The Identity Corner

More on minimal disclosure tokens

Kim Cameron is continuing his excellent educational series on unlinkability; see here, here, here, here, and here. Kim proposes to use the term “minimal disclosure tokens” for what I referred to as minimal disclosure certificates, which I am happy to go along with. (Coincidentally, Credentica’s technology for minimal disclosure centers on what we call “ID Tokens”.) Since several commenters on Kim’s posts continue to be confused about what Kim is getting at, let me add the following observation to the discussion:

Minimal disclosure tokens are not about forcing anonymity and unlinkability upon interacting participants. They are about ensuring that identity claims do not convey any identity-related information beyond the attribute statements they contain.

If, for example, the identity provider and the relying party need to agree on a common “user handle”, then the identity provider should explicitly insert that handle into the identity claim as an attribute statement. As such, minimal disclosure technology is not a complementary approach to standard technology for signing identity claims. Instead, it is a digital signing technology that provides a large superset of the basic functionalities of standard signature technology. By virtue of this, minimal disclosure technology supports the largest possible set of use cases, ranging from unconditional anonymity use cases on the one end to strong omni-directional identification use cases at the other, and anything in between.

Discussions as to whether the presence of inescapable universal identifiers (i.e., RSA/DSA signatures made by identity providers) in protected identity claims is good or bad when using standard signing technology are ultimately beside the point. This is like having endless discussions about whether or not having the user’s shoe size or hair color present in identity claims is a good or a bad thing in the case of a hypothetical signing technology that inescapably encodes these attributes as an unintended side effect. A signing technology for identity claims should simply not inescapably encode anything that is not explicitly inserted in the form of attribute statements.
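To make the “inescapable identifier” point concrete, here is an added example (not code from this post, from Kim’s series, or from Credentica’s ID Token technology). It uses a textbook Chaum-style RSA blind signature as a stand-in for a minimal disclosure signing mechanism, with a constructed toy key built from two Mersenne primes so the arithmetic is checkable by hand; the key, the attribute values, and all function names are assumptions for the demonstration. With an ordinary signature, the issuer computes the very value the relying party later receives, so the signature itself is a correlation handle between issuance and use. With the blinded variant, the issuer only ever records a blinded digest, and the relying party still verifies exactly the attribute statements that were inserted. If the parties want a shared handle, it goes in as an explicit attribute, as the post argues.

```python
"""Constructed demonstration: an issuer signature as an inescapable identifier,
versus a blind signature that lets the issuer sign attribute statements without
learning the value the relying party will see. Toy RSA parameters; not a real
scheme and not Credentica's mechanism."""
import hashlib
import json
import secrets
from math import gcd
from typing import Optional

# Constructed toy key: p = 2^31 - 1 and q = 2^61 - 1 are both prime.
# Far too small for any real use; chosen so the example is self-checking.
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # gcd(E, phi(N)) == 1 for these primes


def claim_digest(attributes: dict) -> int:
    """Canonical hash of the attribute statements, reduced into Z_N."""
    data = json.dumps(attributes, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def verify(attributes: dict, signature: int) -> bool:
    """Relying-party check: signature^E == H(attributes) (mod N)."""
    return pow(signature, E, N) == claim_digest(attributes)


# --- Standard signing: the issuer computes, and so can record, the final signature.
def standard_issue(attributes: dict, issuer_log: list) -> int:
    sig = pow(claim_digest(attributes), D, N)
    issuer_log.append(sig)  # exactly the value every relying party will later see
    return sig


# --- Blind signing: the issuer signs a blinded digest and never sees the signature.
def blind(attributes: dict, r: Optional[int] = None) -> tuple:
    """User side: pick a blinding factor r coprime to N and hide the digest."""
    m = claim_digest(attributes)
    while r is None or gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    return (m * pow(r, E, N)) % N, r


def blind_issue(blinded: int, issuer_log: list) -> int:
    """Issuer side: it only ever learns (and logs) the blinded value."""
    issuer_log.append(blinded)
    return pow(blinded, D, N)


def unblind(blinded_sig: int, r: int) -> int:
    """User side: strip the blinding factor; result is an ordinary signature on m."""
    return (blinded_sig * pow(r, -1, N)) % N


def issuer_can_link(issuer_log: list, presented_signature: int) -> bool:
    """Correlation test an issuer colluding with a relying party could run:
    does anything recorded at issuance equal the value the relying party got?"""
    return presented_signature in issuer_log


def demo() -> dict:
    """Run both flows on the same attribute statements and report linkability."""
    attrs = {"age_over_18": True, "country": "CA"}  # constructed attribute statements
    std_log, blind_log = [], []
    s_std = standard_issue(attrs, std_log)
    blinded, r = blind(attrs)
    s_blind = unblind(blind_issue(blinded, blind_log), r)
    return {
        "standard_verifies": verify(attrs, s_std),
        "standard_linkable": issuer_can_link(std_log, s_std),
        "blind_verifies": verify(attrs, s_blind),
        "blind_linkable": issuer_can_link(blind_log, s_blind),
    }


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing. The final signature in both flows is the same number (m^D mod N), so what changes is not the relying party’s view but what the issuer was able to record; that is the sense in which the identifier is no longer inescapable. And this toy only removes the issuer-to-relying-party link: if the same unblinded signature is shown to two relying parties, that value is itself a handle they can compare, which is why a production minimal disclosure scheme needs more than a single reusable signature and why a shared handle, when wanted, should be an explicit attribute rather than a side effect of the signature.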

My personal belief is that minimal disclosure technology ultimately needs to be built right into the infrastructure core of identity systems. In any case, as identity systems start to support the issuance of “long-lived” identity claims (which can be stored by their users rather than having to be presented instantaneously), a move away from standard signing technology to minimal disclosure technology will be entirely natural. Namely, for long-lived identity claims, identity providers and in fact users themselves may not know in advance how and by whom the claims will be relied on; as such, protecting identity claims with the most flexible signing technology that supports the largest possible set of use cases is simply common business sense. For the same reason, selective disclosure capabilities will become the natural choice.

Finally, I want to make it clear that minimal disclosure technology is not “just” about privacy: it is really all about multi-party security, which is a much broader notion. For an overview and an animated PowerPoint presentation that clarify this in some detail, see here and here, as well as this related blog entry.

June 25, 2007 - Posted by | General
