RE: Representing anonymous Subjects

[Carlisle Adams <carlisle.adams@entrust.com>]

Title: RE: Representing anonymous Subjects

Hi Hal,

----------
From:   Hal Lockhart[SMTP:hal.lockhart@entegrity.com]
Sent:   Monday, August 20, 2001 6:21 PM
To:     'Tim Moses'; security-services@lists.oasis-open.org
Cc:     'George Robert Blakley III'; 'Marlena Erdos'
Subject:        RE: Representing anonymous Subjects

1) We agreed a long time ago (F2F #1 or #2) to allow pseudonomous and
anonymous subjects. The distinction made was that former has the weaker
property of it not being the same as a meatspace name. (BobB commented at
the time that there was no way to prevent this.) SO for example, my entry in
some registry is listed as "Donald Duck", or "USER123456" Note that there
may well be a person with the legal name of Donald Duck, so it may or may
not be clear to either the Asserting or Relying Party whether the name is
"real".

Anonymous is harder. Here it must not only be not be possible to tie the
subject to a human being, but also not determine that two sessions that this
person conducts were conducted by the same person. I recently proposed
meeting this requirement by issuing an Authentication Assertion with a
random value as the subject name.  The reason for not using a blank subject
name would be to make it possible to request, for example, an Attribute
Assertion refering to the same subject. (More on this below)

 
I disagree with the above paragraph.  To me, anonymous means "anonymous in every sense" (that is, not only do you not know who is at the other end, but there is no traceability between sessions either).  A vending machine is a server; requesters insert money and ask for a chocolate bar or pop or whatever, but the server has no idea who is requesting and has no idea whether or not they've ever visited before.  This is anonymity.

If you want to be able to determine that "two sessions that this person conducts were conducted by the same person", this is the purpose of pseudonymity.  Whether the pseudonym is of the form "USER123456", "Donald Duck", or an entirely random bit string (i.e., whether or not it can potentially be confused with a legitimate human name) is, I think, unimportant.  The whole point is that it is different from the actual human name of the person conducting the session (and can't readily be linked to this name), but allows traceability between sessions.  [Note:  pseudonyms that cannot be confused with legitimate human names are preferable (so that different sessions are not inappropriately linked together), but I don't think this is mandatory.]

So, in my opinion, anonymity requires a blank subject name.  (Note:  this is a "necessary-but-not-sufficient" sense of "requires".  I recognize that there may be other things in the assertion or in the transaction itself that will allow traceability.  I can pay cash at a store to try to achieve anonymity, but if I show up the next day to buy something else and happen to get the same teller, traceability may certainly be possible.)  Pseudonymity, on the other hand, requires a subject name to be present.

One final comment.  The above discussion pertains to the presence or absence of a subject name, and traceability with respect to its contents, if present.  However, the presence of an authenticator field (or whatever we decide to call it) with a value other than "bearer" allows the possibility of traceability between unnamed session conductors.  "I've no idea who this is, but it's the same entity as this other time because the same private key was used to authenticate (or the same password was supplied, or whatever)."  This is not anonymity in the truest sense {no identity; no traceability}, but is still a form of anonymity {no identity; traceability}.  Pseudonymity {false identity} always allows traceability through the (false) name, and perhaps also through the authenticator (if not "bearer").

Carlisle.