IETF Logo Mail Archive

Re: [dix] More requirements

"Ben Laurie" <benl@google.com> Sat, 15 July 2006 14:05 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1G1kmB-0008CL-Ep; Sat, 15 Jul 2006 10:05:47 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1G1kmA-00087E-3J for dix@ietf.org; Sat, 15 Jul 2006 10:05:46 -0400
Received: from smtp-out.google.com ([216.239.45.12]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1G1km8-00068Q-Kd for dix@ietf.org; Sat, 15 Jul 2006 10:05:46 -0400
Received: from lois.corp.google.com (lois.corp.google.com [172.24.0.50]) by smtp-out.google.com with ESMTP id k6FE5fOi016175 for <dix@ietf.org>; Sat, 15 Jul 2006 07:05:41 -0700
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=received:message-id:date:from:to:subject:cc:in-reply-to: mime-version:content-type:content-transfer-encoding: content-disposition:references; b=VgcRtlJFVtqfXwe2w68oFW9AP2fYzB9MtLrdrt6+ghHjPCCoPgCsvK9WCvYiSZMCk LNRUHi75quUwuKTwuVqsw==
Received: from smtp-out2.google.com (fpe16.prod.google.com [10.253.5.16]) by lois.corp.google.com with ESMTP id k6FE5edp019898 for <dix@ietf.org>; Sat, 15 Jul 2006 07:05:40 -0700
Received: by smtp-out2.google.com with SMTP id 16so295337fpe for <dix@ietf.org>; Sat, 15 Jul 2006 07:05:40 -0700 (PDT)
Received: by 10.253.14.20 with SMTP id 20mr101227fpn; Sat, 15 Jul 2006 07:05:40 -0700 (PDT)
Received: by 10.253.14.2 with HTTP; Sat, 15 Jul 2006 07:05:40 -0700 (PDT)
Message-ID: <1b587cab0607150705o384f32bbo19c133560df7cbb1@mail.google.com>
Date: Sat, 15 Jul 2006 10:05:40 -0400
From: Ben Laurie <benl@google.com>
To: Digital Identity Exchange <dix@ietf.org>
Subject: Re: [dix] More requirements
In-Reply-To: <9A93CC39-8708-4898-AC1E-1688761BA865@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <1b587cab0607131743g36c96314ta9b3a0a90aa871e0@mail.google.com> <9A93CC39-8708-4898-AC1E-1688761BA865@cisco.com>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 244a2fd369eaf00ce6820a760a3de2e8
Cc: IETF HTTP Auth <ietf-http-auth@lists.osafoundation.org>
X-BeenThere: dix@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Digital Identity Exchange <dix@ietf.org>
List-Id: Digital Identity Exchange <dix.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dix>, <mailto:dix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/dix>
List-Post: <mailto:dix@ietf.org>
List-Help: <mailto:dix-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dix>, <mailto:dix-request@ietf.org?subject=subscribe>
Errors-To: dix-bounces@ietf.org

On 7/15/06, Paul Gleichauf <pgleicha@cisco.com> wrote:
> I have missed significant parts of this thread, but is there
> assurance that these are in fact computationally feasible?
>
> There are cases where such guarantees are often found possible to
> break in unanticipated ways. Recently the focus is on medical records
> and the ability to identify a specific person in a large population
> when an anonymization algorithm had been appropriately applied by
> correlating data from a variety of sources.  Below is one set of
> citations often cross referenced in this area:
>
> http://lab.privacy.cs.cmu.edu/people/sweeney/confidentiality.html

I explicitly stated that these kinds of attacks were out of scope. I'm
talking about the avoidable kind of linkage, for example where you
present the same X.509 client cert everywhere.

>
> Paul
>
> On Jul 13, 2006, at 5:43 PM, Ben Laurie wrote:
>
> > On the plane to IETF I realised that there were several more potential
> > requirements to add to ekr's list:
> >
> > 12. Single Site Unlinkability (SSU)
> > The user should be able to visit the same site multiple times without
> > the site being able to tell that it is the same user, even if the user
> > is, for example, asserting the same external claims each time. This
> > protects the user's privacy. Obviously if data provided by the user is
> > unique to that user (for example, age and address combined are often
> > sufficient to uniquely identify a person) then no amount of cleverness
> > can provide SSU, but SSU should be available to the extent permitted
> > by the uniqueness of the data provided.
> >
> > 13. Multiple Site Unlinkability (MSU)
> > The user should be able to visit multiple sites without the sites
> > being able to collude to correlate the data provided by the user. This
> > is a weaker requirement than SSU (that is, MSU does not guarantee
> > SSU). Again, this protects the user's privacy.
> >
> > 14. Attack Resistant Credentials (ARC)
> > Credentials should be such that the (computationally limited) verifier
> > cannot reconstruct the original credential by brute force. Note that
> > the impossibility of this may rely on the user choosing strong
> > secrets, which is often unlikely, for example where the sole source of
> > entropy is a password.
> >
> > 15. Claim Minimality (CM)
> > The ability to show only exactly what is needed, (for example, the
> > user is over 21 rather than the user's exact age, or if there are
> > mutlple claims the ability to show a subset). This improves privacy
> > and reduces linkability.
> >
> > _______________________________________________
> > dix mailing list
> > dix@ietf.org
> > https://www1.ietf.org/mailman/listinfo/dix
>
> _______________________________________________
> dix mailing list
> dix@ietf.org
> https://www1.ietf.org/mailman/listinfo/dix
>

_______________________________________________
dix mailing list
dix@ietf.org
https://www1.ietf.org/mailman/listinfo/dix

v2.23.0 | Report a Bug | By Email