not. It’s as simple as that. [...]

    Pingback by Links » Stefan Brands on Minimal Disclosure | June 25, 2007

  3. [...] Ben Laurie points us to Stefan Brands writing about the spectrum of uses available when selective disclosure is employed. [...]

    Pingback by Blindside : Blog Archive » IT and IA Security Roundup | June 28, 2007
