Whenever you read about “anonymous credentials”, you should really think of these as minimal disclosure certificates. “Minimal disclosure” implies three privacy properties: (1) minimization of traceability, (2) minimization of linkability, and (3) selective disclosure:
- Minimization of traceability means that there is nothing in a certificate beyond any disclosed attribute data it may contain that can be used to link its presentation to its issuance.
- Minimization of linkability means that there is nothing in a certificate beyond any disclosed attribute data it may contain that can be used to link its presentation to the presentation of other certificates of the same user.
- Selective disclosure means that the user of a certificate, when presenting the certificate, can (unconditionally) hide attribute data contained in the certificate that does not need to be revealed. More generally, properties of encoded attribute values can be disclosed while any other information remains hidden.
These properties hold in the face of collusions between relying parties and identity providers. What’s more, they hold unconditionally, even if relying parties and identity providers actively collude from the outset and try to build in “cryptographic backdoors” in the algorithms used to digitally sign identity claims.
This has interesting implications for HSPD-12, the requirement for all Government activities to use strong authentication for networked systems. This has been implemented by issuing smart cards with an embedded PKI certificate to government employees (and contractors) and requiring the use of mutual SSL pretty much everywhere. So, the rationale behind the client PKI certificates aside, we can say that linkability and traceability are foregone conclusions in these environments. There is, however, a battle to be had regarding discretionary user information release.
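
Selective disclosure as defined above, sketched as an added example (not code from the original page or from any credential system it refers to): a Pedersen commitment over three hypothetical attributes, with a Schnorr-style proof that reveals one value and proves knowledge of the rest. Assumptions: the group is a toy constructed for the demo, the attribute names are made up, and the issuer's signature over the commitment is omitted; because the same commitment is shown at every presentation, this sketch does not provide the unlinkability or untraceability properties.

```python
import hashlib
import secrets

# Toy group constructed for this example: P = 2Q + 1 with Q prime, so the
# squares mod P form a subgroup of prime order Q. Far too small for real use.
P, Q = 2039, 1019
# One generator per (hypothetical) attribute, plus H for the blinding factor.
# A real scheme derives these so nobody knows their mutual discrete logs.
G = {"clearance": 4, "agency": 9, "employee_id": 25}
H = 49

def commit(attrs, r):
    """Pedersen commitment C = H^r * prod(G[name]^value) mod P."""
    c = pow(H, r, P)
    for name, value in attrs.items():
        c = c * pow(G[name], value, P) % P
    return c

def challenge(c, disclosed, t):
    """Fiat-Shamir challenge binding the commitment, the disclosed values and t."""
    data = repr((c, sorted(disclosed.items()), t)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def present(attrs, r, reveal):
    """Disclose only the attributes in `reveal`; prove knowledge of the rest."""
    c = commit(attrs, r)
    disclosed = {n: attrs[n] for n in attrs if n in reveal}
    hidden = [n for n in attrs if n not in reveal]
    k = {n: secrets.randbelow(Q) for n in hidden}  # one nonce per hidden value
    k_r = secrets.randbelow(Q)                     # nonce for the blinding factor
    t = pow(H, k_r, P)
    for n in hidden:
        t = t * pow(G[n], k[n], P) % P
    e = challenge(c, disclosed, t)
    resp = {n: (k[n] + e * attrs[n]) % Q for n in hidden}
    return disclosed, (t, resp, (k_r + e * r) % Q)

def verify(c, disclosed, proof):
    """Check the proof against C with the disclosed attributes divided out."""
    t, resp, s_r = proof
    d = c
    for name, value in disclosed.items():
        d = d * pow(G[name], -value % Q, P) % P    # d commits only to hidden values
    e = challenge(c, disclosed, t)
    lhs = pow(H, s_r, P)
    for n, s in resp.items():
        lhs = lhs * pow(G[n], s, P) % P
    return lhs == t * pow(d, e, P) % P
```

The verifier sees only the disclosed values, the commitment and the proof; the hidden values are masked by fresh nonces in every presentation.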