In the IRMA (I Reveal My Attributes) project we are working to make attribute based credentials practical. One of the things we have been looking at is possible use cases for such credentials, especially when they are implemented on a (contactless) smart card. One particularly interesting use case is the sale of tickets for events.

In the Netherlands, resale of event tickets is rampant, especially for popular shows. Professional resellers buy tickets in bulk as soon as they are for sale. They do so either offline or online. Once the concert sells out, the resellers will sell their tickets at a huge profit. Even though the practice is illegal, it is hard to stop this fraud. Even when the sale of online tickets is bound to personal accounts, with a limit of say 4 tickets per account, resellers have found ways to overcome such barriers.

Smart card bound attribute based credentials, like those developed in the IRMA project, can solve this problem.

The IRMA card is bound to a person using a passport style picture of the bearer printed on the front of the card. In principle, people only have one IRMA card. When you loose a card, you may be able to obtain a new one, but this is a resource intensive process (a mechanism to avoid sybil attacks). Credentials issued to an IRMA card are bound to that card through a private key that never leaves the card and that is required to prove ownership of the credential.

In the online ticket sales scenario, a concert ticket is a credential with several attributes, including the date and title of the event for example, the number of people the ticket is valid for, and possibly a sequence number. To buy a ticket online, you inserts your IRMA card in a smart card reader attached to your PC, or put your IRMA card against the back of your NFC enabled phone (IRMA cards are contactless). The online ticket office sells tickets online as credentials that are issued to your IRMA card. In fact, the ticket office web server connects to your card to upload the credential once the transaction is approved. In the offline case, you insert your card in a terminal at the ticket office, and the process is pretty much the same after that.

At the venue, the doormen will compare you with the picture on your card, and then verify whether you have the right credential for the event on your IRMA card. They could do so with a special app installed on their NFC phone. Note that access to credentials is restricted, so the doormen can only access the credential for this particular event, and no other credentials on your card whatsoever. Because credentials are bound to a private key stored securely in the card, and IRMA cards are personal, tickets cannot be resold. If you worry about cards of people that entered the venue somehow can be smuggled out and be reused (for example because the picture check is not that reliable in the dark), the optional sequence number can be used to mark the credential (i.e. ticket) invalid. Note that even if the doormen do not check the picture on the card at all (and sequence numbers are used to invalidate used credentials) the fact that IRMA cards are in principle only issued once to a person keeps the system secure.

The approach outlined above solves the reseller problem. Moreover, it makes the sale of concert tickets online privacy friendly again (like the offline case) as long as you pay the tickets through a third party using a privacy friendly protocol (like once the SET standard for credit card payments)…