On Tue, Aug 2, 2011 at 1:43 AM, Francisco Corella <fcorella@pomcor.com> wrote:
Yes. The NSTIC Identity Ecosystem should encompass pseudonymity and also anonymity. Today most of your activity on the Web, other than when you pay with a credit card, is anonymous. When you log in to a site with a username and a password, you are just proving that you are the same user who registered earlier with the site.
In practice this is not generally so; you leak identity information all over the place. For example:

* IP address
* Recovery email address
* Third party tracking cookies

and so on.
As we move away from passwords we should preserve this anonymity.
No, we need to improve on it.
A simple way to achieve that is to have the Web site itself issue you a "login certificate" when you register, which you use later to log in to the site. (The certificate binds a public key to a reference to your account at the site, internal to the site. The public key is the public key component of a key pair generated by your browser for the specific purpose of registering with that particular site, so that it cannot be used to track you.)
This has been available in browsers forever, yet it is hardly used. Why? a) UI b) Portability. Neither of these is simple. But at least I (and Google) offer a solution to b (http://www.links.org/files/nigori/).
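
The login-certificate exchange described in the quoted message, as an added example that is not part of the original thread or either author's code. It assumes Ed25519 keys and a JSON certificate body in place of X.509, and every function name and the account reference are hypothetical.

```javascript
const crypto = require('crypto');

// --- Site side (in-memory state, constructed for this example) ---
const siteKeys = crypto.generateKeyPairSync('ed25519'); // signs login certificates
const pendingChallenges = new Set();                    // single-use login nonces

// Registration: bind the browser's per-site public key to an internal account reference.
function issueLoginCertificate(accountRef, browserPublicKeyPem) {
  const body = JSON.stringify({ accountRef, publicKey: browserPublicKeyPem });
  const signature = crypto.sign(null, Buffer.from(body), siteKeys.privateKey);
  return { body, signature: signature.toString('base64') };
}

// Login step 1: the site hands out a fresh random challenge.
function newChallenge() {
  const challenge = crypto.randomBytes(32).toString('base64');
  pendingChallenges.add(challenge);
  return challenge;
}

// Login step 2: check the certificate, then proof of possession of the private key.
// Returns the account reference on success, null otherwise.
function verifyLogin(cert, challenge, proof) {
  if (!pendingChallenges.delete(challenge)) return null; // unknown or replayed challenge
  const certOk = crypto.verify(null, Buffer.from(cert.body), siteKeys.publicKey,
    Buffer.from(cert.signature, 'base64'));
  if (!certOk) return null;                              // not issued by this site
  const { accountRef, publicKey } = JSON.parse(cert.body);
  const proofOk = crypto.verify(null, Buffer.from(challenge),
    crypto.createPublicKey(publicKey), Buffer.from(proof, 'base64'));
  return proofOk ? accountRef : null;
}

// --- Browser side ---
// A fresh key pair per site, so the public key is not a cross-site identifier.
function browserRegister() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { privateKey, publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }) };
}

// Sign the site's challenge with the key generated for that site.
function browserProve(privateKey, challenge) {
  return crypto.sign(null, Buffer.from(challenge), privateKey).toString('base64');
}
```

The certificate carries only the site-internal account reference and a key used nowhere else, so it gives a second site nothing to correlate; the IP address and cookie leaks listed in the reply are outside what it covers.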