In the IRMA (I Reveal My Attributes) project we are working to make attribute-based credentials practical. One of the things we have been looking at is possible use cases for such credentials, especially when they are implemented on a (contactless) smart card. One particularly interesting use case is the sale of tickets for events.
In this rather long post, I’d like to discuss the practical difficulty of securely collecting and combining attributes from different contexts when one starts using a system based on attribute-based credentials. How do you determine that two separate contexts really belong to the same person? How do you ensure that a few people colluding cannot create a supercredential combining their individual attributes?
Daniel Solove recently wrote a short piece on The Virtues of Anonymity. He observes that anonymity can be used both for good and bad purposes, and he therefore argues for striking a balance between the two through the concept of “traceable anonymity”. In this legal concept, people’s anonymity is protected by law, unless anonymity is abused to cause harm. In that case, according to Solove, the law should preserve a way to trace the identity of the culprit.