In our IRMA project we are implementing attribute based credentials on a smart card. In fact, we are developing a proof of concept for the Dutch Ministry of the Interior, to show that this technology can, in principle, be embedded on a national identity card to support eID functionality. One important other application of eID's are digital signatures. The use of smart cards (combined with secure terminals) allow the generation of so called qualified digital signatures as specified in the law. How should these two applications be combined on one smart identity card?
The problem to solve is the following. Attribute based credentials are in principle a privacy enhancing technology. They allow a user to selectively disclose certain personal attributes. This, in turn, implements context separation: attributes relevant in a private context need not be revealed in a work context, and vice versa. Often, a form of sector specific pseudonyms are also supported. These allow you to securely use different pseudonyms in different contexts that cannot be linked.
Current digital signature functionality is often blissfully unaware of context. The smart card contains one signing key, and a corresponding certificate that binds that key to your real identity, i.e. name. Using such signatures in a particular context totally breaks the context separation that was so carefully established using the attribute based credentials. As explained before, the signature of a notary is highly valuable, and it should not be possible to mix a notary signature for private use by accident.
Therefore, it would be useful to extend the signature functionality of eID cards in two ways. First of all, one should be able to create a signature under a sector specific pseudonym, such that the signature does not allow linking to the real identity. In other words, a different signing key (and corresponding certificate that links this key to the pseudonym) needs to be used for each pseudonym. This should be implemented in an efficient manner. How to do this is something worth thinking about.
Secondly, a user should be able to sign under a collection of attributes. That is to say: the signature proves that the signer was in the possession of the specified set of attributes. This should in fact be implemented in two forms: a privacy friendly one where no other information is revealed, and a version where the signature is actually linked to the identity of the signer. The latter case supports use cases where for example a notary can use his private key to sign both in an official capacity (i.e. the document has a special status because it is signed by a notary), and in a private capacity (when signing the contract for selling his own house).
Without consideration of these issues and use cases, the use of integrating digital signature capabilities on smart cards that support attribute based credentials is rather limited.