- From: Kazue Sako <
>
- To: "Chasen, Les" <
>, Andy Jennings <
>
- Cc: Doc Searls <
>, Dan Miller <
>, ProjectVRM list <
>
- Subject: RE: [projectvrm] IBM's Identity Mixer
- Date: Fri, 6 Feb 2015 07:41:34 +0000
- Accept-language: ja-JP, en-US
Andy,
>
(Kazue, please correct me if I got anything wrong. :) )
You've got it totally right.
>
Now I want to take an attestation from vendor A that I pay my bills on time
>
and show it to vendor B (without A and B being able to compare records and
>
see that I'm the same person).
Just to clarify this part, B knows that I'm someone that pay my bills on time
for A, but B (nor A, even if A and B colluded) would not know exactly who I
am in A's record.
Les,
>
It would be ideal if this started from your own personally controlled
>
database aka a personal cloud.
Indeed!
>
For example, yes i am over 21years old or yes i have a history of paying my
>
bills on time.
The scheme ensures that what my personal cloud says is not a makeup but is
indeed backed-up by some authority. (for example, Bill part is ensured/signed
by A.)
Yet if both A and B know my cloud name, that may be the information to link
my record in A and B. That part need to be covered somehow.
=Kazue
-----Original Message-----
From: Chasen, Les
[mailto:
]
Sent: Monday, February 02, 2015 1:05 AM
To: Andy Jennings; Sako Kazue(佐古 和恵)
Cc: Doc Searls; Dan Miller; ProjectVRM list
Subject: Re: [projectvrm] IBM's Identity Mixer
It would be ideal if this started from your own personally controlled
database aka a personal cloud. One of the many great use cases is the
ability for a vendor (or any entity) to ask a question and for you, via your
personal cloud, to respond with a validated answer. For example, yes i am
over 21years old or yes i have a history of paying my bills on time.
From: Andy Jennings
<
>
Date: Sunday, February 1, 2015 at 3:34 AM
To: Kazue Sako
<
>
Cc: Doc Searls
<
>,
Dan Miller
<
>,
ProjectVRM list
<
>
Subject: Re: [projectvrm] IBM's Identity Mixer
I convened a session on this stuff at the last IIW
(
http://iiw.idcommons.net/The_State_of_Anonymous_Credentials_%28discussion%29
<
https://urldefense.proofpoint.com/v2/url?u=http-3A__iiw.idcommons.net_The-5FState-5Fof-5FAnonymous-5FCredentials-5F-2528discussion-2529&d=AwMFaQ&c=MOptNlVtIETeDALC_lULrw&r=GmIkFYB5mJUePL-AjY1Dc16uEHcEGn7VgNAWW67Dwz0&m=JU5pwwEbXJz85yolZ3CNMpt3tuB5HtahVcLOVq5eEdE&s=9OcKXkn7p_uRIxldwmqXvxf2YTxt5_H_u3p7xm3NQEE&e=>
)
Here is my take on Identity Mixer: It is the real thing, not
marketing fluff. Real working code and real cryptography. A great fit for
the VRM community.
Suppose I want the ability to interact with vendor A anonymously.
Public-key cryptography can give me that. I also want to interact with
vendor B anonymously, but I don't want A and B to be able to compare records
and see that I'm the same person, so I use a different key pair when I'm
dealing with vendor B. Now I want to take an attestation from vendor A that
I pay my bills on time and show it to vendor B (without A and B being able to
compare records and see that I'm the same person). This is impossible with
vanilla PKP.
I could pass an attestation through some trusted central authority to
anonymize it. (I believe there are people creating such central authorities
in the VRM community already.)
Or I can use "pseudonymous cryptography" to do it without a central
authority. Brilliant! Cryptographers like Kazue and Anna Lysyanskaya are
working on the cryptography for this. IBM's Identity Mixer and Microsoft's
uProve are frameworks to implement this cryptography.
The problem is that organizations have no incentive to use
pseudonymous cryptography. They know who all their employees and their
customers are. And if they need some interactions to be anonymous, it's much
easier to go the "anonymity through a trusted central authority" route. Who
is the central authority? They are, of course!
So Identity Mixer and uProve are not getting much implementation.
There's not much demand for them from businesses.
To be useful, this stuff needs to be put into software or hardware
that is used by the masses (if it's not too complicated for them). Web
browsers? Ubikeys? Bitcoin wallets? VRM agents?
But I do think it is the future of the VRM movement...
~ Andy
(Kazue, please correct me if I got anything wrong. :) )
On Sat, Jan 31, 2015 at 4:46 PM, Kazue Sako
<
>
wrote:
Doc, this is what I (as cryptographer) had worked for many
years and would be great if the idea is enhanced here.
