Re: [Cfrg] ZKP for proving ownership of a credential
Paul Lambert <paul@marvell.com> Wed, 03 June 2015 02:33 UTC
Return-Path: <paul@marvell.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEF4C1B2C09 for <cfrg@ietfa.amsl.com>; Tue, 2 Jun 2015 19:33:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.433
X-Spam-Level:
X-Spam-Status: No, score=0.433 tagged_above=-999 required=5 tests=[BAYES_50=0.8, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qnPSDPl1YTEF for <cfrg@ietfa.amsl.com>; Tue, 2 Jun 2015 19:33:49 -0700 (PDT)
Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1721C1B2BE5 for <cfrg@irtf.org>; Tue, 2 Jun 2015 19:33:49 -0700 (PDT)
Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.14.5/8.14.5) with SMTP id t532XWOW024768; Tue, 2 Jun 2015 19:33:45 -0700
Received: from sc-exch02.marvell.com ([199.233.58.182]) by mx0b-0016f401.pphosted.com with ESMTP id 1usqkvg58v-1 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT); Tue, 02 Jun 2015 19:33:45 -0700
Received: from SC-EXCH03.marvell.com (10.93.176.83) by SC-EXCH02.marvell.com (10.93.176.82) with Microsoft SMTP Server (TLS) id 15.0.1044.25; Tue, 2 Jun 2015 19:33:43 -0700
Received: from SC-EXCH03.marvell.com ([fe80::6cb0:4dfa:f3f3:b8b6]) by SC-EXCH03.marvell.com ([fe80::6cb0:4dfa:f3f3:b8b6%24]) with mapi id 15.00.1044.021; Tue, 2 Jun 2015 19:33:43 -0700
From: Paul Lambert <paul@marvell.com>
To: Manu Sporny <msporny@digitalbazaar.com>, Crypto Forum Research Group <cfrg@irtf.org>
Thread-Topic: [Cfrg] ZKP for proving ownership of a credential
Thread-Index: AQHQnaONdbS/nROpr0ixPwGVlNXqzZ2aECGA
Date: Wed, 03 Jun 2015 02:33:43 +0000
Message-ID: <D193B311.6A3A7%paul@marvell.com>
References: <556E63DB.8090904@digitalbazaar.com>
In-Reply-To: <556E63DB.8090904@digitalbazaar.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.5.0.150423
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.94.250.30]
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <82CA56AA5A92714B8959F15B02FA8D86@marvell.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.14.151, 1.0.33, 0.0.0000 definitions=2015-06-03_02:2015-06-02,2015-06-03,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1402240000 definitions=main-1506030034
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/3lQoBf2HvTdT_EVUBHbSqwcL5WA>
Subject: Re: [Cfrg] ZKP for proving ownership of a credential
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jun 2015 02:33:50 -0000
On 6/2/15, 7:18 PM, "Manu Sporny" <msporny@digitalbazaar.com> wrote: >Hi all, > >I'm currently involved in some work in a Community Group at W3C called >the Credentials CG as well as the Web Payments Interest Group at W3C. An >executive summary of what the Credentials CG is trying to do is here: > >https://docs.google.com/document/d/1Nq543-Am1hQUIZ2hhzAFl8KexvIEBwDDc_f3Ik >z1opQ/edit > >We have a subset of credentials, like proof of citizenship ("this person >is a citizen of the United Kingdom") and proof of age ("this person is >above the age of 21"), that we believe could be asserted without leaking >information that could be used by colluding websites* to identify the >individual with the credential. We're trying to avoid having a single >identifier associated w/ these credentials that can be used to track >individuals between sites. > >Clearly, at some point it's impossible to protect the privacy of the >individual or organization because information like a government issued >ID or name is shared in the credential. However, those are not the use >cases we're focused on with this particular question. > >We have a hunch that perhaps some form of Zero Knowledge Proof could be >used with the credential, such that: > >1. The issuer of the credential (a government) could issue a > credential to a recipient (a citizen). The credential would > contain an assertion (this person is a citizen of the United > Kingdom). The credential would also contain a credential-specific > ZKP algorithm and some public ZKP initialization vectors of some > kind. >2. The recipient (the citizen) would separate out the /private/ > credential-specific ZKP algorithm and store it. The recipient > would also store the /public/ credential with ZKP initialization > vectors. >3. A verifier (3rd party website, like the BBC) would then request > a credential proving UK citizenship. Unless the credential is different each time it is provided to a third party the recipient is trackable. This problem has been Œsolved' to some degree by P1609.2 for automotive applications. Paul >The recipient and verifier > would then go through a number of ZKP iterations until the > verifier was satisfied. > >The end result is that the recipient has proven their citizenship while >the verifier has ensured that it checked this particular property of an >individual before delivering a service to them. > >Unfortunately, we don't have any experts in ZKPs in the group and need >to have a chat with someone that is an expert. Preferably, someone that >knows if it is possible to construct a ZKP that could be used in this way. > >If there is a more promising cryptographic approach than using a ZKP, >we'd love to hear about that as well. Any ideas? > >-- manu > >* The one big caveat to this is that a simple ask of an email address, > browser fingerprinting, supercookies, defeats this mechanism. > However, I believe our mandate in the future is going to be > "don't make privacy worse on the Web". > >-- >Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny) >Founder/CEO - Digital Bazaar, Inc. >blog: Web Payments: The Architect, the Sage, and the Moral Voice >https://manu.sporny.org/2015/payments-collaboration/ > >_______________________________________________ >Cfrg mailing list >Cfrg@irtf.org >http://www.irtf.org/mailman/listinfo/cfrg
- [Cfrg] ZKP for proving ownership of a credential Manu Sporny
- Re: [Cfrg] ZKP for proving ownership of a credent… Paul Lambert
- Re: [Cfrg] ZKP for proving ownership of a credent… Manu Sporny
- Re: [Cfrg] ZKP for proving ownership of a credent… William Whyte
- Re: [Cfrg] ZKP for proving ownership of a credent… Tony Arcieri
- Re: [Cfrg] ZKP for proving ownership of a credent… Alec Edgington
- Re: [Cfrg] ZKP for proving ownership of a credent… Paul Lambert
- Re: [Cfrg] ZKP for proving ownership of a credent… Tony Arcieri
- Re: [Cfrg] ZKP for proving ownership of a credent… David Jacobson
- Re: [Cfrg] ZKP for proving ownership of a credent… Vadym Fedyukovych