On 7/15/06, Paul Gleichauf <[EMAIL PROTECTED]> wrote:
I have missed significant parts of this thread, but is there
assurance that these are in fact computationally feasible?

There are cases where such guarantees are often found possible to
break in unanticipated ways. Recently the focus is on medical records
and the ability to identify a specific person in a large population
when an anonymization algorithm had been appropriately applied by
correlating data from a variety of sources.  Below is one set of
citations often cross referenced in this area:

http://lab.privacy.cs.cmu.edu/people/sweeney/confidentiality.html

I explicitly stated that these kinds of attacks were out of scope. I'm
talking about the avoidable kind of linkage, for example where you
present the same X.509 client cert everywhere.


Paul

On Jul 13, 2006, at 5:43 PM, Ben Laurie wrote:

> On the plane to IETF I realised that there were several more potential
> requirements to add to ekr's list:
>
> 12. Single Site Unlinkability (SSU)
> The user should be able to visit the same site multiple times without
> the site being able to tell that it is the same user, even if the user
> is, for example, asserting the same external claims each time. This
> protects the user's privacy. Obviously if data provided by the user is
> unique to that user (for example, age and address combined are often
> sufficient to uniquely identify a person) then no amount of cleverness
> can provide SSU, but SSU should be available to the extent permitted
> by the uniqueness of the data provided.
>
> 13. Multiple Site Unlinkability (MSU)
> The user should be able to visit multiple sites without the sites
> being able to collude to correlate the data provided by the user. This
> is a weaker requirement than SSU (that is, MSU does not guarantee
> SSU). Again, this protects the user's privacy.
>
> 14. Attack Resistant Credentials (ARC)
> Credentials should be such that the (computationally limited) verifier
> cannot reconstruct the original credential by brute force. Note that
> the impossibility of this may rely on the user choosing strong
> secrets, which is often unlikely, for example where the sole source of
> entropy is a password.
>
> 15. Claim Minimality (CM)
> The ability to show only exactly what is needed, (for example, the
> user is over 21 rather than the user's exact age, or if there are
> multiple claims the ability to show a subset). This improves privacy
> and reduces linkability.
>
> _______________________________________________
> dix mailing list
> [email protected]
> https://www1.ietf.org/mailman/listinfo/dix

_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
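As an added illustration (not code from the thread or from any of the participants), the following Python compares three identifier strategies against requirements 12 (SSU) and 13 (MSU) from the verifier's side: the verifier can only compare the identifiers it receives. The user secret, site names and certificate bytes are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed values: not a real key, not real sites.
USER_SECRET = b"constructed-user-secret-not-a-real-key"
SITES = ["a.example", "b.example"]


def static_cert_id(cert_der: bytes) -> bytes:
    """What a site sees when the same X.509 client cert is presented everywhere:
    a fingerprint that is identical at every site and every visit (neither SSU nor MSU)."""
    return hashlib.sha256(cert_der).digest()


def per_site_id(user_secret: bytes, site: str) -> bytes:
    """Pairwise pseudonym: HMAC of the site name under the user's long-lived secret.
    Stable across visits to one site (SSU fails) but unrelated between sites, so
    colluding sites cannot match records by identifier (MSU holds)."""
    return hmac.new(user_secret, site.encode(), hashlib.sha256).digest()


def per_visit_id() -> bytes:
    """Fresh random value on every visit: the site cannot link two visits (SSU holds).
    Whether the *data* presented alongside it is unique is a separate problem."""
    return secrets.token_bytes(32)


def linkable(id_a: bytes, id_b: bytes) -> bool:
    """The only operation a (colluding) verifier has: compare two received identifiers."""
    return hmac.compare_digest(id_a, id_b)


def evaluate(strategy: str, cert_der: bytes = b"constructed DER bytes") -> dict:
    """Two visits to site A and one to site B; report which pairs a verifier can link."""
    if strategy == "static_cert":
        ids = lambda site: static_cert_id(cert_der)
    elif strategy == "per_site":
        ids = lambda site: per_site_id(USER_SECRET, site)
    elif strategy == "per_visit":
        ids = lambda site: per_visit_id()
    else:
        raise ValueError(f"unknown strategy: {strategy}")
    a1, a2, b1 = ids(SITES[0]), ids(SITES[0]), ids(SITES[1])
    return {
        "same_site_linkable": linkable(a1, a2),   # False means SSU holds
        "cross_site_linkable": linkable(a1, b1),  # False means MSU holds
    }
```

Only the per-visit strategy satisfies both requirements; the per-site pseudonym shows concretely why MSU is weaker than SSU.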
