Hi Zhou,
thanks for your response. From: ext [email protected] [mailto:[email protected]] Sent: Wednesday, February 15, 2012 8:06 AM To: Klaas Wierenga Cc: Tschofenig, Hannes (NSN - FI/Espoo); [email protected]; [email protected] Subject: 答复: Re: [ietf-privacy] 答复: Re: 答复: RE: anonymity definition in"draft-hansen-privacy-terminology-03" Hi, > > 1) two different relying parties should not be able to tell that the same > > user has logged in to both of them by comparing their login logs. > > This property (targeted or directed identity) was not what I was > referring to, but yes, you want a per session, per relying party > (and in some cases for limited time) pseudonym > > > > > Here I would just the term anonymity or pseudonymity of the subject towards > > the individual relying parties. > > See above, it goes beyond pseudonimity towards rp, it is about not > sharing pseudonyms between parties Isn't 1) similar to unlinkability? You are certainly right that there is a relationship between anonymity and unlinkability. In fact we had test about this topic in earlier versions in the draft, see http://tools.ietf.org/html/draft-hansen-privacy-terminology-00#section-5 <http://tools.ietf.org/html/draft-hansen-privacy-terminology-00#section-5> . The problem with these earlier versions was that they are a bit hard to read �C the wording feels a bit academic. As such, the term unlinkability (with some additional qualifications regarding the items of interests, such as ‘unlinkability with respect to the subject’) may also be suitable here. In a description I would, however, point out who the adversary is. In the description above the adversaries here are the colluding relying parties rather than some eavesdropper observing the communication exchange. The unlinkability in the http://tools.ietf.org/html/draft-iab-privacy-terminology-00#section-3 <http://tools.ietf.org/html/draft-iab-privacy-terminology-00#section-3> leaves a few things open, namely who the attacker is and what the items of interest are. The content of the message is likely going to play a role in our context as well and the relying parties get to see the content. So, in certain cases it may be possible to come up with a solution that does not allow an eavesdropper to link to message exchanges of a subject to two relying parties together but the relying parties themselves will be able to establish that linkage. > > > > > 2) the identity provider should not be able to keep track of which relying > > parties are being used by the subject. You are talking about this one. > > Yep > > > > > Well, even more, the idp should not know at all which rp I talk to > in the first place. It is a strong privacy reqirement. Idoubt solutions in ABFAB can provide this feature. This is only the terminology document and so there is no requirement to actually accomplish that functionality. Regarding ABFAB the text would then say that it does not provide this functionality. ciao Hannes
_______________________________________________ ietf-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/ietf-privacy
