In a previous blog post I argued that identity cards should not be used to store anonymous credentials. The reason being that users may not believe that a card that is used to identify them in one context, can also be used anonymously in another. But last Friday, in a meeting with Martijn Oostdijk among others, I heard an interesting reason why anonymous credentials perhaps should be stored on an identity card anyway.
Credentials are issued to persons, because they describe a property of that person. This binding of a credential to the person to which it belongs must be maintained after the credential is issued. It should not be possible to obtain a credential (like "being over 18 years old") for yourself and then sell it to a minor. One way to do so is to bind the credential to a personal secret that is used both in issuing the credential and when revealing the credential. Of course, for anonymous credentials care has to be taken to ensure that the use of this personal secret cannot be used to trace the owner of the credential. Idemix uses this approach, and so does uProve. Cardspace uses so-called proof keys to achieve a similar objective.
However, there still is not much stopping you from sharing this personal secret (and the credential) with your friends. The main impediment is the concept of all-or-nothing disclosure: you only have one personal secret that is tied to all your credentials, so giving away one credential basically gives away all your credentials. If access to your bank account is among those credentials, you are supposedly less likely to share it with others. It remains to be seen whether this is an effective deterrent.
Sharing of credentials can also be prevented if they are stored on a smart card (provided they can never be read from the card). But then still this card needs to be bound to the user. The simplest approach is to store the credential on the identity card of the user, and making sure that in order to prove possession of the credential, the identity card needs to be present. This has the aforementioned drawback that users may not believe that the credential is anonymous. However, a dual-interface smart card (with contact and contact-less interface) may help solve this problem in the following way. The smart card must ensure that the contact interface can only be used to identify and authenticate the user, while the contactless interface can only be used to show anonymous credentials. Then the way the smart card has to be used in a particular application immediately reveals the nature of the information that is processed. If the card has to be inserted into a card reader (hence using the contact interface), your identity is revealed. If the card has to be held close to a reader (hence using the contactless interface), you are anonymous.
Maybe there are other options: suggestions are more than welcome! More research is needed in this area, I believe.