Re: [arch-d] Proposed IAB program on Wholistic Human-Oriented Discussions on Identity Systems (WHODIS)

[Eric Rescorla <ekr@rtfm.com>]

On Wed, Jun 28, 2023 at 4:00 PM Toerless Eckert <tte@cs.fau.de> wrote:

> On Wed, Jun 28, 2023 at 12:06:04PM -0700, Eric Rescorla wrote:
> > Now we are getting into the actual work, but I think this is a pretty
> good
> > example of the limitations of this kind of anonymous credential.
>
> I am always only getting excited by use-case examples.
>
> > For instance, if you are at a bar and you want to purchase alcohol, the
> > person selling it to you needs to know that the person in front of them
> is old
> > enough.  It's not enough to just show them a zero-knowledge proof that
> your phone has
> > a credential proving that you are over 18 (21 in the US) you actually
> need
> > to prove that the person in front of them is over age, which means that
> the proof
> > has to be tied to a biometric (typically a photo). But at that point,
> the biometric
> > is usable for facial recognition even if your name is hidden.
>
> The biometric would be taken by the phone and verified by the trusted
> third party
> (DMV, ...) which then vouches for the "over 18 assertion" against the
> establishments
> terminal.
>
> Might not even need to have biometric verification if one assumes (IMHO
> rightfully so),
> that the chance of borrowing cell phones to someone else is pretty slim.
> And even slimmer
> when one puts some less intrusive incentives onto the cell phone to to not
> borrow them
> for such purpose.
>

I go into some detail into why the practice you are describing is not secure
in the post I linked to, so I won't bother going into it here.


Of course i know this is not only wishfull thinking from myself as a
> half-witted
> security interested person. I just have to recollect how Covid
> certificates on phones
> where "verified" at restaurants an eternity, oops: just 2 years! ago.
> Laughable.
>
> I could have walked into restaurants with a contraption concocted from a
> cell phone
> case, a printout of a random QR code and a backlight. "Look here, photo or
> QR code".
> "Sure, please come in".
>

Yes, this practice is not secure, and I think in part reflected that the
establishments in question didn't really care about COVID vaccination.
But they do care about checking IDs--or at least they do care in
places where the laws are strict.



>
>
> > The systems where this kind of selective proof technology works better
> are
> > those where what's being authenticated is some sort of digital operation.
>
> Thats just because the digital operation is software that doesn't need
> additional
> incentives like a door man at a restaurant. But then again, you can turn
> everything
> digital these days by attaching a digital payment operation to it.
>

No, that's not the reason. The reason is that the good that is being
delivered
is digital and therefore that you don't need to bind it to a human.

-Ekr


> > For  instance,  you might want to prove you are a Netflix subscriber but
> not have Netflix
> > know who is watching what videos. This works because the credential is
> just tied
> > to your device, not to you personally (yes, I know it's more complicated
> > than this).
>
> > But it works less well when you have avoid attacks where one person
> > impersonates another.
>
> As soon as you deal with humans there is of course a lot of understanding
> of human
> behavior that one wants to factor into how to design the solution.
>
> Cheers
>     Toerless
>
> > -Ekr
> >
> > >
> > > Not too difficult to imagine how to do this technically, but certainly
> > > hard to believe that
> > > current business and government entities would design such solution
> that
> > > your
> > > privacy / anonymity is maximized.
> > >
> > > Obviously this is likely also where there might be a commercial
> interest
> > > of sponsors
> > > of IETF participants to develop standardized solutions for exactly this
> > > type of use cases,
> > > but really making sure that those solutions will then still protect
> your
> > > privacy against
> > > those commercial entities that contributed to the IETF effort, that is
> our
> > > IETF challenge -
> > > or limitation.
> > >
> > > Cheers
> > >     Toerless
> > >
> > > On Wed, Jun 28, 2023 at 11:25:35AM -0700, Christian Huitema wrote:
> > > >
> > > >
> > > > On 6/28/2023 6:17 AM, Pieter Kasselman wrote:
> > > > > Martin, I read the "Human Oriented Discussion" part of the title
> as a
> > > statement about making the discussion accessible to humans (all of us
> who
> > > are not identity experts), not excluding machines (devices and
> workloads).
> > > The proposed program text clearly calls those out as being in scope.
> > > > >
> > > > > Authorization decisions (part of an identity system) needs to take
> > > into account all identities (human and machine) acting on a resource.
> There
> > > are also examples of machine identities accessing sensitive data, even
> when
> > > there is no user present (batch processes for example).
> > > > >
> > > > > Given the rapid growth of machine identities, the shortage of
> > > expertise in the identity field, the rising need for
> > > multi-cloud/multi-platform systems (and managing identities in those
> > > environments), the move towards least privilege systems and the
> changing
> > > threat landscape (a compromised device identity may be far more
> impactful
> > > than a compromised human identity), this may well be one of the most
> useful
> > > areas of exploration.
> > > >
> > > > I am worried about "human oriented" for another reason. As EKR said,
> a
> > > lot
> > > > of what we handle are "credentials", such as authorizations to use a
> > > > particular resource on the Internet. There is of course a lot of
> work to
> > > be
> > > > done to properly manage credentials, but moving from "credentials" to
> > > "human
> > > > oriented identity" implies something else: that a set of credentials
> is
> > > > linked to the identity of a particular human person. And that makes
> me
> > > > shudder, because this ties directly to tracking people activities
> around
> > > the
> > > > Internet.
> > > >
> > > > Separating "credentials" from "human identity" is a pretty important
> tool
> > > > for privacy. It allows people to compartment their activities, so
> that
> > > for
> > > > example your activities in a church, in a sport club or in a work
> place
> > > are
> > > > not linked. It also allow credentials to be shared by groups of
> people,
> > > so
> > > > that outsiders cannot easily track which person in the group engaged
> in a
> > > > specific activity.
> > > >
> > > > I can see how governments and businesses would like linking
> credentials
> > > to a
> > > > specific human person. Advertisements would be so much more relevant!
> > > Laws
> > > > about viewing ages would be so easier to enforce! The police would
> be so
> > > > much more efficient! Cheating spouses would be so easy to find out!
> But
> > > > then, these very reasons are why "unique Internet identity" is so
> > > > controversial.
> > > >
> > > > If the IAB does proceed with this Human-Oriented Identity program, I
> sure
> > > > hope that treating privacy issues and providing privacy guarantees
> will
> > > be
> > > > the number one priority.
> > > >
> > > > -- Christian Huitema
> > > >
> > > >
> > > > _______________________________________________
> > > > Architecture-discuss mailing list
> > > > Architecture-discuss@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/architecture-discuss
> > >
> > > --
> > > ---
> > > tte@cs.fau.de
> > >
> > > _______________________________________________
> > > Architecture-discuss mailing list
> > > Architecture-discuss@ietf.org
> > > https://www.ietf.org/mailman/listinfo/architecture-discuss
> > >
>
> --
> ---
> tte@cs.fau.de
>