The cryptograpic algorithm is developed to enpower
individuals, but as we need to motivate industry we often emphasize companies
merits.
I'm happy to explain more in detail from my computer perhaps
tommorrow. Currently I only have a mobile phone but I couldnot stop myself
from speaking up!
=Kazue
Kazue Sako
Sent via Mobile Portal
>Here is the original:
>
><
http://www.net-security.org/secworld.php?id=17881
<
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.net-2Dsecurity.org_secworld.php-3Fid-3D17881&d=AwMFaQ&c=MOptNlVtIETeDALC_lULrw&r=GmIkFYB5mJUePL-AjY1Dc16uEHcEGn7VgNAWW67Dwz0&m=JU5pwwEbXJz85yolZ3CNMpt3tuB5HtahVcLOVq5eEdE&s=2wl3NxZSCyiPfDMNEzZ4aWeKkMsPjQHDW1zq9dLYk-4&e=>
>
>
>Comments inline below...
>
>> IBM's sophisticated cryptographic algorithm protects your
identity
>> Posted on 28 January 2015.
>>
>> IBM researchers revealed plans for a cloud-based
technology,
>
>Speaking personally, I don't want my identity in anybody's
cloud other than my own. I don't mind companies authenticating me, or
attesting to some of my credentials. But from the start I've had a problem
with the notion that somebody other than me is an "identity provider," aka
IDP. Just saying.
>
>> called Identity Mixer, that uses a cryptographic algorithm
to encrypt the certified identity attributes of a user, such as their age,
nationality, address and credit card number in a way that allows the user to
reveal only selected pieces to third parties.
>
>Selective disclosure has always been good.
>
>> Identity Mixer can be used within a digital wallet, which
contains credentials certified by a trusted third party, such as a
government-issued electronic identity card. It’s important to note that the
issuer of the credentials has no knowledge of how and when they are being
used.
>
>That's good, but wallets should be personal. We haven't seen
a personal wallet yet. And we need one. More on that, in reverse chron order:
>
>
<http://blogs.law.harvard.edu/doc/2015/01/27/maybe-wallets-cant-be-apps/
<
https://urldefense.proofpoint.com/v2/url?u=http-3A__blogs.law.harvard.edu_doc_2015_01_27_maybe-2Dwallets-2Dcant-2Dbe-2Dapps_&d=AwMFaQ&c=MOptNlVtIETeDALC_lULrw&r=GmIkFYB5mJUePL-AjY1Dc16uEHcEGn7VgNAWW67Dwz0&m=JU5pwwEbXJz85yolZ3CNMpt3tuB5HtahVcLOVq5eEdE&s=KecwPMmSUfKQWOljL_aFGt6CHaUt7sMfzeHNFpjcHNE&e=>
>
>
<http://blogs.law.harvard.edu/vrm/2011/08/28/circling-around-your-wallet/
<
https://urldefense.proofpoint.com/v2/url?u=http-3A__blogs.law.harvard.edu_vrm_2011_08_28_circling-2Daround-2Dyour-2Dwallet_&d=AwMFaQ&c=MOptNlVtIETeDALC_lULrw&r=GmIkFYB5mJUePL-AjY1Dc16uEHcEGn7VgNAWW67Dwz0&m=JU5pwwEbXJz85yolZ3CNMpt3tuB5HtahVcLOVq5eEdE&s=aaqiwbA9fTNxt6stAvpe1h9nHmdYSpTKRYWtHbn78bo&e=>
>
>
<http://blogs.law.harvard.edu/vrm/2011/05/27/googles-wallet-and-vrm/
<
https://urldefense.proofpoint.com/v2/url?u=http-3A__blogs.law.harvard.edu_vrm_2011_05_27_googles-2Dwallet-2Dand-2Dvrm_&d=AwMFaQ&c=MOptNlVtIETeDALC_lULrw&r=GmIkFYB5mJUePL-AjY1Dc16uEHcEGn7VgNAWW67Dwz0&m=JU5pwwEbXJz85yolZ3CNMpt3tuB5HtahVcLOVq5eEdE&s=aRkNmfb-WlZW-Vnq4-wA-646bycCJSvSmXiDWPR1ICU&e=>
>
>
>> “Identity Mixer enables users to choose precisely which
data to share, and with whom”, said Christina Peters, IBM’s Chief Privacy
Officer. “Now web service providers can improve their risk profile and
enhance trust with customers, and it’s all in the cloud, making it easy for
developers to program.”
>
>Note that this is about service providers, rather than
individuals. So it still sounds like it's on the administrative side of the
administrative/sovereign divide.
>
>But ... could be it's not. I do believe there are identity
services that do not require storing one's personal stuff, or credentials,
outside one's zone of control.
