On Sat, Apr 01, 2006 at 12:35:12PM +0100, Ben Laurie wrote:

> However, anyone I show this proof to can then masquerade as a silver
> member, using my signed nonce. So, it occurred to me that an easy
> way to prevent this is to create a private/public key pair and
> instead of the nonce use the hash of the public key. Then to prove
> my silver status I have to show that both the hash is signed by BA
> and that I possess the corresponding private key (by signing a
> nonce, say). It seems to me quite obvious that someone must have
> thought of this before - the question is who? Is it IP free?
Well I thought of this a few years ago also. However I suspect you'd find the same idea earlier as a footnote in Stefan Brands' book. (It's amazing how much stuff is in there; I thought I found something else interesting -- offline transferable cash -- turns out that also was a footnote referring to someone's MSc thesis.)

> Obviously this kind of credential could be quite useful in identity
> management. Note, though, that this scheme doesn’t give me
> unlinkability unless I only show each public/private key pair
> once. What I really need is a family of unlinkable public/private
> key pairs that I can somehow get signed with a single “family”
> signature (obviously this would need to be unlinkably transformed
> for each member of the key family).

This is harder; I thought about this a bit also. I was thinking a way to do this would be to have a self-reblindable signature. I.e. you can re-blind the certificate signature such that the signature remains, but it is unlinkable. I didn't so far find a way to do this with any of the schemes. So it would for example be related to the more recent publicly re-encryptable Elgamal-based signatures. (A third party can re-encrypt the already encrypted message without themselves being able to decrypt the message.)

Brands also has a mechanism to simplify the use-each-cert-once method. He can have the CA reissue you a new cert without having to go through the attribute verification phase. I.e. you present an old cert and get it reblinded, and the CA does not even, if I recall, see what attributes you have. So you just periodically get yourself another batch. Mostly does what you want, just with some assistance from the CA.

Adam

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
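The signed-key-hash credential Ben describes above, as an added worked example; this is not code from either poster and the thread names no algorithms, so Ed25519 signatures and SHA-256 for the key hash are assumptions here, as are the names Issue, Present, Verify and Linkable. The issuer (BA in the thread) signs status||H(pk) rather than a bare nonce; a verifier then challenges with a fresh nonce and checks three things: the shown public key hashes to the signed value, the issuer's signature is valid, and the presenter can sign the nonce with the matching private key. The stand-alone main() also shows the two failure modes the posts raise: an eavesdropper who captured a presentation cannot replay it against a new nonce or swap in a key of their own, and two presentations from the same key pair are trivially linkable, which is exactly why Ben wants a family of unlinkable keys.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Credential is what the issuer hands the member: a signature over the
// status string and the SHA-256 hash of the member's public key (assumed
// instantiation; the thread only says "the hash of the public key").
type Credential struct {
	Status    string
	KeyHash   [32]byte
	IssuerSig []byte
}

// credentialMessage is the exact byte string the issuer signs. A separator
// keeps "silver"||hash distinct from any other status||hash encoding.
func credentialMessage(status string, keyHash [32]byte) []byte {
	return append([]byte(status+"|"), keyHash[:]...)
}

// Issue binds a status to the hash of a member public key. The issuer never
// sees, and never needs, the member's private key.
func Issue(issuerPriv ed25519.PrivateKey, status string, memberPub ed25519.PublicKey) Credential {
	kh := sha256.Sum256(memberPub)
	return Credential{Status: status, KeyHash: kh,
		IssuerSig: ed25519.Sign(issuerPriv, credentialMessage(status, kh))}
}

// Presentation is what the member shows a verifier: the credential, the
// preimage of the key hash, and a signature over this verifier's nonce.
type Presentation struct {
	Cred      Credential
	MemberPub ed25519.PublicKey
	NonceSig  []byte
}

// NewNonce draws a fresh 32-byte challenge. Because every verifier picks its
// own, a captured presentation answers the wrong nonce and is rejected.
func NewNonce() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// Present answers the verifier's nonce with the member's private key; this is
// the proof of possession that a bare signed nonce from the issuer lacked.
func Present(cred Credential, memberPriv ed25519.PrivateKey, nonce []byte) Presentation {
	pub := memberPriv.Public().(ed25519.PublicKey)
	return Presentation{Cred: cred, MemberPub: pub, NonceSig: ed25519.Sign(memberPriv, nonce)}
}

// Verify checks the three facts the thread lists: the shown key hashes to the
// signed value, the issuer really signed status||hash, and the presenter
// controls the matching private key (valid signature over our nonce).
func Verify(issuerPub ed25519.PublicKey, p Presentation, nonce []byte, wantStatus string) bool {
	if p.Cred.Status != wantStatus {
		return false
	}
	if sha256.Sum256(p.MemberPub) != p.Cred.KeyHash {
		return false
	}
	if !ed25519.Verify(issuerPub, credentialMessage(p.Cred.Status, p.Cred.KeyHash), p.Cred.IssuerSig) {
		return false
	}
	return ed25519.Verify(p.MemberPub, nonce, p.NonceSig)
}

// Linkable reports whether two presentations expose the same key pair: the
// linkability Ben notes unless each pair is shown only once.
func Linkable(a, b Presentation) bool {
	return bytes.Equal(a.MemberPub, b.MemberPub)
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(nil)
	memberPub, memberPriv, _ := ed25519.GenerateKey(nil)
	cred := Issue(issuerPriv, "silver", memberPub)

	nonce := NewNonce()
	shown := Present(cred, memberPriv, nonce)
	fmt.Println("honest presentation verifies:", Verify(issuerPub, shown, nonce, "silver"))

	// Eavesdropper replays the captured presentation against a fresh nonce.
	fmt.Println("replay verifies:", Verify(issuerPub, shown, NewNonce(), "silver"))

	// Eavesdropper keeps the credential but substitutes their own key pair.
	_, evePriv, _ := ed25519.GenerateKey(nil)
	n2 := NewNonce()
	fmt.Println("key substitution verifies:", Verify(issuerPub, Present(cred, evePriv, n2), n2, "silver"))

	// Two honest showings of the same key pair are linkable.
	again := Present(cred, memberPriv, NewNonce())
	fmt.Println("two showings linkable:", Linkable(shown, again))
}
```

The issuer signature alone is transferable, which is Ben's original problem; it is the nonce signature under the member's own key that stops a recipient of the proof from replaying it. Nothing here hides which key pair was used, so a member wanting unlinkability must obtain one credential per key pair, or use a reblindable scheme of the kind Adam sketches.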
