11.14.1. This is one of the most overlooked and ignored aspects of cryptology, especially of Chaum's work. And no one in Cypherpunks or anywhere else is currently working on "blinded credentials" for everyday use. 11.14.2. "Is proof of identity needed?" - This question is debated a lot, and is important. Talk of a national ID card (what wags call an "internal passport") is in the air, as part of health care, welfare, and immigration legislation. Electronic markets make this also an issue for the ATM/smart card community. This is also closely tied in with the nature of anonymous reamailers (where physical identity is of course generally lacking). + First, "identity" can mean different things: - Conventional View of Identity: Physical person, with birthdate, physical characteristics, fingerprints, social security numbers, passports, etc.--the whole cloud of "identity" items. (Biometric.) - Pseudonym View of Identity: Persistent personnas, mediated with cryptography. "You are your key." - Most of us deal with identity as a mix of these views: we rarely check biometric credentials, but we also count on physical clues (voice, appearance, etc.). I assume that when I am speaking to "Duncan Frissell," whom I've never met in person, that he is indeed Duncan Frissell. (Some make the jump from this expectation to wanting the government enforce this claim, that is, provided I.D.) + It is often claimed that physical identity is important in order to: - track down cheaters, welchers, contract breakes, etc. - permit some people to engage in some transactions, and forbid others to (age credentials, for drinking, for example, or---less benignly--work permits in some field) - taxation, voting, other schemes tied to physical existence + But most of us conduct business with people without ever verifying their identity credentials...mostly we take their word that they are "Bill Stewart" or "Scott Collins," and we never go beyond that. - this could change as digital credentials proliferate and as interactions cause automatic checks to be made (a reason many of us have to support Chaum's "blinded credentials" idea--without some crypto protections, we'll be constantly tracked in all interactions). + A guiding principle: Leave this question of whether to demand physical ID credentials up to the *parties involved*. If Alice wants to see Bob's "is-a-person" credential, and take his palmprint, or whatever, that's an issue for them to work out. I see no moral reason, and certainly no communal reason, for outsiders to interfere and insist that ID be produced (or that ID be forbidden, perhaps as some kind of "civil rights violation"). After all, we interact in cyberspace, on the Cypherpunks list, without any such external controls on identity. - and business contracts are best negotiated locally, with external enforcement contracted by the parties (privately- produced law, already seen with insurance companies, bonding agents, arbitration arrangements, etc.) - Practically speaking, i.e., not normatively speaking, people will find ways around identity systems. Cash is one way, remailers are another. Enforcement of a rigid identity- based system is difficult. 11.14.3. "Do we need "is-a-person" credentials for things like votes on the Net?" - That is, any sysadmin can easily create as many user accounts as he wishes. And end users can sign up with various services under various names. The concern is that this Chicago-style voting (fictitious persons) may be used to skew votes on Usenet. - Similar concerns arise elsewhere. - In my view, this is a mighty trivial reason to support "is- a-person" credentials. 11.14.4. Locality, credentials, validations + Consider the privacy implications of something so simple as a parking lot system. Two main approaches: - First Approach. Cash payment. Car enters lot, driver pays cash, a "validation" is given. No traceability exists. (There's a small chance that one driver can give his sticker to a new driver, and thus defraud the parking lot. This tends not to happen, due to the inconveniences of making a market in such stickers (coordinating with other car, etc.) and because the sticker is relatively inexpensive.) - Second Approach. Billing of driver, recording of license plates. Traceability is present, especially if the local parking lot is tied in to credit card companies, DMV, police, etc. (these link-ups are on the wish list of police agencies, to further "freeze out" fugitives, child support delinquents, and other criminals). - These are the concerns of a society with a lot of electronic payments but with no mechanisms for preserving privacy. (And there is currently no great demand for this kind of privacy, for a variety of reasons, and this undercuts the push for anonymous credential methods.) - An important property of true cash (gold, bank notes that are well-trusted) is that it settles immediately, requiring no time-binding of contracts (ability to track down the payer and collect on a bad transaction)
Next Page: 11.15 Records of all UseNet postings
Previous Page: 11.13 National Health Care System Issues
By Tim May, see README
HTML by Jonathan Rochkind