>
>> According to comScore, the average person spends nearly 25
hours per month using the Internet, accessing dozens of different Internet
services, including banking, shopping and social networks. For virtually
every service, users have to create a personal profile with a username and
password ? or for stronger security ? cryptographic certificates. Although
such tools can offer sufficient security for many purposes, they do not
typically provide any level of privacy for the users, causing them to reveal
more personal data than is necessary, which can be costly if it falls into
the wrong hands.
>
>That's one problem. Another is that the individual has no
one way to deal with all of those different service providers. There are as
many different systems as providers, and one cannot scale across all of them
in a single way.
>
>> “We wanted individuals to have control over what they
reveal about themselves,”said, Dr. Anna Lysyanskaya, a co-inventor of
Identity Mixer, who is currently a professor of computer science at Brown
University. “With Identity Mixer now in the cloud, developers have a very
strong cryptographic tool that makes privacy practical; it is a piece of
software that you can incorporate into any identity management service
enabling the service to verify that an individual is an authorized user
without revealing any other personal information."
>
>Again, meat for from vendors, with some gravy for the
individual. Do I have that right?
>
>> European and Australian pilot programs demonstrate
Identity Mixer potential
>>
>> To demonstrate the new cloud version of Identity Mixer,
IBM scientists are collaborating with academic and industrial partners in
Europe and Australia in a new pilot project called Authentication and
Authorization for Entrusted Unions (AU2EU). In a two-year, 8.6-million euro
pilot, scientists will test Identity Mixer in two scenarios: in Germany with
the Deutsches Rotes Kreuz (DRK, or the German Red Cross), and with the
Commonwealth Scientific and Industrial Research Organisation (CSIRO),
Australia’s national science agency.
>>
>> As a major provider for regional home emergency call and
social services in Germany, the DRK delivers tailored social care services to
their customers 24/7, including emergency services, assisted mobility,
housekeeping and nursing assistance. The organization has four million
volunteers and professional staff, 52 hospitals and more than 500 nursing
homes operated worldwide.
>>
>> In the AU2EU pilot, 20 DRK test participants in the
southwest of Germany will be equipped with sensors for in-home activity and
status monitoring. The data gathered from these sensors will be transferred
to a dedicated cloud server, where the data will be analyzed to determine the
type of assistance required. In addition, DRK field representatives will be
provided with a mobile device to collect and register sensitive customer
data, such as medical records, medication and family contacts, to establish a
service contract. Identity Mixer will be used to keep all of this data
confidential and private. The technology will be implemented by NEC Europe
and Tunstall Healthcare.
>>
>> A second pilot will support one of the keys to Australia’s
agricultural productivity and related export trade: its freedom from exotic
diseases, particularly in animals. To maintain the nation’s disease-free
status, the Australian government, along with key partners, has developed an
emergency rapid response plan to take action quickly before an outbreak
spreads. This plan involves swiftly bringing together government, academic
and other research organizations, along with industry partners into a secure,
trustworthy online collaborative environment that facilitates evidence-based
decision making. Using Identity Mixer, the pilot will help facilitate the
secure sharing of sensitive information in a timely matter across several
remote locations and among collaborating partners.
>
>Why not try to partner with startups (or mature companies)
here? Would anybody here be interested in that?
>
>Doc
>
>
>> On Jan 30, 2015, at 2:44 PM, Dan Miller
<
>
wrote:
>>
>>
https://www.evernote.com/shard/s52/sh/b5f6c04e-dcb8-4dc3-afa4-99f6844751a9/d975dc8e83de6c2430be9b02282de65e
<
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.evernote.com_shard_s52_sh_b5f6c04e-2Ddcb8-2D4dc3-2Dafa4-2D99f6844751a9_d975dc8e83de6c2430be9b02282de65e&d=AwMFaQ&c=MOptNlVtIETeDALC_lULrw&r=GmIkFYB5mJUePL-AjY1Dc16uEHcEGn7VgNAWW67Dwz0&m=JU5pwwEbXJz85yolZ3CNMpt3tuB5HtahVcLOVq5eEdE&s=739_KJoVIFCbLvjObbKrdmLm-KwbDecjK9y6IgteqdQ&e=>
>>
>> I'm not sure what to make of this. It's all geek to me,
but IBM's research is using a "cryptographic algorithm" to make it possible
for me to protect my privacy.
>>
>> To wit:
>>
>> “We wanted individuals to have control over what they
reveal about themselves,”said, Dr. Anna Lysyanskaya, a co-inventor of
Identity Mixer, who is currently a professor of computer science at Brown
University. “With Identity Mixer now in the cloud, developers have a very
strong cryptographic tool that makes privacy practical; it is a piece of
software that you can incorporate into any identity management service
enabling the service to verify that an individual is an authorized user
without revealing any other personal information."
Archive powered by MHonArc 2.6.19.