Kim has a couple of posts responding to my paper on selective disclosure and my claim that CardSpace does not obey his fourth law.
First off, Kim thinks I shouldn’t say unlinkability and verifiability are things that an identity system should be required to support, on the basis that sometimes you want to be linked, and sometimes you don’t need verification. Well, of course … perhaps he didn’t notice that I said “here are three properties assertions must be able to have” – I didn’t say that every assertion should have these properties.
He also does not like this statement
Note a subtle but important difference between Kimâ€™s laws and mine â€“ he talks about identifiers whereas I talk about assertions. In an ideal world, assertions would not be identifiers; but it turns out that in practice they often are.
He claims that, in fact, his laws are about assertions. Allow me to quote his fourth law in full
A universal identity system must support both â€œomni-directionalâ€ identifiers for use by public entities and â€œunidirectionalâ€ identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.
You will note that this law talks about identifiers. Not identities. Not assertions. The point I am trying to make is that assertions are identifiers when they are signed using conventional signatures. This is because each time a signed assertion is presented it is identical to the last time it was presented, and different from all other signed assertions (since it must be linked to the identity of the subject of the assertion, or it is useless). The very core of my argument is that unless assertions are unlinkable, then they are identifiers – and, what’s more, they are omnidirectional identifiers. Therefore the “identity metasystem” as currently implemented cannot obey Kim’s fourth law.
Finally, he attempts to show that I am wrong about this claim, with the following argument
How does CardSpace hide the identity of the relying party? It associates some random information – unknown to the identity provider – with each Information Card. Then it hashes this random information (letâ€™s call it a â€œsaltâ€) with the identity of the site being visited. That is conveyed to the identity provider instead of the identity of the site. We call it the â€œClient Pseudonymâ€. Unlike a Liberty Alliance client pseudomym, the identity provider doesnâ€™t know what relying party a client pseudonym is associated with.
The identity provider can use this value to determine that the user is returning to some site she has visited before, but has no idea which site that would be. Two users going to the same site would have cards containing different random information. Meanwhile, the Relying Party does not see the client pseudonym and has no way of calculating what client pseudonym is associated with a given user.
Of course, if the identity provider and the relying party never talk to each other, then this works just fine. But clearly it is easy for the two of them to put their heads together and find out who the user is. I require unlinkability even if everyone gangs up to track the user. So, this argument totally fails to satisfy my requirement.
I’m looking forward to the next post in Kim’s series…
The question now becomes that of how identity providers behave. Given that suddenly they have no visibility onto the relying party, is linkability still possible? Iâ€™ll discuss this next.