Electronic identities need private credentials

Ref: Jan Camenisch, Anja Lehmann, and Gregory Neven. IEEE Security & Privacy, 10(1), pages 80-83, 2012.

Abstract: When creating a user account, users are often required to provide a list of self-claimed personal attributes. Existing solutions such as SAML, OpenID, or X.509 certificates let users authenticate and transfer attributes, certified by an issuer, to a relying party in a more trusted way but have considerable security and privacy concerns: Either the issuer learns which user interacts with which relying party at which time (e.g., SAML and OpenID), or they force the user to reveal all of her attributes to the relying party at once (e.g., X.509). In this article, we present private credentials as a third solution that gives the best of both worlds: the issuer does not have to be involved during the authentication, yet the user only discloses those attributes that are required by the relying party, and can even do so without being easily trackable across her transactions.
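The two properties the abstract contrasts, verification with no issuer involvement and disclosure of only the attributes a relying party asks for, can be illustrated with a much simpler construction than the article's private credentials: the issuer signs a list of salted attribute digests once, and the user later opens only some of them. The following Go program is an added example written for this page, not code from the authors or from any of the systems named above. It uses standard-library Ed25519 and SHA-256; the attribute names and values are constructed sample data. Note what this simplified scheme does not deliver: the signature is identical in every presentation, so the user is trivially linkable across transactions, which is precisely the gap the article's private credentials close.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Disclosure is one salted attribute; the per-attribute salt stops a relying
// party from brute-forcing hidden values behind their digests.
type Disclosure struct {
	Salt, Name, Value string
}

// Credential is what the issuer hands to the user at enrolment.
type Credential struct {
	Digests     []string
	Signature   []byte
	Disclosures []Disclosure
}

// Presentation is what the user sends to a relying party: the signed digest
// list plus only the disclosures that party requires.
type Presentation struct {
	Digests   []string
	Signature []byte
	Revealed  []Disclosure
}

func digest(d Disclosure) string {
	h := sha256.Sum256([]byte(d.Salt + "|" + d.Name + "|" + d.Value))
	return hex.EncodeToString(h[:])
}

// signingInput canonicalises the digest list so issuer and verifier sign and
// verify the same bytes regardless of map iteration order.
func signingInput(digests []string) []byte {
	sorted := append([]string(nil), digests...)
	sort.Strings(sorted)
	return []byte(strings.Join(sorted, "\n"))
}

// Issue runs once; afterwards the issuer is never contacted again.
func Issue(priv ed25519.PrivateKey, attrs map[string]string) (Credential, error) {
	var cred Credential
	for name, value := range attrs {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return cred, err
		}
		d := Disclosure{Salt: hex.EncodeToString(salt), Name: name, Value: value}
		cred.Disclosures = append(cred.Disclosures, d)
		cred.Digests = append(cred.Digests, digest(d))
	}
	cred.Signature = ed25519.Sign(priv, signingInput(cred.Digests))
	return cred, nil
}

// Present keeps only the named attributes; all others stay hidden.
func Present(cred Credential, reveal ...string) Presentation {
	want := map[string]bool{}
	for _, n := range reveal {
		want[n] = true
	}
	p := Presentation{Digests: cred.Digests, Signature: cred.Signature}
	for _, d := range cred.Disclosures {
		if want[d.Name] {
			p.Revealed = append(p.Revealed, d)
		}
	}
	return p
}

// Verify is run by the relying party holding nothing but the issuer's public key.
func Verify(pub ed25519.PublicKey, p Presentation) (map[string]string, error) {
	if !ed25519.Verify(pub, signingInput(p.Digests), p.Signature) {
		return nil, errors.New("issuer signature invalid")
	}
	certified := map[string]bool{}
	for _, dg := range p.Digests {
		certified[dg] = true
	}
	attrs := map[string]string{}
	for _, d := range p.Revealed {
		if !certified[digest(d)] { // a disclosure must open one of the signed digests
			return nil, fmt.Errorf("disclosure %q not covered by signature", d.Name)
		}
		attrs[d.Name] = d.Value
	}
	return attrs, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample attributes, not data from the article.
	cred, _ := Issue(priv, map[string]string{"name": "Alice Example", "birthdate": "1990-01-01", "over18": "true"})
	attrs, err := Verify(pub, Present(cred, "over18")) // the relying party learns only over18
	fmt.Println(attrs, err)
}
```

The relying party's check has two halves: the signature proves the digest list was certified by the issuer, and recomputing each revealed digest proves the opened value is one of the certified ones, so a user cannot swap in an attribute the issuer never vouched for.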