11.14.1. This is one of the most overlooked and ignored aspects of
cryptology, especially of Chaum's work. And no one in
Cypherpunks or anywhere else is currently working on "blinded
credentials" for everyday use.
11.14.2. "Is proof of identity needed?"
- This question is debated a lot, and is important. Talk of a
national ID card (what wags call an "internal passport") is
in the air, as part of health care, welfare, and
immigration legislation. Electronic markets make this also
an issue for the ATM/smart card community. This is also
closely tied in with the nature of anonymous remailers
(where physical identity is of course generally lacking).
+ First, "identity" can mean different things:
- Conventional View of Identity: Physical person, with
birthdate, physical characteristics, fingerprints, social
security numbers, passports, etc.--the whole cloud of
"identity" items. (Biometric.)
- Pseudonym View of Identity: Persistent personas,
mediated with cryptography. "You are your key."
- Most of us deal with identity as a mix of these views: we
rarely check biometric credentials, but we also count on
physical clues (voice, appearance, etc.). I assume that
when I am speaking to "Duncan Frissell," whom I've never
met in person, that he is indeed Duncan Frissell. (Some
make the jump from this expectation to wanting the
government to enforce this claim, that is, to provide I.D.)
+ It is often claimed that physical identity is important in
order to:
- track down cheaters, welchers, contract breakers, etc.
- permit some people to engage in some transactions, and
forbid others to (age credentials, for drinking, for
example, or--less benignly--work permits in some field)
- taxation, voting, other schemes tied to physical
existence
+ But most of us conduct business with people without ever
verifying their identity credentials...mostly we take their
word that they are "Bill Stewart" or "Scott Collins," and
we never go beyond that.
- this could change as digital credentials proliferate and
as interactions cause automatic checks to be made (a
reason many of us have to support Chaum's "blinded
credentials" idea--without some crypto protections, we'll
be constantly tracked in all interactions).
+ A guiding principle: Leave this question of whether to
demand physical ID credentials up to the *parties
involved*. If Alice wants to see Bob's "is-a-person"
credential, and take his palmprint, or whatever, that's an
issue for them to work out. I see no moral reason, and
certainly no communal reason, for outsiders to interfere
and insist that ID be produced (or that ID be forbidden,
perhaps as some kind of "civil rights violation"). After
all, we interact in cyberspace, on the Cypherpunks list,
without any such external controls on identity.
- and business contracts are best negotiated locally, with
external enforcement contracted by the parties (privately-
produced law, already seen with insurance companies,
bonding agents, arbitration arrangements, etc.)
- Practically speaking, i.e., not normatively speaking,
people will find ways around identity systems. Cash is one
way, remailers are another. Enforcement of a rigid identity-
based system is difficult.
11.14.3. "Do we need "is-a-person" credentials for things like votes
on the Net?"
- That is, any sysadmin can easily create as many user
accounts as he wishes. And end users can sign up with
various services under various names. The concern is that
this Chicago-style voting (fictitious persons) may be used
to skew votes on Usenet.
- Similar concerns arise elsewhere.
- In my view, this is a mighty trivial reason to support "is-
a-person" credentials.
11.14.4. Locality, credentials, validations
+ Consider the privacy implications of something so simple as
a parking lot system. Two main approaches:
- First Approach. Cash payment. Car enters lot, driver pays
cash, a "validation" is given. No traceability exists.
(There's a small chance that one driver can give his
sticker to a new driver, and thus defraud the parking
lot. This tends not to happen, due to the inconveniences
of making a market in such stickers (coordinating with
other car, etc.) and because the sticker is relatively
inexpensive.)
- Second Approach. Billing of driver, recording of license
plates. Traceability is present, especially if the local
parking lot is tied in to credit card companies, DMV,
police, etc. (these link-ups are on the wish list of
police agencies, to further "freeze out" fugitives, child
support delinquents, and other criminals).
- These are the concerns of a society with a lot of
electronic payments but with no mechanisms for preserving
privacy. (And there is currently no great demand for this
kind of privacy, for a variety of reasons, and this
undercuts the push for anonymous credential methods.)
- An important property of true cash (gold, bank notes that
are well-trusted) is that it settles immediately, requiring
no time-binding of contracts (ability to track down the
payer and collect on a bad transaction).
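
An added example, not part of the original text: a Chaum-style blind signature, the building block behind blinded credentials, applied to the parking lot above. The lot can bill the driver electronically at the pay booth and still be unable to link that payment to the validation shown at the exit. The toy RSA key, the token format and all function names are assumptions made for illustration.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy key for the lot: two Mersenne primes. Textbook RSA, far too
# small and unpadded for real use; it only demonstrates the unlinkability.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # lot's private signing exponent

def h(token: bytes) -> int:
    """Map a token to an integer mod N (stand-in for a full-domain hash)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N

def blind(token: bytes):
    """Driver: multiply the token hash by r^E so the lot cannot read it."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (h(token) * pow(r, E, N)) % N, r

def sign_blinded(blinded: int) -> int:
    """Lot, at the pay booth: sign whatever number arrives with the payment."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """Driver: strip r to obtain an ordinary signature on the token."""
    return (blind_sig * pow(r, -1, N)) % N

def verify(token: bytes, sig: int) -> bool:
    return pow(sig, E, N) == h(token)

def run_demo():
    pay_log, spent = [], set()            # everything the lot ever records
    token = secrets.token_bytes(16)       # driver's secret serial number
    blinded, r = blind(token)
    blind_sig = sign_blinded(blinded)
    pay_log.append((blinded, blind_sig))  # this entry could be tied to a card
    sig = unblind(blind_sig, r)

    def exit_gate(tok, s):                # accept each validation only once
        ok = verify(tok, s) and tok not in spent
        if ok:
            spent.add(tok)
        return ok

    first = exit_gate(token, sig)
    reused = exit_gate(token, sig)        # the handed-on sticker case
    linkable = (h(token), sig) in pay_log or h(token) == blinded or sig == blind_sig
    return first, reused, linkable, verify(b"forged", sig)
```

The exit gate sees a valid signature from the lot's own key, yet nothing in `pay_log` matches the token or signature presented, which is the cash-like property of the first approach carried into an electronic payment.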
By Tim May, see README
HTML by Jonathan Rochkind