This might hide identity from the person requesting the info, but not from the trusted authority. In theory the authority could collect data on where requests are coming from, or where the certs are used. To my knowledge, there's no way to completely hide identity while also verifying an attribute and ownership.
There are actually ideas using crypto to provide proof of properties without a trusted entity having to know what the proof will be used for, and without the requester of the proof being able to learn more about the identity. E.g. (in french) https://linc.cnil.fr/demonstrateur-du-mecanisme-de-verificat...
Now i think it is still either a dangerous slope, or it will end up inefficient, because of credential sharing; the typical modern idea to avoid that is to require the user to have a locked smartphone, wich is quite an intrusive requirement.
This is close. But I believe an attacker could use the signature to tie it back to a user if the gain access to the trusted authority information. There's no way to do it truly anonymously. Even the article recognized its pseudonymous.
I don't see anything in that link explaining how one could verify age while remaining anonymous to all parties. How does one verify the age is correct and associated with the true person? It also seems the cert is for specific sites. So doesn't that mean the identity provider (trust anchor?) who verified the age now has a list of which sites you're using your certs on sinc eyou must define a reciever (recipient domain?)? Maybe you can explain the flow in an example?
This might hide identity from the person requesting the info, but not from the trusted authority. In theory the authority could collect data on where requests are coming from, or where the certs are used. To my knowledge, there's no way to completely hide identity while also verifying an attribute and ownership.
There are actually ideas using crypto to provide proof of properties without a trusted entity having to know what the proof will be used for, and without the requester of the proof being able to learn more about the identity. E.g. (in french) https://linc.cnil.fr/demonstrateur-du-mecanisme-de-verificat...
Now i think it is still either a dangerous slope, or it will end up inefficient, because of credential sharing; the typical modern idea to avoid that is to require the user to have a locked smartphone, wich is quite an intrusive requirement.
This is close. But I believe an attacker could use the signature to tie it back to a user if the gain access to the trusted authority information. There's no way to do it truly anonymously. Even the article recognized its pseudonymous.
It does hide identity from all parties except the party you decide to share your identity with.
Here's the technical details on how that is achieved: https://cipheredtrust.com/doc/#pki-id-anchoring
I don't see anything in that link explaining how one could verify age while remaining anonymous to all parties. How does one verify the age is correct and associated with the true person? It also seems the cert is for specific sites. So doesn't that mean the identity provider (trust anchor?) who verified the age now has a list of which sites you're using your certs on sinc eyou must define a reciever (recipient domain?)? Maybe you can explain the flow in an example?
4 replies →