Ben Laurie blathering

Stefan Brands on Minimal Disclosure

Stefan Brands writes eloquently about the spectrum of uses available when selective disclosure is employed, which I might paraphrase as ranging from “anonymous” to “completely privacy invading”, contrary to many people’s perceptions. Selective disclosure is often seen as a purely privacy-preserving technology; but that misses the point. Selective disclosure allows the full spectrum of options – from nothing at all to everything. Other signature mechanisms and technologies do not. It’s as simple as that.

One thing that intrigues me, though, is his statement at the end: that the issuer has the ability to control what is revealed. I’m dubious about the value of this property. The user should be aware of this control and therefore able to choose whether to show the certificate at all. Similarly, the relying party can refuse to continue the transaction unless his requirements for disclosure are satisfied. What did the identity provider add by having a hand in this decision?

1 Comment

  1. Hi Ben,

    >One thing that intrigues me, though, is
    >his statement at the end: that the issuer
    >has the ability to control what is revealed.
    >I’m dubious about the value of this property.
    >… What did the identity provider add by
    >having a hand in this decision?

    This is really intended as yet another feature that might be useful in certain use cases. Consider the heated debates in many application settings about who “owns” data about a person: the identity provider or the person himself. In reality, “control” over personal information is not a binary matter: different parties may all have some claim of partial control over a particular piece of personal data. “Control” primarily manifests itself as the degree to which the “controller” can determine (or limit) to whom the data can be shown and, more generally, how it can be used. With selective disclosure technology, it is possible for identity providers and users to achieve any desired degree of partial control over the identity data that is contained in a particular identity claim. The user and the identity provider can together set the appropriate degree of “shared control” via the process of digitally signing the identity claim.

    By way of example, a medical professional may not want a patient to be able to selectively disclose some entries in the patient’s portable electronic health record without inevitably also having to disclose certain other information in that record (such as the name of the doctor that provided the particular entry).

    Here’s another example. In the case of electronic cash, which I know you are intimately familiar with, the issuer of e-coins may be fine with users hiding their built-in identifiers when they spend their e-coins, but may want to prevent users from hiding other information that it encodes into the e-coins (such as their denomination and expiry). Building on this example, perhaps the issuer may be OK with allowing users to hide the expiration date and to instead provide a proof that the expiry date has not yet been reached without disclosing the date itself.

    Does that clarify things?

    Comment by Stefan Brands — 25 Jun 2007 @ 20:34
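
The issuer-controlled disclosure in the e-coin example above can be sketched with salted hash commitments; this is an added Python example, not code from the post or from Brands's credential scheme. Assumptions: HMAC with a shared key stands in for the issuer's public-key signature, the attribute names and values are constructed, and hash commitments give neither unlinkable showings nor the proof that an expiry date has not passed.

```python
import hashlib, hmac, json, secrets

# Assumption: an HMAC key stands in for the issuer's signing key.
ISSUER_KEY = secrets.token_bytes(32)

def _commit(name, value, salt):
    return hashlib.sha256(json.dumps([name, value, salt]).encode()).hexdigest()

def _sign(body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()

def issue(attrs, must_disclose):
    """Issuer: sign per-attribute commitments plus the attributes that may never be hidden."""
    salts = {n: secrets.token_hex(16) for n in attrs}
    body = {"commitments": {n: _commit(n, v, salts[n]) for n, v in attrs.items()},
            "must_disclose": sorted(must_disclose)}
    return {"body": body, "sig": _sign(body)}, salts

def present(cred, attrs, salts, reveal):
    """User: open only the chosen commitments; the rest stay hidden."""
    return {**cred, "opened": {n: [attrs[n], salts[n]] for n in reveal}}

def verify(shown):
    """Relying party: return the disclosed attributes or raise ValueError."""
    body = shown["body"]
    if not hmac.compare_digest(shown["sig"], _sign(body)):
        raise ValueError("bad issuer signature")
    missing = sorted(set(body["must_disclose"]) - set(shown["opened"]))
    if missing:
        raise ValueError(f"issuer policy requires disclosure of {missing}")
    disclosed = {}
    for name, (value, salt) in shown["opened"].items():
        expected = body["commitments"].get(name, "")
        if not hmac.compare_digest(_commit(name, value, salt), expected):
            raise ValueError(f"opening for {name!r} does not match")
        disclosed[name] = value
    return disclosed

# Constructed sample e-coin.
COIN = {"holder_id": "alice-0001", "denomination": 10, "expiry": "2008-01-01"}

if __name__ == "__main__":
    cred, salts = issue(COIN, must_disclose=["denomination", "expiry"])
    print(verify(present(cred, COIN, salts, ["denomination", "expiry"])))
    try:
        verify(present(cred, COIN, salts, ["holder_id", "denomination"]))
    except ValueError as err:
        print("rejected:", err)
```

Because the must-disclose list sits inside the signed body, a user who strips it invalidates the signature, so the relying party ends up enforcing a policy that only the issuer could have set.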
