Diff of draft-hansen-privacy-terminology-00.txt (July 5, 2010) and
draft-hansen-privacy-terminology-01.txt (August 11, 2010)

Network Working Group                                   A. Pfitzmann, Ed.
Internet-Draft                                                 TU Dresden
Intended status: Informational                             M. Hansen, Ed.
Expires: February 12, 2011                                       ULD Kiel
                                                            H. Tschofenig
                                                   Nokia Siemens Networks
                                                          August 11, 2010

   Terminology for Talking about Privacy by Data Minimization: Anonymity,
     Unlinkability, Undetectability, Unobservability, Pseudonymity, and
                           Identity Management
               draft-hansen-privacy-terminology-01.txt
Abstract

This document is an attempt to consolidate terminology in the field
of privacy by data minimization. It motivates and develops
definitions for anonymity/identifiability, (un)linkability,
(un)detectability, (un)observability, pseudonymity, identity, partial
identity, digital identity and identity management. Starting the
definitions from the anonymity and unlinkability perspective and not
from a definition of identity (the latter is the obvious approach to
some people) reveals some deeper structures in this field.
Note: In the absence of a separate discussion list, please post your
comments to the IETF SAAG mailing list and/or to the authors. For
information about that mailing list, please take a look at
https://www.ietf.org/mailman/listinfo/saag.
Status of This Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on February 12, 2011.

Copyright Notice

Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
[...]

   12.1. Knowledge of the linking between the pseudonym and
         its holder . . . . . . . . . . . . . . . . . . . . . . . 33
   12.2. Linkability due to the use of a pseudonym across
         different contexts . . . . . . . . . . . . . . . . . . . 34
13. Known mechanisms and other properties of pseudonyms . . . . . 37
14. Identity management . . . . . . . . . . . . . . . . . . . . . 39
   14.1. Setting . . . . . . . . . . . . . . . . . . . . . . . . . 39
   14.2. Identity and identifiability . . . . . . . . . . . . . . 39
   14.3. Identity-related terms . . . . . . . . . . . . . . . . . 42
   14.4. Identity management-related terms . . . . . . . . . . . . 46
15. Overview of main definitions and their opposites . . . . . . . 48
16. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 50
17. References . . . . . . . . . . . . . . . . . . . . . . . . . . 50
   17.1. Normative References . . . . . . . . . . . . . . . . . . 50
   17.2. Informative References . . . . . . . . . . . . . . . . . 50
1. Introduction

Early papers from the 1980s about privacy by data minimization
already deal with anonymity, unlinkability, unobservability, and
pseudonymity and introduce these terms within the respective context
of proposed measures.
[...]

given out in order to mislead or deceive [Wils93]).

Furthermore, data minimization is the only generic strategy to
enable unlinkability, since all correct personal data provide some
linkability if we exclude providing misinformation or
disinformation.

We show relationships between these terms and thereby develop a
consistent terminology. Then, we contrast these definitions with
newer approaches, e.g., from ISO IS 15408. Finally, we extend this
terminology to identity (as the opposite of anonymity and
unlinkability) and identity management. Identity management is a
much younger and much less well-defined field, so a really
consolidated terminology for this field does not exist.

The adoption of this terminology will help to achieve better progress
in the field by sparing those working on standards and research from
inventing their own language from scratch.

This document is organized as follows: First, the setting used is
described. Then, definitions of anonymity, unlinkability,
linkability, undetectability, and unobservability are given and the
relationships between the respective terms are outlined. Afterwards,
known mechanisms to achieve anonymity, undetectability and
unobservability are listed. The next sections deal with
pseudonymity, i.e., pseudonyms, their properties, and the
corresponding mechanisms. Thereafter, this is applied to privacy-
enhancing identity management. To give an overview of the main terms
defined and their opposites, a corresponding table follows. Finally,
concluding remarks are given. In appendices, we (A1) depict the
relationships between some terms used and (A2 and A3) briefly discuss
the relationship between our approach (to defining anonymity and
identifiability) and other approaches. To make the document readable
to as large an audience as possible, we have put information which can
be skipped in a first reading, or which is only useful to part of our
readership (e.g., those knowing information theory), in footnotes.
2. Terminology and Requirements Notation

[...]

extent information about them is communicated to others. Viewed
in terms of the relation of the individual to social
participation, privacy is the voluntary and temporary withdrawal
of a person from the general society through physical or
psychological means, either in a state of solitude or small-group
intimacy or, when among larger groups, in a condition of anonymity
or reserve.", see page 7 of [West67]
3. Setting

We develop this terminology in the usual setting of entities
(subjects and objects) and actions, i.e., subjects execute actions on
objects. In particular, subjects called senders send objects called
messages to subjects called recipients using a communication network,
i.e., stations send and receive messages using communication
technology.
Note:
To keep the setting as simple as possible, usually, we do not
distinguish between human senders and the stations which are used
to send messages. Putting it the other way round, usually, we
assume that each station is controlled by exactly one human being,
its owner. If a differentiation between human communication and
computer communication is necessary or if the assumption that each
station is controlled by exactly one human being is wrong, the
[...]
for human beings and message for their communication. For
computers and their communications, we use stations sending bit
strings. If we have to look even deeper than bits which are
"abstractions" of physical signals, we call the representation of
bit strings signals.
For other settings, e.g., users querying a database, customers
shopping in an e-commerce shop, the same terminology can be derived
by instantiating the terms "sender", "recipient", and "message". But
for ease of explanation, we use the specific setting here, see
Figure 1. For a discussion in a broader context, we speak more
generally about subjects, which might be actors (such as senders) or
actees (such as recipients).
Irrespective of whether we speak of senders and recipients or whether
we generalize to actors and actees, we regard a subject as a human
being (i.e., a natural person), a legal person, or a computer. An
organization not acting as a legal person we neither see as a single
subject nor as a single entity, but as (possibly structured) sets of
subjects or entities. Otherwise, the distinction between "subjects"
and "sets of subjects" would completely blur.
If we make our setting more concrete, we may call it a system. For
our purposes, a system has the following relevant properties:

1. The system has a surrounding, i.e., parts of the world are
"outside" the system. Together, the system and its surrounding
form the universe.

2. The state of the system may change by actions within the system.
[...]

perspective" iff it holds for all possible observations of that
perspective. The attacker's perspective depends on the information
the attacker has available. If we assume some limits on how much
processing the attacker might be able to do, the information
available to the attacker will not only depend on the attacker's
perspective, but on the attacker's processing (abilities), too. The
attacker may be an outsider tapping communication lines or an insider
able to participate in normal communications and controlling at least
some stations, cf. Figure 2. We assume that the attacker uses all
information available to him to infer (probabilities of) his items of
interest (IOIs), e.g., who sent or received which messages. At
this level of description, we intentionally do not care about
particular types of IOIs. The given example would be an IOI which
might be a 3-tuple of actor, action, and object. Later we consider
attribute values as IOIs. Attributes (and their values) are related
to IOIs because they may be items of interest themselves or their
observation may give information on IOIs: An attribute is a quality
or characteristic of an entity or an action. Some attributes may
take several values. Then it makes sense to make a distinction
between more abstract attributes and more concrete attribute values.
Mainly we are interested in attributes of subjects. Examples for
attributes in this setting are "sending a message" or "receiving a
message".
[Figure 1: Setting. Senders (e.g., Alice) send messages through the
communication network to recipients (e.g., Carol).]
[...]

robustness. Robustness of anonymity characterizes how stable the
quantity of anonymity is against changes in the particular setting,
e.g., a stronger attacker or different probability distributions. We
might use quality of anonymity as a term comprising both quantity and
robustness of anonymity. To keep this text as simple as possible, we
will mainly discuss the quantity of anonymity in the following, using
the wording "strength of anonymity".

The above definitions of anonymity and the mentioned measures of
quantifying anonymity are fine to characterize the status of a
subject in a world as it is. If we want to describe changes to the
anonymity of a subject if the world is changed somewhat, e.g., the
subject uses the communication network differently or uses a modified
communication network, we need another definition of anonymity
capturing the delta. The simplest way to express this delta is by
the observations of "the" attacker.

Definition: An anonymity delta (regarding a subject's anonymity)
from an attacker's perspective specifies the difference between
the subject's anonymity taking into account the attacker's
observations (i.e., the attacker's a-posteriori knowledge) and the
[...]

in the limiting case all subjects in an anonymity set. An important
special case is that the "set of subjects" is the set of subjects
having one or several attribute values A in common. Then the meaning
of "preservation of anonymity of this set of subjects" is that
knowing A does not decrease anonymity. Having a negative anonymity
delta means that anonymity is decreased.
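As an added illustration (not code from the draft or its authors), the following Python models the anonymity delta defined above and its special case "knowing attribute value A": the attacker's a-priori and a-posteriori knowledge about who sent one message are probability distributions over the sender anonymity set, the quantity of anonymity is taken to be the Shannon entropy of that distribution (one common information-theoretic choice, which the draft does not prescribe), and the delta is their difference. It also generalizes the attribute case to an arbitrary likelihood-weighted observation; all subject names and sample values are constructed.

```python
import math
from typing import Dict, Iterable

# Constructed illustration of the draft's "anonymity delta"; not code
# from the draft or its authors. We quantify anonymity by the Shannon
# entropy (in bits) of the attacker's probability distribution over the
# sender anonymity set of one message m; this is one common choice, not
# one the draft prescribes. All subject names below are made up.

Distribution = Dict[str, float]


def uniform_prior(anonymity_set: Iterable[str]) -> Distribution:
    """A-priori knowledge: each subject in the sender anonymity set is
    equally likely to have sent the message."""
    subjects = list(anonymity_set)
    if not subjects:
        raise ValueError("anonymity set must not be empty")
    return {s: 1.0 / len(subjects) for s in subjects}


def quantity_of_anonymity(dist: Distribution) -> float:
    """Entropy of the attacker's distribution in bits: log2(|set|) for a
    uniform distribution, 0.0 once the attacker has identified the sender."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0.0)


def condition_on_likelihood(prior: Distribution,
                            likelihood: Dict[str, float]) -> Distribution:
    """A-posteriori knowledge after an observation (Bayes' rule), where
    likelihood[s] is the probability of the observation given that s is
    the sender (subjects missing from the dict get likelihood 0).
    Subjects that end up with probability 0 leave the anonymity set."""
    unnormalised = {s: p * likelihood.get(s, 0.0) for s, p in prior.items()}
    total = sum(unnormalised.values())
    if total <= 0.0:
        raise ValueError("observation is inconsistent with the prior")
    return {s: w / total for s, w in unnormalised.items() if w > 0.0}


def condition_on_attribute(prior: Distribution,
                           has_attribute: Dict[str, bool]) -> Distribution:
    """The draft's special case: the attacker learns that the sender has
    attribute value A. Subjects without A are ruled out, the remaining
    probabilities are renormalised, nothing else changes."""
    return condition_on_likelihood(
        prior, {s: 1.0 if has_attribute.get(s, False) else 0.0 for s in prior})


def anonymity_delta(prior: Distribution, posterior: Distribution) -> float:
    """A-posteriori minus a-priori quantity of anonymity. Negative: the
    observation decreased anonymity. Zero: anonymity was preserved."""
    return quantity_of_anonymity(posterior) - quantity_of_anonymity(prior)


def attribute_preserves_anonymity(prior: Distribution,
                                  has_attribute: Dict[str, bool]) -> bool:
    """True iff knowing attribute value A does not decrease anonymity,
    i.e., the draft's "preservation of anonymity" of the subjects
    sharing A (the delta is zero, up to floating point)."""
    delta = anonymity_delta(prior, condition_on_attribute(prior, has_attribute))
    return math.isclose(delta, 0.0, abs_tol=1e-12)


if __name__ == "__main__":
    # Constructed sample: four potential senders of message m.
    prior = uniform_prior(["alice", "bob", "carol", "dave"])
    # Attribute value A shared by only two of them: the delta is -1 bit.
    a = {"alice": True, "bob": True, "carol": False, "dave": False}
    post_a = condition_on_attribute(prior, a)
    print("delta after learning A:", anonymity_delta(prior, post_a))
    # Attribute value B shared by the whole set: anonymity is preserved.
    b = {s: True for s in prior}
    print("B preserves anonymity:", attribute_preserves_anonymity(prior, b))
```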
5. Unlinkability

Unlinkability only has a meaning after the system in which we want to
describe anonymity properties has been defined and the attacker has
been characterized. Then:

Definition: Unlinkability of two or more items of interest (IOIs,
e.g., subjects, messages, actions, ...) from an attacker's
perspective means that within the system (comprising these and
possibly other items), the attacker cannot sufficiently
distinguish whether these IOIs are related or not.

Note:
From [ISO99]: "Unlinkability ensures that a user may make multiple
[...]

Of course, all 5 definitions would work for receiving of messages
accordingly. For more complicated settings with more operations than
these two, appropriate sets of definitions can be developed.

Now we are prepared to describe anonymity in terms of unlinkability.
We do this by using our setting, cf. Section 3. So we consider
sending and receiving of messages as attributes; the items of
interest (IOIs) are "who has sent or received which message". Then,
anonymity of a subject w.r.t. an attribute may be defined as
unlinkability of this subject and this attribute. In the wording of
the definition of unlinkability: a subject s is related to the
attribute value "has sent message m" if s has sent message m; s is
not related to that attribute value if s has not sent message m.
The same holds for receiving. Unlinkability is a sufficient
condition of anonymity, but it is not a necessary condition. Thus,
failing unlinkability w.r.t. some attribute value(s) does not
necessarily eliminate anonymity as defined in Section 4; in specific
cases (i.e., depending on the attribute value(s)) even the strength
of anonymity may not be affected.

So we have: Sender anonymity of a subject means that to this
potentially sending subject, each message is unlinkable.

Note:
The property unlinkability might be more "fine-grained" than
anonymity, since there are many more relations where unlinkability
might be an issue than just the relation "anonymity" between
subjects and IOIs. Therefore, the attacker might get to know
[...]

For pseudonyms chosen by the user (in contrast to pseudonyms
assigned to the user by others), primarily, the holder of the
pseudonym is using it. Secondarily, all others he communicated to
using the pseudonym can utilize it for linking. Each of them can,
of course, divulge the pseudonym and all data related to it to
other entities. So finally, the attacker will utilize the
pseudonym to link all data related to this pseudonym he gets to
know being related.

Defining the process of preparing for the use of pseudonyms, e.g., by
establishing certain rules how and under which conditions civil
identities of holders of pseudonyms will be disclosed by so-called
identity brokers or how to prevent uncovered claims by so-called
liability brokers (cf. Section 11), leads to the more general notion
of pseudonymity, as defined below.

Note:
Identity brokers hold, for the pseudonyms they are the identity
broker for, the information who the respective holder is.
Therefore, identity brokers can be implemented as a special kind
of certification authorities for pseudonyms. Since anonymity can
be described as a particular kind of unlinkability, cf. Section 6,
the concept of identity broker can be generalized to linkability
broker. A linkability broker is a (trusted) third party that,
skipping to change at page 32, line 11 skipping to change at page 32, line 11
has proof of the identity of the holder of this digital pseudonym has proof of the identity of the holder of this digital pseudonym
and is willing to divulge that proof under well-defined and is willing to divulge that proof under well-defined
circumstances) or circumstances) or
o both. o both.
Note: Note:
If the holder of the pseudonym is a natural person or a legal If the holder of the pseudonym is a natural person or a legal
person, civil identity has the usual meaning, i.e. the identity person, civil identity has the usual meaning, i.e. the identity
attributed to an individual person by a State (e.g., represented attributed to that person by a State (e.g., a natural person being
by the social security number or the combination of name, date of represented by the social security number or the combination of
birth, and location of birth etc.). If the holder is, e.g., a name, date of birth, and location of birth etc.). If the holder
computer, it remains to be defined what "civil identity" should is, e.g., a computer, it remains to be defined what "civil
mean. It could mean, for example, exact type and serial number of identity" should mean. It could mean, for example, exact type and
the computer (or essential components of it) or even include the serial number of the computer (or essential components of it) or
natural person or legal person responsible for its operation. even include the natural person or legal person responsible for
its operation.
If sufficient funds attached to a digital pseudonym are reserved If sufficient funds attached to a digital pseudonym are reserved
and/or the digitally signed statement of a trusted identity broker is and/or the digitally signed statement of a trusted identity broker is
checked before entering into a transaction with the holder of that checked before entering into a transaction with the holder of that
pseudonym, accountability can be realized in spite of anonymity. pseudonym, accountability can be realized in spite of anonymity.
11.3. Transferring authenticated attributes and authorizations between 11.3. Transferring authenticated attributes and authorizations between
pseudonyms pseudonyms
To transfer attributes including their authentication by third To transfer attributes including their authentication by third
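Review bot: The rewording of the civil-identity note now restricts the social security number example to natural persons ("a natural person being represented by the social security number ..."), but the same sentence still covers legal persons without giving them any example; add a matching example for legal persons (a company registration number, for instance) so that "civil identity" is equally concrete for both kinds of holder the note names. The computer case that follows is unaffected by the change.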
skipping to change at page 40, line 8 skipping to change at page 40, line 8
Note: Note:
Here (and in Section 14 throughout), we have human beings in mind, Here (and in Section 14 throughout), we have human beings in mind,
which is the main motivation for privacy. From a structural point which is the main motivation for privacy. From a structural point
of view, identity can be attached to any subject, be it a human of view, identity can be attached to any subject, be it a human
being, a legal person, or even a computer. This makes the being, a legal person, or even a computer. This makes the
terminology more general, but may lose some motivation at first terminology more general, but may lose some motivation at first
sight. Therefore, we start in our explanation with identity of sight. Therefore, we start in our explanation with identity of
human beings, but implicitly generalize to subjects thereafter. human beings, but implicitly generalize to subjects thereafter.
This means: In a second reading of this paper, you may replace This means: In a second reading of this paper, you may replace
"individual person" by "individual subject" (introduced as "individual person" by "individual subject" throughout as it was
"possibly acting entity" at the beginning of Section 3) throughout used in the definitions of the Section 3 through Section 13. It
as it was used in the definitions of the Section 3 through may be discussed whether the definitions can be further
Section 13. It may be discussed whether the definitions can be generalized and apply for any "entity", regardless of subject or
further generalized and apply for any "entity", regardless of object.
subject or not.
According to Mireille Hildebrandt, the French philosopher Paul According to Mireille Hildebrandt, the French philosopher Paul
Ricoeur made a distinction between "idem and ipse. Idem Ricoeur made a distinction between "idem and ipse. Idem
(sameness) stands for the third person, objectified observer's (sameness) stands for the third person, objectified observer's
perspective of identity as a set of attributes that allows perspective of identity as a set of attributes that allows
comparison between different people, as well as unique comparison between different people, as well as unique
identification, whereas ipse (self) stands for the first person identification, whereas ipse (self) stands for the first person
perspective constituting a 'sense of self'.", see page 274 in perspective constituting a 'sense of self'.", see page 274 in
[RaRD09]. So what George H. Mead called "I" is similar to what [RaRD09]. So what George H. Mead called "I" is similar to what
Paul Ricoeur called "ipse" (self). What George H. Mead called Paul Ricoeur called "ipse" (self). What George H. Mead called
"Me" is similar to what Paul Ricoeur called "idem" (sameness). "Me" is similar to what Paul Ricoeur called "idem" (sameness).
Motivated by identity as an exclusive perception of life, i.e., a Motivated by identity as an exclusive perception of life, i.e., a
psychological perspective, but using terms defined from a computer psychological perspective, but using terms defined from a computer
science, i.e., a mathematical perspective (as we did in the sections science, i.e., a mathematical perspective (as we did in the sections
before), identity can be explained and defined as a property of an before), identity can be explained and defined as a property of an
entity in terms of the negation of anonymity and the negation of entity in terms of the opposite of anonymity and the opposite of
unlinkability. In a positive wording, identity enables both to be unlinkability. In a positive wording, identity enables both to be
identifiable as well as to link IOIs because of some continuity of identifiable as well as to link IOIs because of some continuity of
life. Here we have the negation of anonymity (identifiability) and life. Here we have the opposite of anonymity (identifiability) and
the negation of unlinkability (linkability) as positive properties. the opposite of unlinkability (linkability) as positive properties.
So the perspective changes: What is the aim of an attacker w.r.t. So the perspective changes: What is the aim of an attacker w.r.t.
anonymity, now is the aim of the subject under consideration, so the anonymity, now is the aim of the subject under consideration, so the
attacker's perspective becomes the perspective of the subject. And attacker's perspective becomes the perspective of the subject. And
again, another attacker (attacker2) might be considered working again, another attacker (attacker2) might be considered working
against identifiability and/or linkability. I.e., attacker2 might against identifiability and/or linkability. I.e., attacker2 might
try to mask different attributes of subjects to provide for some kind try to mask different attributes of subjects to provide for some kind
of anonymity or attacker2 might spoof some messages to interfere with of anonymity or attacker2 might spoof some messages to interfere with
the continuity of the subject's life. the continuity of the subject's life.
Corresponding to the anonymity set introduced in the beginning of Corresponding to the anonymity set introduced in the beginning of
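Review bot: Dropping the parenthetical "(introduced as "possibly acting entity" at the beginning of Section 3)" from the Section 14 note removes the only pointer that tells the reader where "subject" is defined, while the sentence still asks the reader to substitute "individual subject" for "individual person" throughout; keep a short cross-reference to the Section 3 definition. The change from "regardless of subject or not" to "regardless of subject or object" reads correctly now, and replacing "negation" with "opposite" in the identity paragraph is fine as long as the same word is carried through the rest of the document.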
skipping to change at page 42, line 51 skipping to change at page 42, line 51
Identities may of course comprise particular attribute values like Identities may of course comprise particular attribute values like
names, identifiers, digital pseudonyms, and addresses - but they names, identifiers, digital pseudonyms, and addresses - but they
don't have to. don't have to.
14.3. Identity-related terms 14.3. Identity-related terms
Role: In sociology, a "role" or "social role" is a set of connected Role: In sociology, a "role" or "social role" is a set of connected
actions, as conceptualized by actors in a social situation (i.e., actions, as conceptualized by actors in a social situation (i.e.,
situation-dependent identity attributes). It is mostly defined as situation-dependent identity attributes). It is mostly defined as
an expected behavior (i.e., sequences of actions) in a given an expected behavior (i.e., sequences of actions) in a given
individual social context. So roles provide for some linkability social context. So roles provide for some linkability of actions.
of actions.
Partial identity: An identity of an individual person may comprise Partial identity: An identity of an individual person may comprise
many partial identities of which each represents the person in a many partial identities of which each represents the person in a
specific context or role. (Note: As an identity has to do with specific context or role. (Note: As an identity has to do with
integration into a social group, on the one hand, partial integration into a social group, on the one hand, partial
identities have to do with, e.g., relationships to particular identities have to do with, e.g., relationships to particular
group members (or to be more general: relationships to particular group members (or to be more general: relationships to particular
subsets of group members). On the other hand, partial identities subsets of group members). On the other hand, partial identities
might be associated with relationships to organizations.) A might be associated with relationships to organizations.) A
partial identity is a subset of attribute values of a complete partial identity is a subset of attribute values of a complete
skipping to change at page 46, line 32 skipping to change at page 46, line 32
Virtual identity Virtual identity is sometimes used in the same Virtual identity Virtual identity is sometimes used in the same
meaning as digital identity or digital partial identity, but meaning as digital identity or digital partial identity, but
because of the connotation with "unreal, non-existent, seeming" because of the connotation with "unreal, non-existent, seeming"
the term is mainly applied to characters in a MUD (Multi User the term is mainly applied to characters in a MUD (Multi User
Dungeon), MMORPG (Massively Multiplayer Online Role Playing Game) Dungeon), MMORPG (Massively Multiplayer Online Role Playing Game)
or to avatars. For these reasons, we do not use the notions or to avatars. For these reasons, we do not use the notions
physical world vs. virtual world nor physical person vs. virtual physical world vs. virtual world nor physical person vs. virtual
person defined in [RaRD09] (pp. 80ff). Additionally, we feel that person defined in [RaRD09] (pp. 80ff). Additionally, we feel that
taking the distinction between physical vs. digital (=virtual) taking the distinction between physical vs. digital (=virtual)
world as a primary means to build up a terminology is not helpful. world as a primary means to build up a terminology is not helpful.
First we have to define what a person, an entity, and an identity First we have to define what a person and an identity is. The
is. The distinction between physical and digital is only of distinction between physical and digital is only of secondary
secondary importance and the structure of the terminology should importance and the structure of the terminology should reflect
reflect this fundamental fact. In other disciplines, of course, this fundamental fact. In other disciplines, of course, it may be
it may be very relevant whether a person is a human being with a very relevant whether a person is a human being with a physical
physical body. Please remember Section 14.3, where the body. Please remember Section 14.3, where the sociological
sociological definition of identity includes "is bound to a body", definition of identity includes "is bound to a body", or law
or law enforcement when a jail sentence has to be carried out. enforcement when a jail sentence has to be carried out.
Generalizing from persons, laws should consider and spell out Generalizing from persons, laws should consider and spell out
whether they are addressing physical entities, which cannot be whether they are addressing physical entities, which cannot be
duplicated easily, or digital entities, which can. duplicated easily, or digital entities, which can.
14.4. Identity management-related terms 14.4. Identity management-related terms
Identity management Identity management means managing various Identity management Identity management means managing various
partial identities (usually denoted by pseudonyms) of an partial identities (usually denoted by pseudonyms) of an
individual person, i.e., administration of identity attributes individual person, i.e., administration of identity attributes
including the development and choice of the partial identity and including the development and choice of the partial identity and
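Review bot: Removing "an entity" from "what a person, an entity, and an identity is" leaves the closing sentences of the same paragraph, which generalize from persons to "physical entities" and "digital entities", relying on a term the paragraph no longer promises to define; either keep "entity" in the list or point to where it is defined. Separately, this Virtual identity paragraph sits inside Section 14.3 and asks the reader to "remember Section 14.3"; the reference should name the specific definition it means (the sociological definition of identity containing "is bound to a body") rather than the enclosing section.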
skipping to change at page 47, line 41 skipping to change at page 47, line 41
omitted. (Note: Given the terminology defined in Section 3 to omitted. (Note: Given the terminology defined in Section 3 to
Section 6, privacy-enhancing identity management is unlinkability- Section 6, privacy-enhancing identity management is unlinkability-
preserving identity management. So, maybe, the term "privacy- preserving identity management. So, maybe, the term "privacy-
preserving identity management" would be more appropriate. But to preserving identity management" would be more appropriate. But to
be compatible to the earlier papers in this field, we stick to be compatible to the earlier papers in this field, we stick to
privacy-enhancing identity management.) privacy-enhancing identity management.)
Privacy-enhancing identity management enabling application design An Privacy-enhancing identity management enabling application design An
application is designed in a privacy-enhancing identity management application is designed in a privacy-enhancing identity management
enabling way if neither the pattern of sending/receiving messages enabling way if neither the pattern of sending/receiving messages
nor the attribute values given to entities (i.e., human beings, nor the attribute values given to subjects (i.e., human beings,
organizations, computers) reduce unlinkability more than is organizations, computers) reduce unlinkability more than is
strictly necessary to achieve the purposes of the application. strictly necessary to achieve the purposes of the application.
Identity management system (IMS) An identity management system in User-controlled identity management Identity management is called
its broadest sense refers to technology-based administration of user-controlled if the flow of this user's identity attribute
identity attributes including the development and choice of the values is explicit to the user and the user is in control of this
partial identity and pseudonym to be (re-)used in a specific flow.
context or role. Note that some publications use the
abbreviations IdMS or IDMS instead. We can distinguish between
identity management system and identity management application:
The term "identity management system" is seen as an Identity management system (IMS) An identity management system
infrastructure, in which "identity management applications" as supports administration of identity attributes including the
components, i.e., software installed on computers, are co- development and choice of the partial identity and pseudonym to be
ordinated. (re-)used in a specific context or role. Note that some
publications use the abbreviations IdMS or IDMS instead. We can
distinguish between identity management system and identity
management application: The term "identity management system" is
seen as an infrastructure, in which "identity management
applications" as components, i.e., software installed on
computers, are co-ordinated.
Privacy-enhancing identity management system (PE-IMS) A Privacy- Privacy-enhancing identity management system (PE-IMS) A Privacy-
Enhancing IMS is an IMS that, given the restrictions of a set of Enhancing IMS is an IMS that, given the restrictions of a set of
applications, sufficiently preserves unlinkability (as seen by an applications, sufficiently preserves unlinkability (as seen by an
attacker) between the partial identities and corresponding attacker) between the partial identities and corresponding
pseudonyms of an individual person. pseudonyms of an individual person.
User-controlled identity management system A user-controlled User-controlled identity management system A user-controlled
identity management system is an IMS that makes the flow of this identity management system is an IMS that makes the flow of this
user's identity attribute values explicit to the user and gives user's identity attribute values explicit to the user and gives
its user a large degree of control [CPHH02]. The guiding its user control of this flow [CPHH02]. The guiding principle is
principle is "notice and choice". "notice and choice".
Combining user-controlled IMS with PE-IMS means user-controlled Combining user-controlled IMS with PE-IMS means user-controlled
linkability of personal data, i.e., achieving user-control based linkability of personal data, i.e., achieving user-control based
on thorough data minimization. According to respective situation on thorough data minimization. According to respective situation
and context, such a system supports the user in making an informed and context, such a system supports the user in making an informed
choice of pseudonyms, representing his or her partial identities. choice of pseudonyms, representing his or her partial identities.
A user-controlled PE-IMS supports the user in managing his or her A user-controlled PE-IMS supports the user in managing his or her
partial identities, i.e., to use different pseudonyms with partial identities, i.e., to use different pseudonyms with
associated identity attribute values according to different associated identity attribute values according to different
contexts, different roles the user is acting in and according to contexts, different roles the user is acting in and according to
different interaction partners. It acts as a central gateway for different interaction partners. It acts as a central gateway for
all interactions between different applications, like browsing the all interactions between different applications, like browsing the
web, buying in Internet shops, or carrying out administrative web, buying in Internet shops, or carrying out administrative
tasks with governmental authorities [HBCC04]. tasks with governmental authorities [HBCC04].
15. Overview of main definitions and their negations 15. Overview of main definitions and their opposites
o o
o o
+---------------------------------+---------------------------------+ +---------------------------------+---------------------------------+
| Definition | Negation | | Definition | Negation |
+---------------------------------+---------------------------------+ +---------------------------------+---------------------------------+
| Anonymity of a subject from an | Identifiability of a subject | | Anonymity of a subject from an | Identifiability of a subject |
| attacker's perspective means | from an attacker's perspective | | attacker's perspective means | from an attacker's perspective |
| that the attacker cannot | means that the attacker can | | that the attacker cannot | means that the attacker can |
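Review bot: The Section 15 heading now reads "main definitions and their opposites", but the right-hand column of the table directly below it is still headed "Negation"; rename the column to match the heading. In the same hunk, the new entry "User-controlled identity management" and the existing "User-controlled identity management system" state the same condition (flow of the user's identity attribute values explicit to the user, user in control of that flow) in nearly identical words; define the system as an IMS that provides user-controlled identity management so the two definitions cannot drift apart. The two bare "o" bullets between the heading and the table carry no text and should be deleted. The switch from "entities" to "subjects" in the application-design definition is consistent with the Section 14 note and is fine.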
skipping to change at page 49, line 47 skipping to change at page 50, line 19
quality of the document with their feedback. The original authors, quality of the document with their feedback. The original authors,
Marit Hansen and Andreas Pfitzmann, would therefore like to thank Marit Hansen and Andreas Pfitzmann, would therefore like to thank
Adam Shostack, David-Olivier Jaquet-Chiffelle, Claudia Diaz, Giles Adam Shostack, David-Olivier Jaquet-Chiffelle, Claudia Diaz, Giles
Hogben, Thomas Kriegelstein, Wim Schreurs, Sandra Steinbrecher, Mike Hogben, Thomas Kriegelstein, Wim Schreurs, Sandra Steinbrecher, Mike
Bergmann, Katrin Borcea, Simone Fischer-Huebner, Stefan Koepsell, Bergmann, Katrin Borcea, Simone Fischer-Huebner, Stefan Koepsell,
Martin Rost, Marc Wilikens, Adolf Flueli, Jozef Vyskoc, Thomas Martin Rost, Marc Wilikens, Adolf Flueli, Jozef Vyskoc, Thomas
Kriegelstein, Jan Camenisch, Vashek Matyas, Daniel Cvrcek, Wassim Kriegelstein, Jan Camenisch, Vashek Matyas, Daniel Cvrcek, Wassim
Haddad, Alf Zugenmair, Katrin Borcea-Pfitzmann, Thomas Kriegelstein, Haddad, Alf Zugenmair, Katrin Borcea-Pfitzmann, Thomas Kriegelstein,
Elke Franz, Sebastian Clauss, Neil Mitchison, Rolf Wendolsky, Stefan Elke Franz, Sebastian Clauss, Neil Mitchison, Rolf Wendolsky, Stefan
Schiffner, Maritta Heisel, Katja Liesebach, Stefanie Poetzsch, Thomas Schiffner, Maritta Heisel, Katja Liesebach, Stefanie Poetzsch, Thomas
Santen, Maritta Heisel, Manuela Berg, and Katie Tietze for their Santen, Maritta Heisel, Manuela Berg, Katrin Borcea-Pfitzmann, and
input. Katie Tietze for their input.
The terminology has been translated to other languages and the result The terminology has been translated to other languages and the result
can be found here: can be found here:
http://dud.inf.tu-dresden.de/Anon_Terminology.shtml. http://dud.inf.tu-dresden.de/Anon_Terminology.shtml.
17. References 17. References
17.1. Normative References 17.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
17.2. Informative References 17.2. Informative References
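Review bot: The acknowledgments list adds Katrin Borcea-Pfitzmann at the end although that name already appears earlier in the list, and the list also repeats Thomas Kriegelstein (three times) and Maritta Heisel (twice); deduplicate the names before the next revision. The reference headings themselves are unchanged in this hunk.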
 End of changes. 30 change blocks. 
91 lines changed or deleted 104 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/