I have missed significant parts of this thread, but is there
assurance that these are in fact computationally feasible?
There are cases where such guarantees are often found possible to
break in unanticipated ways. Recently the focus is on medical records
and the ability to identify a specific person in a large population
when an anonymization algorithm had been appropriately applied by
correlating data from a variety of sources. Below is one set of
citations often cross referenced in this area:
http://lab.privacy.cs.cmu.edu/people/sweeney/confidentiality.html
Paul
On Jul 13, 2006, at 5:43 PM, Ben Laurie wrote:
On the plane to IETF I realised that there were several more potential
requirements to add to ekr's list:
12. Single Site Unlinkability (SSU)
The user should be able to visit the same site multiple times without
the site being able to tell that it is the same user, even if the user
is, for example, asserting the same external claims each time. This
protects the user's privacy. Obviously if data provided by the user is
unique to that user (for example, age and address combined are often
sufficient to uniquely identify a person) then no amount of cleverness
can provide SSU, but SSU should be available to the extent permitted
by the uniqueness of the data provided.
13. Multiple Site Unlinkability (MSU)
The user should be able to visit multiple sites without the sites
being able to collude to correlate the data provided by the user. This
is a weaker requirement than SSU (that is, MSU does not guarantee
SSU). Again, this protects the user's privacy.
14. Attack Resistant Credentials (ARC)
Credentials should be such that the (computationally limited) verifier
cannot reconstruct the original credential by brute force. Note that
the impossibility of this may rely on the user choosing strong
secrets, which is often unlikely, for example where the sole source of
entropy is a password.
15. Claim Minimality (CM)
The ability to show only exactly what is needed, (for example, the
user is over 21 rather than the user's exact age, or if there are
mutlple claims the ability to show a subset). This improves privacy
and reduces linkability.
_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
