What Scott mentioned... Good point.
From: wg-uma-bounces@kantarainitiative.org
[mailto:wg-uma-bounces@kantarainitiative.org] On Behalf Of Eve Maler
Sent: Thursday, October 29, 2015 2:24 AM
To: Mark Dobrinic
Cc: wg-uma@kantarainitiative.org UMA
Subject: Re: [WG-UMA] NIST Seeks Comments on New Project Aimed at Protecting Privacy Online
Okay, I'll be the contrarian, just for fun.
As I commented to a couple of people regarding the relatively recent
academic paper "Toward Mending Two Nation-Scale Brokered Identification
Systems" (http://www0.cs.ucl.ac.uk/staff/G.Danezis/papers/popets15-brokid.pdf),
everything is tradeoffs. And it's arguable that the governments in those
cases made the operationally and more citizen-acceptable tradeoff for
privacy vs. what the researchers recommended.
Quoting/paraphrasing myself from previous threads on this topic:
I suspected from a brief article
<http://www.computing.co.uk/ctg/news/2414194/govuk-verify-identity-management-system-riddled-with-severe-privacy-and-security-problems-warn-ucl-academics>
on the subject that the reporter probably had trouble divining exactly
what the problem with the FCCX and UK.Gov Verify systems actually was, since
it wasn't explained at all, nor what the proposed solution was... and it's
all extremely subtle. And I'm not even seeing a huge outcry or even all that
much gov followup/panicked defense after.
The researchers found a limitation in the tradeoff choice that the FCCX and
UK.Gov Verify system designers made. This tradeoff prizes the ability for
the user to use an online service ("relying party") and an identity
provider, free from worrying that the two will discover who the other is,
over the perfect ability for a pseudonymous identifier and attributes
representing the user to pass unseen through the broker in the middle (the
broker makes this "service blinding" possible). The researchers propose some
clever encryption tricks to guard against the broker seeing things, and go
further and propose a new user-chosen "identity integration" service that
could handle the tricks. Given that brokered systems, and the "older"
protocols such as SAML already in use, and the encryption tricks they
suggest, and user interfaces that force users to choose services, are all
considered extremely heavyweight and expensive in various ways, I give the
researchers' suggestions a nil chance of succeeding in the current
environment. And given that users have a variety of incentives to share
enough attributes in everyday circumstances to routinely become identifiable
(Latanya Sweeney's research in particular is famous for discovering these
properties), it's very questionable whether the researchers' preference for
tradeoffs vs. the nations' preference is the correct one.
On 25 Oct 2015, at 7:49 AM, Mark Dobrinic