Re: [arch-d] Proposed IAB program on Wholistic Human-Oriented Discussions on Identity Systems (WHODIS)

Toerless Eckert <tte@cs.fau.de> Wed, 28 June 2023 23:00 UTC

Date: Thu, 29 Jun 2023 01:00:07 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Christian Huitema <huitema@huitema.net>, Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org>, "architecture-discuss@ietf.org" <architecture-discuss@ietf.org>
Message-ID: <ZJy7d0CjipV0s1SF@faui48e.informatik.uni-erlangen.de>
References: <47a9db87-9e08-4c7c-c213-68ee36aa0385@lear.ch> <f280e3ff-e498-47e8-aac5-1f320b47c827@betaapp.fastmail.com> <CADNypP_csCfe1W4ZMUhtQkurDKS+=FBDiGY7OaW4b37ipoKckQ@mail.gmail.com> <e553cc3e-5c3e-46e9-baf1-fe41af2e90c1@betaapp.fastmail.com> <CADNypP8WPOoPkFfn5o-dbRB50bXRT2yvhA6Y18RcrkRsJLb14w@mail.gmail.com> <4a2c5184-692b-4e2c-b1e8-7e480c60e897@betaapp.fastmail.com> <DBAPR83MB0422C8933498E0924D2C7F1B9124A@DBAPR83MB0422.EURPRD83.prod.outlook.com> <f669ff24-b9de-f320-4aae-b403903a74aa@huitema.net> <ZJyCp059sflHuQjb@faui48e.informatik.uni-erlangen.de> <CABcZeBP57fQjT2XJDvq1_Cy-wzSMP-oEwYy_0DHWmu1Qzztz0Q@mail.gmail.com>
In-Reply-To: <CABcZeBP57fQjT2XJDvq1_Cy-wzSMP-oEwYy_0DHWmu1Qzztz0Q@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/YzxcUkoCdBSzGKivtjukrDhy6x4>
Subject: Re: [arch-d] Proposed IAB program on Wholistic Human-Oriented Discussions on Identity Systems (WHODIS)

On Wed, Jun 28, 2023 at 12:06:04PM -0700, Eric Rescorla wrote:
> Now we are getting into the actual work, but I think this is a pretty good
> example of the limitations of this kind of anonymous credential.

I am always only getting excited by use-case examples.

> For instance, if you are at a bar and you want to purchase alcohol, the
> person selling it to you needs to know that the person in front of them is old
> enough.  It's not enough to just show them a zero-knowledge proof that your phone has
> a credential proving that you are over 18 (21 in the US) you actually need
> to prove that the person in front of them is over age, which means that the proof
> has to be tied to a biometric (typically a photo). But at that point, the biometric
> is usable for facial recognition even if your name is hidden.

The biometric would be taken by the phone and verified by the trusted third party
(DMV, ...) which then vouches for the "over 18 assertion" against the establishment's
terminal.

Might not even need to have biometric verification if one assumes (IMHO rightfully so),
that the chance of borrowing cell phones to someone else is pretty slim. And even slimmer
when one puts some less intrusive incentives onto the cell phone to not borrow them
for such purpose.

Of course I know this is not only wishful thinking from myself as a half-witted
security interested person. I just have to recollect how Covid certificates on phones
were "verified" at restaurants an eternity, oops: just 2 years! ago. Laughable.

I could have walked into restaurants with a contraption concocted from a cell phone
case, a printout of a random QR code and a backlight. "Look here, photo or QR code".
"Sure, please come in".

> See https://educatedguesswork.org/posts/vaccine-passport-anon/ for some more
> on this general topic, though more about COVID.

Right. See above.
> 
> The systems where this kind of selective proof technology works better are
> those where what's being authenticated is some sort of digital operation.

That's just because the digital operation is software that doesn't need additional
incentives like a door man at a restaurant. But then again, you can turn everything
digital these days by attaching a digital payment operation to it.

> For instance, you might want to prove you are a Netflix subscriber but not have Netflix
> know who is watching what videos. This works because the credential is just tied
> to your device, not to you personally (yes, I know it's more complicated
> than this).

> But it works less well when you have to avoid attacks where one person
> impersonates another.

As soon as you deal with humans there is of course a lot of understanding of human
behavior that one wants to factor into how to design the solution.

Cheers
    Toerless

> -Ekr
> 
> >
> > Not too difficult to imagine how to do this technically, but certainly
> > hard to believe that
> > current business and government entities would design such solution that
> > your
> > privacy / anonymity is maximized.
> >
> > Obviously this is likely also where there might be a commercial interest
> > of sponsors
> > of IETF participants to develop standardized solutions for exactly this
> > type of use cases,
> > but really making sure that those solutions will then still protect your
> > privacy against
> > those commercial entities that contributed to the IETF effort, that is our
> > IETF challenge -
> > or limitation.
> >
> > Cheers
> >     Toerless
> >
> > On Wed, Jun 28, 2023 at 11:25:35AM -0700, Christian Huitema wrote:
> > >
> > >
> > > On 6/28/2023 6:17 AM, Pieter Kasselman wrote:
> > > > Martin, I read the "Human Oriented Discussion" part of the title as a
> > statement about making the discussion accessible to humans (all of us who
> > are not identity experts), not excluding machines (devices and workloads).
> > The proposed program text clearly calls those out as being in scope.
> > > >
> > > > Authorization decisions (part of an identity system) needs to take
> > into account all identities (human and machine) acting on a resource. There
> > are also examples of machine identities accessing sensitive data, even when
> > there is no user present (batch processes for example).
> > > >
> > > > Given the rapid growth of machine identities, the shortage of
> > expertise in the identity field, the rising need for
> > multi-cloud/multi-platform systems (and managing identities in those
> > environments), the move towards least privilege systems and the changing
> > threat landscape (a compromised device identity may be far more impactful
> > than a compromised human identity), this may well be one of the most useful
> > areas of exploration.
> > >
> > > I am worried about "human oriented" for another reason. As EKR said, a
> > lot
> > > of what we handle are "credentials", such as authorizations to use a
> > > particular resource on the Internet. There is of course a lot of work to
> > be
> > > done to properly manage credentials, but moving from "credentials" to
> > "human
> > > oriented identity" implies something else: that a set of credentials is
> > > linked to the identity of a particular human person. And that makes me
> > > shudder, because this ties directly to tracking people activities around
> > the
> > > Internet.
> > >
> > > Separating "credentials" from "human identity" is a pretty important tool
> > > for privacy. It allows people to compartment their activities, so that
> > for
> > > example your activities in a church, in a sport club or in a work place
> > are
> > > not linked. It also allow credentials to be shared by groups of people,
> > so
> > > that outsiders cannot easily track which person in the group engaged in a
> > > specific activity.
> > >
> > > I can see how governments and businesses would like linking credentials
> > to a
> > > specific human person. Advertisements would be so much more relevant!
> > Laws
> > > about viewing ages would be so easier to enforce! The police would be so
> > > much more efficient! Cheating spouses would be so easy to find out! But
> > > then, these very reasons are why "unique Internet identity" is so
> > > controversial.
> > >
> > > If the IAB does proceed with this Human-Oriented Identity program, I sure
> > > hope that treating privacy issues and providing privacy guarantees will
> > be
> > > the number one priority.
> > >
> > > -- Christian Huitema
> > >
> > >
> > > _______________________________________________
> > > Architecture-discuss mailing list
> > > Architecture-discuss@ietf.org
> > > https://www.ietf.org/mailman/listinfo/architecture-discuss
> >
> > --
> > ---
> > tte@cs.fau.de
> >
> >

-- 
---
tte@cs.fau.de
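The flow sketched above (phone proves possession of a registered credential, a trusted third party vouches for a bare "over 18" predicate to the establishment's terminal) can be modelled end to end in a few dozen lines. The following is an added illustration written for this page, not code from the thread or from any real DMV or wallet deployment. It assumes symmetric HMAC keys shared with the TTP at registration time so that it runs on the Python standard library alone; a real system would use per-device asymmetric keys and signed assertions. All party names, dates and identifiers are constructed. Beyond the thread's own scenario it also shows the two limitations raised in the discussion: a borrowed device passes the check, and the TTP necessarily learns which terminal queried which device.

```python
"""Toy online age-assertion flow (constructed example, not from the thread).

Three parties:
  * Device   - the customer's phone, registered with a trusted third party (TTP)
  * TTP      - a DMV-like registry that knows the date of birth behind each device
  * Terminal - the establishment's reader, which only needs an "over 18" answer

All keys are symmetric (HMAC) so the example runs on the Python standard library;
a real deployment would use per-device asymmetric keys and signed assertions.
"""
import hashlib
import hmac
import json
import secrets
from datetime import date

THRESHOLD_YEARS = 18  # constructed threshold; the thread mentions 18 / 21 (US)


def _mac(key: bytes, *parts: bytes) -> bytes:
    # Length-prefix each part so concatenation cannot be ambiguous.
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


def _years_between(dob: date, today: date) -> int:
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


class TTP:
    """Registry: device_id -> (device key, date of birth); terminal_id -> terminal key."""

    def __init__(self):
        self.devices = {}
        self.terminals = {}
        self.query_log = []  # what the TTP inevitably learns (the privacy caveat)

    def register_device(self, device_id: str, dob: date) -> bytes:
        key = secrets.token_bytes(32)
        self.devices[device_id] = (key, dob)
        return key

    def register_terminal(self, terminal_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.terminals[terminal_id] = key
        return key

    def assert_age(self, terminal_id, device_id, nonce, tag, today):
        """Check the device's proof of possession; answer only the boolean predicate."""
        rec = self.devices.get(device_id)
        if rec is None:
            return None
        dev_key, dob = rec
        expected = _mac(dev_key, b"age-check", device_id.encode(), nonce)
        if not hmac.compare_digest(expected, tag):
            return None  # unknown key for this id: forged or unregistered device
        self.query_log.append((terminal_id, device_id))
        body = json.dumps({"over_threshold": _years_between(dob, today) >= THRESHOLD_YEARS}).encode()
        proof = _mac(self.terminals[terminal_id], b"age-answer", nonce, body)
        return body, proof  # no name, no date of birth leaves the TTP


class Device:
    def __init__(self, device_id: str, key: bytes):
        self.device_id, self.key = device_id, key

    def respond(self, nonce: bytes):
        # Proof of possession bound to the terminal's fresh nonce (replay protection).
        return self.device_id, _mac(self.key, b"age-check", self.device_id.encode(), nonce)


class Terminal:
    def __init__(self, terminal_id: str, key: bytes, ttp: TTP):
        self.terminal_id, self.key, self.ttp = terminal_id, key, ttp

    def check(self, device: Device, today: date):
        """Returns True/False for the predicate, or None if the exchange failed."""
        nonce = secrets.token_bytes(16)
        device_id, tag = device.respond(nonce)
        answer = self.ttp.assert_age(self.terminal_id, device_id, nonce, tag, today)
        if answer is None:
            return None
        body, proof = answer
        if not hmac.compare_digest(_mac(self.key, b"age-answer", nonce, body), proof):
            return None  # answer not vouched for by the TTP
        return json.loads(body)["over_threshold"]


def demo(today: date = date(2023, 6, 29)) -> dict:
    ttp = TTP()
    adult = Device("phone-A", ttp.register_device("phone-A", date(2000, 1, 1)))
    minor = Device("phone-B", ttp.register_device("phone-B", date(2010, 1, 1)))
    forged = Device("phone-A", secrets.token_bytes(32))   # knows the id, not the key
    borrowed = Device("phone-A", adult.key)               # the lent-phone problem
    term = Terminal("bar-1", ttp.register_terminal("bar-1"), ttp)
    return {
        "adult": term.check(adult, today),
        "minor": term.check(minor, today),
        "forged": term.check(forged, today),
        "borrowed": term.check(borrowed, today),
        "ttp_sees": ttp.query_log,
    }


if __name__ == "__main__":
    print(demo())
```

The terminal never sees a name or date of birth, only a nonce-bound boolean, which is the selective-disclosure property the thread wants. The two results worth noticing are `borrowed` (whoever holds the registered key is "over 18", since nothing binds the credential to the person) and `ttp_sees` (the registry accumulates a log of which terminal queried which device, the linkability concern Christian raises).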