Anonymous credentials in the browser

Identity matters!  In everyday life we present different “faces” to different people according to the social context, e.g. family, personal, and professional. Our online life is the same, and our privacy depends on keeping these different faces compartmentalized. To support this, we need ways to restrict access to services. As an example, a social website used by college students could be restricted to fellow students and off limits to everyone else including college staff and past students.  You certainly don’t want potential employers sifting through the site and rejecting your job application on the grounds of some loose talk or revealing party photo!

A powerful way to implement this is with anonymous credentials. Imagine the student union providing electronic credentials to all students that asserts that you are a current student at that college/university.  This is an electronic equivalent of a student ID card. When you go online to the social website operated by the student union, you are asked for proof you are a current student, but not for your actual identity.

I have been working with Patrik Bischel (IBM Zurich Labs)  on an implementation of this approach based upon a Firefox extension and the open source idemix (identity mixer) library.  The extension recognizes policy references in web page markup and asks the user for a PIN or pass phrase to unlock her credentials and construct a zero knowledge proof which is then sent to the website for verification. The browser extension is written in JavaScript and uses LiveConnect to communicate with the Java idemix library. The webserver is Apache2 and proof verification is implemented as a Java servlet on a backend Tomcat server.

This has been done with support from the EU PrimeLife project, and we hope to be able to make the extension and servlet widely available in the near future. Further work is needed on tools for simplifying the creation of credentials and proof specifications, and there are opportunities for integrating biometric techniques as alternatives to typing a PIN or pass phrase. One possibility would be for the browser to confirm your identity by taking a photo of your face with the camera built into phones and notebook computers. Another would be to ask you to say aloud a few digits and use the built in microphone for voice authentication. We’ve also discussed the role of physical tokens such as smart cards, and USB sticks for credential stores, but this is hindered by platform independent ways to access these from browser extensions.

As Dave Birch is fond of saying, there is no privacy without security. Anonymous credentials provide a powerful new way to boost privacy on the Web, and it is time to turn them from a laboratory curiosity into widely deployed solutions. I look forward to working on incorporating them in W3C’s suite of standards for Web platforms.

About dsr

I am a member of the [http://www.w3.org/ W3C] Team working on assignment from [http://www.justsystems.com JustSystems]. For more details see my [http://www.w3.org/People/Raggett/ personal page].
This entry was posted in Browsers, Privacy, Software, W3C. Bookmark the permalink.

4 Responses to Anonymous credentials in the browser

  1. Melvin Carvalho says:

    Great post, it looks interesting. Zero knowledge proofs are a fascinating area. I’d love to see this combined with Web of Trust and Linked Data.

    Why not use signed RDF triples for this?

    a Student

    Signed using (for example) a public key.

    This is, in essence what the FOAF/WOT/WebID projects have been working on using Web Standards.

    idemix looks interesting

    primelife i think uses elgg in some places, which implies every user has a FOAF, and hence, WebID

    having spoken to Paul T in the SWXG higgins is looking at exploring the Web Stack inc. SPARQL Update, FOAF, WebID, in 2011 … so many all the things we’ve been working on might be able to come together?

  2. This is interesting. Does this potentially suggest that the student (in the example) would trust the provider of the anonymous credentials – and therefore risk career damaging content being published on the basis of trusting the provider?

  3. dsr says:

    In principle, signed RDF triples could be used for credentials, and could also be used for proof specifications – e.g. requiring someone’s age to be 21 or over (rdfq:greaterThan). Whether signed RDF will take off for security assertions is another matter and we will have to see.

  4. dsr says:

    In the example, the website is operated by the same organization that provides the student id credentials. Students indeed have to trust that the site will honor its stated privacy policy, but could sue for damages if harm is incurred through a breach of that policy.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>