this post was submitted on 01 Jul 2024
Privacy
Most of these make sense and are definitely blockers for this ever releasing but -
Correct me if I'm wrong but this data all has to be signed somewhere right? Like the eID contains cryptographically signed assertions about the user in some standard (JWT?) format.
What use is signing the assertions locally? There would be no way to tell if the citizen actually had any valid id at all. A pseudonym provider is the privacy layer that allows for signing of new tokens after ensuring the validity of the old.
How could you sign an anonymous token using a valid one without it being linked back to the valid one? It seems like impossible constraints.
Am I totally off base here?
No you’re right. The ARF just ignored that constraint and intentionally built in a back door here. From the linked article:
Agreed that law enforcement should not be involved but the quote I posted was also from the article and it seems impossible.
It’s impossible to do without signing with the valid cert. I think destroying the anonymity is the point.
It's impossible to do without exposing a private signing cert to everyone, yes. That's the issue.
You can't do asymmetric key signing anonymously and with a central issuer.
So either you have to just trust the assertions (0 security) or you have to have a trusted issuer (not anonymous).
A pseudonym issuer is a trusted issuer. There's no way to do it otherwise. You have to trust someone to make this kind of system work.
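The exchange discussed in this thread, as an added example that is not from any commenter, the linked article or the ARF: an issuer signs an eID assertion, a pseudonym provider verifies it and signs a fresh token, and a locally signed assertion is rejected. Textbook RSA over constructed toy keys stands in for whatever signature scheme a real deployment uses; the party names, claim fields and `PseudonymProvider` class are assumptions.

```python
import hashlib, json, secrets

E = 65537  # public exponent; toy textbook RSA, no padding: illustration only

def keypair(p, q):
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def _digest(claims, n):
    blob = json.dumps(claims, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % n

def sign(claims, key):
    return {"claims": claims, "sig": pow(_digest(claims, key["n"]), key["d"], key["n"])}

def verify(token, n):
    return pow(token["sig"], E, n) == _digest(token["claims"], n)

class PseudonymProvider:
    def __init__(self, key, issuer_n):
        self.key, self.issuer_n = key, issuer_n
        self.links = {}  # pseudonym -> eID subject; the provider can always re-link

    def exchange(self, eid_token):
        if not verify(eid_token, self.issuer_n):
            raise ValueError("assertion was not signed by the eID issuer")
        pseudonym = secrets.token_hex(8)
        self.links[pseudonym] = eid_token["claims"]["sub"]
        claims = {"sub": pseudonym, "over_18": eid_token["claims"]["over_18"]}
        return sign(claims, self.key)

ISSUER = keypair(2**61 - 1, 2**89 - 1)      # constructed keys from Mersenne primes
PROVIDER = keypair(2**107 - 1, 2**127 - 1)  # hypothetical pseudonym provider
WALLET = keypair(2**19 - 1, 2**31 - 1)      # key the citizen generated locally

def demo():
    provider = PseudonymProvider(PROVIDER, ISSUER["n"])
    eid = sign({"sub": "citizen-0001", "over_18": True}, ISSUER)
    token = provider.exchange(eid)
    try:  # locally signed claim: nothing ties it to a valid eID
        provider.exchange(sign({"sub": "anyone", "over_18": True}, WALLET))
        rejected = False
    except ValueError:
        rejected = True
    return {
        "pseudonym_valid": verify(token, PROVIDER["n"]),
        "relying_party_sees_eid": "citizen-0001" in json.dumps(token),
        "self_signed_rejected": rejected,
        "provider_can_relink": provider.links[token["claims"]["sub"]] == "citizen-0001",
    }
```

The relying party only needs the provider's public modulus and never sees the eID subject, while the `links` table is the trust placed in the provider.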